On 2014-08-09 1:19, Michael Gilbert wrote:
On Fri, Aug 8, 2014 at 7:52 PM, Cyril Brulebois wrote:
The archive keyring package is currently signed by Philip Kern's old
removed key.

Since this package contains the keys to the archive, it really needs a
valid signature.

$ apt-get source debian-archive-keyring --download-only

Well, surely this is using the apt cache, with Release files and GPG
signatures all over the place…

Release files signed by the keys that were signed by the removed key.

For stable, that's partially accurate, as the wheezy stable release key is indeed signed by Phil's old key. It is, however, also signed by my, very much current, key and Phil's new key.

However, stable's Release file is also co-signed by, and >= testing are _only_ signed by, the ftp-master key, for which:

adsb@franck:~$ gpg --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --list-sigs 46925553
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        46925553 2012-04-27  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        7E7B8AC9 2012-04-27  [User ID not found]
sig 3   P    B12525C4 2012-04-27  Joerg Jaspert <jo...@debian.org>
sig          A3AE44A4 2012-04-27  Michael O'Connor (stew) <s...@vireo.org>
sig          CA1CF964 2012-04-27  Ansgar Burchardt <ans...@debian.org>
sig          15B0FD82 2012-04-27  Mark Hymers <m...@debian.org>
sig          672C8B12 2012-04-28  [User ID not found]

none of the sigs belong to the Release Team.

It's an M.C. Escher painting kind of situation, and I'm being rather
pedantic, but then again, it's simply good hygiene.

Pedantry != release-criticality.

(Also, I don't see why this particular source package would be special
and would need a specific handling as far as its signature goes.)

Other bad sigs in the archive should also get cleaned up.  I need to do a
more complete analysis of bad sigs and also do a -devel MBF
discussion.

It might have been nice to have done that step first.. :-(

Regards,

Adam
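
An added example, not part of the original message and not Debian's own tooling: a small Python parser for the `gpg --list-sigs` listing quoted above that separates the key's self-signature from third-party certifications and flags signers gpg could not resolve in the supplied keyrings. The `distrusted` set is a caller-supplied assumption (for instance, key IDs removed from a keyring); the sample text is the listing from the message with its column layout restored.

```python
import re

# Listing quoted in the message above (addresses are truncated in the archive).
SAMPLE = """\
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        46925553 2012-04-27  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        7E7B8AC9 2012-04-27  [User ID not found]
sig 3   P    B12525C4 2012-04-27  Joerg Jaspert <jo...@debian.org>
sig          A3AE44A4 2012-04-27  Michael O'Connor (stew) <s...@vireo.org>
sig          CA1CF964 2012-04-27  Ansgar Burchardt <ans...@debian.org>
sig          15B0FD82 2012-04-27  Mark Hymers <m...@debian.org>
sig          672C8B12 2012-04-28  [User ID not found]
"""
KEYID = re.compile(r"^[0-9A-F]{8}$")   # short key IDs, as printed in this listing
UNRESOLVED = "[User ID not found]"      # signer's key is not in the given keyrings

def parse_list_sigs(text):
    """Return (primary_keyid, [{'keyid', 'date', 'signer'}, ...])."""
    primary, sigs = None, []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 1 and tok[0] == "pub" and "/" in tok[1]:
            primary = tok[1].split("/", 1)[1]
        elif tok[:1] == ["sig"]:
            # An optional check level ("3") and flags ("P") precede the key ID.
            i = next((n for n, t in enumerate(tok) if KEYID.match(t)), None)
            if i is not None and i + 1 < len(tok):
                sigs.append({"keyid": tok[i], "date": tok[i + 1],
                             "signer": " ".join(tok[i + 2:])})
    return primary, sigs

def audit(text, distrusted=frozenset()):
    """Bucket every certification on the key shown in `text` by signer status."""
    primary, sigs = parse_list_sigs(text)
    report = {"primary": primary, "self": [], "distrusted": [],
              "unresolved": [], "usable": []}
    for s in sigs:
        if s["keyid"] == primary:
            bucket = "self"
        elif s["keyid"] in distrusted:      # assumption: supplied by the caller
            bucket = "distrusted"
        elif s["signer"] == UNRESOLVED:
            bucket = "unresolved"
        else:
            bucket = "usable"
        report[bucket].append(s["keyid"])
    return report
```

A key whose `usable` list is empty has no certification from a resolvable, non-distrusted signer in the keyrings that were passed to gpg.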

