Package: devscripts
Version: 2.15.3
Severity: wishlist
File: /usr/bin/chdist
Tags: security

When creating a tree with chdist, it copies the keys from the
debian-archive-keyring package. After a while the keys are recycled, but
chdist still uses the old ones it copied ages ago and starts to fail
suddenly after a stable release.

Since debian-archive-keyring is almost essential (you must remove apt to
get rid of it), it seems to make more sense to symlink those keyrings
and have them updated when debian-archive-keyring updates.

Furthermore, why does chdist copy the debian-archive-removed-keys.gpg?
The purpose of that file is to get keys untrusted, but chdist makes apt
trust them nonetheless. I question the utility of adding them.

Helmut
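
An added example, not part of the original report and not chdist's own code: a shell check that compares the keyring files inside one tree with the ones debian-archive-keyring currently ships, and flags stale copies and a trusted removed-keys file. Both directories are passed as arguments; their locations and the status names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the report, not chdist code).
# Assumption: TREE_KEYDIR is the directory inside one chdist tree that holds
# the keyrings apt trusts, SYSTEM_KEYDIR is where debian-archive-keyring
# installs its keyrings. Pass the real locations for your system.

# audit_keyrings TREE_KEYDIR SYSTEM_KEYDIR
# Prints one line per keyring file: STATUS<TAB>filename
audit_keyrings() {
    tree_dir=$1
    sys_dir=$2
    for f in "$tree_dir"/*.gpg; do
        # Skip the literal pattern when the directory has no keyrings.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=$(basename "$f")
        case $name in
            *removed-keys*)
                # Retired keys sitting in a trusted directory.
                status=REMOVED-KEYS-TRUSTED ;;
            *)
                if [ -L "$f" ]; then
                    # A symlink follows package updates unless it dangles.
                    if [ -e "$f" ]; then status=SYMLINK-OK; else status=DANGLING; fi
                elif [ ! -f "$sys_dir/$name" ]; then
                    status=NO-SYSTEM-COPY
                elif cmp -s "$f" "$sys_dir/$name"; then
                    status=COPY-CURRENT
                else
                    # Copied once, and the packaged keyring has changed since.
                    status=COPY-STALE
                fi ;;
        esac
        printf '%s\t%s\n' "$status" "$name"
    done
}

# count_findings TREE_KEYDIR SYSTEM_KEYDIR
# Prints how many keyring files need attention (anything not OK/current).
count_findings() {
    audit_keyrings "$1" "$2" |
        awk -F'\t' '$1 != "SYMLINK-OK" && $1 != "COPY-CURRENT" { n++ } END { print n + 0 }'
}

# Stand-alone use: sh audit.sh TREE_KEYDIR SYSTEM_KEYDIR
if [ "$#" -eq 2 ]; then
    audit_keyrings "$1" "$2"
fi
```

A COPY-CURRENT result only says the copy matches today; it becomes COPY-STALE at the next keyring rotation, which is the failure described above.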

