Re: Expired GPG keys of older release




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 19, 2018 at 09:22:22AM +0200, Adam Cecile wrote:
> Hello,
> 
> 
> The GPG key that signed the Squeeze repo is now expired. How should I
> handle this properly? Although the key is expired, it used to be
> valid and I don't much like the idea of going for [trusted=yes] for
> each impacted sources.list entry.

Squeeze is, as others have noticed, beyond "end-of-life". That means
that it is "archived". It won't change. Ever.

Re-signing the packages with fresh keys would mean "change". Bad idea.

And just extending the keys' validity (as someone proposed in this
thread) seems a bad idea too, since the requirement for secure keys
evolves over time, as the NSA^H^H^H bad guys buy more GPUs.

So as far as I see it, there's no easy solution to that. I guess
you'll have to live with an expired key.

Perhaps one could talk the Apt folks into treating expired keys
in a different way than plain invalid or non-existing ones. I
wouldn't hold my breath, though.

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlsqAF4ACgkQBcgs9XrR2kY9tQCffzppTznd/U5l0HKW8q3uVya3
oCIAn14QUYeEe64pbqTEmXHe8ipWH/SN
=AG66
-----END PGP SIGNATURE-----
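
The distinction raised in the message above, between an expired key and an invalid or missing one, is already visible in GnuPG's machine-readable status output (`gpg --status-fd`). The following is an added example, not part of the original message and not apt's code: it classifies the status lines of one signature check. The pinned-key policy, the function name and the key IDs in the constructed samples are assumptions.

```python
from enum import Enum

class Verdict(Enum):
    GOOD = "good signature, key valid"
    GOOD_EXPIRED_KEY = "good signature, key expired"
    REJECT = "reject"

# Status keywords (GnuPG doc/DETAILS) that are never acceptable here.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"}

def classify(status_text, pinned_keyids):
    """Classify the status lines of ONE signature check.

    pinned_keyids: key IDs the admin explicitly accepts for an archived
    release even after expiry (hypothetical policy, not apt behaviour).
    """
    verdict, keyid = Verdict.REJECT, None  # fail closed on empty input
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        arg = fields[2] if len(fields) > 2 else None
        if keyword in FATAL:
            return Verdict.REJECT, arg
        if keyword == "GOODSIG":
            verdict, keyid = Verdict.GOOD, arg
        elif keyword == "EXPKEYSIG":
            # Signature verifies, but the signing key is past its expiry.
            if arg not in pinned_keyids:
                return Verdict.REJECT, arg
            verdict, keyid = Verdict.GOOD_EXPIRED_KEY, arg
    return verdict, keyid

# Constructed sample status output; key IDs and names are placeholders.
KEY = "00000000DEADBEEF"
EXPIRED = (f"[GNUPG:] NEWSIG\n[GNUPG:] KEYEXPIRED 1520000000\n"
           f"[GNUPG:] EXPKEYSIG {KEY} Example Archive Key <a@example.org>\n")
BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {KEY} Example Archive Key\n"
MISSING = (f"[GNUPG:] ERRSIG {KEY} 1 2 00 1300000000 9\n"
           f"[GNUPG:] NO_PUBKEY {KEY}\n")

if __name__ == "__main__":
    for name, text in [("expired", EXPIRED), ("bad", BAD), ("missing", MISSING)]:
        print(name, classify(text, {KEY}))
```

Unlike `[trusted=yes]`, which skips verification altogether, this kind of policy still rejects a tampered file (`BADSIG`) or an unknown signer (`NO_PUBKEY`).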