Web lists-archives.com

Re: Expired GPG keys of older release

Adam Cecile <adam.cecile@xxxxxxxx> writes:

> I still thinks it *sucks* to have no alternative then considering
> packages signed by an expired key like unsigned packages....

The key is expired, which means its creator no longer claims it as their
key. Any signatures found using that key, can no longer be known to be
made by the person who nominally owns that key.

In other words: Yes, it's inconvenient, but it's because *no one can
know* with confidence any more whether that key has been compromised.
So that does put it into the same category as “who the hell knows
whether this signature is associated with the key owner”.

That's just a fact that follows from the finite lifetime of the security
of a given key. The longer it's been out there, the larger the window
for compromise; and we're now outside the window where the key owner
warrants to still be in control of that key. Don't trust whatever
signatures you find with that key any more.

 \     “I have had a perfectly wonderful evening, but this wasn't it.” |
  `\                                                     —Groucho Marx |
_o__)                                                                  |
Ben Finney