
Re: Expired GPG keys of older release


On Wed, Jun 20, 2018 at 01:06:02PM -0700, Don Armstrong wrote:
> On Wed, 20 Jun 2018, tomas@xxxxxxxxxx wrote:
> > Since it seems that an archived Debian release is bound to have an
> > expired key, would you agree that it'd be useful to have an option to
> > accept such a key?
> Probably. I would not put my personal development time into it if existing
> features don't already support it, though. Releases as old as squeeze
> are known to have multiple security exploits, and shouldn't be used at
> all for new installations. Therefore I can't argue for someone else to
> spend their development time implementing such a feature.

Understood. And for squeeze the horses are already out, as Ansgar points
out downstream. But somehow it seems worth thinking about, since it is
a structural problem (how do people solve the "old signed documents"
problem anyway?).

It is clear that an archived release has (known & unknown) unfixed security
problems, since it doesn't change. And verifying the key can only tell
you "well, at the time this seems to have been signed correctly". Perhaps
the new Debian maintainers can attest to this fact with new signatures.

In short, this is going to haunt us beyond Unix "end-of-time" (with a
tip of the hat to Ansgar).

-- tomás