Re: Expired GPG keys of older release
- Date: Fri, 22 Jun 2018 14:39:52 -0400
- From: James Cloos <cloos@xxxxxxxxxxx>
- Subject: Re: Expired GPG keys of older release
>>>>> "T" == <tomas@xxxxxxxxxx> writes:
T> And just extending the keys' validity (as someone proposed in this
T> thread) seems a bad idea too, since the requirement for secure keys
T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.
The problem is that the point of a key's expiration time is that
signatures newer than that should fail, but all signatures made before
the expiration should verify.
So, if apt's signature verification only looks at the key's expiration
date and not at the signature's timestamp, that is a bug.
James Cloos <cloos@xxxxxxxxxxx> OpenPGP: 0x997A9F17ED7DAEA6
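As an added worked example (not code from this thread, nor from apt or GnuPG): a small Python model of the RFC 4880 expiry semantics described above. It parses the real OpenPGP signature-subpacket encoding, reads the key's expiration (subpacket type 9, stored as seconds after key creation) from the key's self-signature and the signature's own creation time (type 2) from the hashed subpacket area, then contrasts a naive "is the key expired right now?" check with one that compares the signature's timestamp against the key's expiry. The key dates, lifetime and signature bodies are constructed assumptions; no MPIs or cryptographic verification are included.

```python
"""Model of OpenPGP (RFC 4880) key-expiry semantics for signature checking.
Added example, not code from the thread, apt or gpg: it parses the real
subpacket encoding, but the signature bodies are constructed and carry no
MPIs, so only the timestamp policy is modelled, not the cryptography."""
import struct
from datetime import datetime, timezone

# Subpacket type IDs, RFC 4880 section 5.2.3.1
SIG_CREATION_TIME = 2    # 5.2.3.4: 4-octet time the signature was made
KEY_EXPIRATION_TIME = 9  # 5.2.3.6: 4-octet seconds AFTER key creation

def encode_subpacket(sp_type, data):
    """Encode one subpacket; the length octet(s) cover the type octet plus data."""
    length = len(data) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([sp_type]) + data

def parse_subpackets(area):
    """Return [(type, critical_flag, data), ...] from a subpacket area."""
    out, i = [], 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out

def build_sig_body(hashed, unhashed=b""):
    """Leading part of a v4 signature packet (RFC 4880 5.2.3): version, sig type
    0x00 (binary document), pk algo 1 (RSA), hash algo 8 (SHA-256), then the
    two length-prefixed subpacket areas. Hash prefix and MPIs are left out."""
    return (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed)

def hashed_subpacket(sig_body, sp_type):
    """Data of the first sp_type subpacket in the HASHED area only, or None.
    The unhashed area is not covered by the signature, so it is forgeable."""
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    for t, _critical, data in parse_subpackets(sig_body[6:6 + hashed_len]):
        if t == sp_type:
            return data
    return None

def key_expiry(key_creation, self_sig_body):
    """Absolute expiry (unix seconds) from the key's self-signature, or None."""
    data = hashed_subpacket(self_sig_body, KEY_EXPIRATION_TIME)
    return None if data is None else key_creation + struct.unpack(">I", data)[0]

def naive_accepts(key_creation, self_sig_body, now):
    """The behaviour the mail objects to: once the key has expired, every
    signature is rejected, however old it is."""
    expiry = key_expiry(key_creation, self_sig_body)
    return expiry is None or now < expiry

def expiry_aware_accepts(key_creation, self_sig_body, sig_body):
    """Reject a signature only if its own (hashed) creation time is not before
    the key's expiry; a signature without a creation time is rejected."""
    expiry = key_expiry(key_creation, self_sig_body)
    created = hashed_subpacket(sig_body, SIG_CREATION_TIME)
    if created is None:
        return False
    return expiry is None or struct.unpack(">I", created)[0] < expiry

def ts(year, month, day):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def sig_at(unix_time, hashed=True):
    sp = encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", unix_time))
    return build_sig_body(sp) if hashed else build_sig_body(b"", sp)

# Constructed scenario (assumed dates, not a real archive key): a key made in
# 2016 with a two-year lifetime, one Release signature from before expiry and
# one from after, both checked on the date of the mail.
KEY_CREATED = ts(2016, 1, 1)
SELF_SIG = build_sig_body(
    encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", KEY_CREATED))
    + encode_subpacket(KEY_EXPIRATION_TIME, struct.pack(">I", ts(2018, 1, 1) - KEY_CREATED)))
SIG_OLD = sig_at(ts(2017, 6, 1))
SIG_NEW = sig_at(ts(2018, 6, 22))
SIG_UNHASHED_ONLY = sig_at(ts(2017, 6, 1), hashed=False)  # timestamp only in forgeable area
NOW = ts(2018, 6, 22)

if __name__ == "__main__":
    print("naive check, any signature today:", naive_accepts(KEY_CREATED, SELF_SIG, NOW))
    print("expiry-aware, old/new/unhashed-only:", [expiry_aware_accepts(KEY_CREATED, SELF_SIG, s)
                                                   for s in (SIG_OLD, SIG_NEW, SIG_UNHASHED_ONLY)])
```

The timestamp is read from the hashed area only, because the unhashed area is not covered by the signature. The policy still trusts the signer's clock: a private key compromised after its expiry could backdate a signature, and revocation rather than expiry is what covers that case.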