
Re: apt ignoring check-valid-until flag



On Thu, 2020-12-17 at 00:03 +0100, Samuel Thibault wrote:

> Indeed, but one can use trusted=yes

That disables the OpenPGP checks completely rather than just ignoring
that the OpenPGP key is expired, so it is fairly unsafe and definitely
should be at minimum combined with TLS, which snapshot supports now.

Some discussion on IRC brought up these things:

 * apt does not have a way to treat expired keys as not expired
 * you could use faketime to send apt back to the past
 * you could use a fakegpgv that does s/EXPKEYSIG/GOODSIG/
 * snapshot could gain a re-signing service (#763419)
 * another solution was found that means snapshot isn't needed

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
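
One way to audit a machine for the risk described in the message above, as an added example that is not part of the original message: it flags one-line sources.list entries that set trusted=yes and rates them worse when the URI is not https. The sample entries and snapshot timestamps are constructed, the function names are hypothetical, and deb822 .sources files are out of scope.

```python
import re
from urllib.parse import urlsplit

# One-line sources.list entry: type, optional [options], URI, suite.
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+\S+")
TRUTHY = {"yes", "true"}   # spellings this sketch treats as enabled (assumption)
FALSY = {"no", "false"}    # spellings this sketch treats as disabled (assumption)

def parse_options(raw):
    """Turn 'trusted=yes check-valid-until=no' into a lower-cased dict."""
    opts = {}
    for item in (raw or "").split():
        key, sep, value = item.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip().lower()
    return opts

def audit_sources(text):
    """Return (line_number, severity, message) for each risky entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(line.strip())
        if not m:
            continue  # comments, blank lines and anything that is not an entry
        opts = parse_options(m.group("opts"))
        scheme = urlsplit(m.group("uri")).scheme.lower()
        if opts.get("trusted") in TRUTHY:
            if scheme == "https":
                findings.append((lineno, "medium", "trusted=yes: OpenPGP checks off, TLS is the only check left"))
            else:
                findings.append((lineno, "high", f"trusted=yes over {scheme}: no OpenPGP checks and no TLS"))
        if opts.get("check-valid-until") in FALSY:
            findings.append((lineno, "info", "check-valid-until=no: Release file expiry not enforced"))
    return findings

# Constructed sample input, not taken from the original message.
SAMPLE = """\
# example entries
deb [trusted=yes] http://snapshot.debian.org/archive/debian/20150101T000000Z/ jessie main
deb [trusted=yes] https://snapshot.debian.org/archive/debian/20150101T000000Z/ jessie main
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20150101T000000Z/ jessie main
deb https://deb.debian.org/debian bookworm main
"""

if __name__ == "__main__":
    for lineno, severity, message in audit_sources(SAMPLE):
        print(f"line {lineno}: [{severity}] {message}")
```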
