
Re: Questioning debian/upstream/signing-key.asc



Christoph Biedl <debian.axhn@manchmal.in-ulm.de> writes:

> Of course I understand there are various reasons why this happens, and
> several are not the maintainer's fault. But at least in some cases it's
> obvious the maintainers didn't care: When there has been an upload with
> a new upstream version released after the expiration. This has happened,
> hopefully they've verified the tarball by other means.

That feels like a bug to be sure.

I think there's a bit of subtlety here in that if upstream uses a key with
an expiration that they periodically extend (to provide a time-based
cut-off if they lose control of the key for whatever reason, for
instance), and that package is rarely updated because it's stable, it's
quite likely that the key will have expired but I'm not sure that's a
problem.

I'm not all that familiar with the intended semantics of OpenPGP key
expirations, but intuitively I think a signature made before the
expiration should be considered valid, even if the key has now expired and
thus shouldn't be used to make new signatures.

I'm curious how your numbers would change if you only counted as expired
keys that were expired at the time that the upstream tarball signature was
made.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
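The distinction drawn in the message above, between a key that had already expired when the upstream signature was made and a key that expired only afterwards, can be computed from two things gpg already emits: the `VALIDSIG` status line (signature timestamp, primary-key fingerprint) and the `--with-colons` key listing of `debian/upstream/signing-key.asc` (expiry field of each `pub` record). The script below is an added example, not code from this thread or from any Debian tool; the status and colon-listing lines it parses are constructed for the example, and the field positions it relies on (signature timestamp as the third argument after `VALIDSIG`, primary fingerprint as the last, expiry as field 7 of `pub`) are assumptions about gpg's output format.

```python
"""Classify upstream OpenPGP signing keys: expired at signing time vs. expired later.

Inputs are the text gpg writes on --status-fd when verifying the tarball
signature, and the --with-colons listing of debian/upstream/signing-key.asc.
All sample lines below are constructed; fingerprints are not real keys.
"""
from __future__ import annotations

from typing import Optional


def parse_key_expiry(colons_text: str) -> dict[str, Optional[int]]:
    """Map primary-key fingerprint -> expiry in epoch seconds (None = no expiry).

    Assumed layout: 'pub' record, field 7 = expiry, followed by its 'fpr' record
    with the fingerprint in field 10. Subkey ('sub') fpr lines are skipped.
    """
    expiry: dict[str, Optional[int]] = {}
    pending: Optional[int] = None
    in_pub = False
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_pub = True
            pending = int(fields[6]) if fields[6] else None
        elif fields[0] == "fpr" and in_pub:
            expiry[fields[9]] = pending
            in_pub = False
        elif fields[0] in ("sub", "ssb"):
            in_pub = False
    return expiry


def parse_signatures(status_text: str) -> list[tuple[str, int]]:
    """Extract (primary fingerprint, signature timestamp) from VALIDSIG lines.

    Assumed layout after VALIDSIG: fpr, sig-date, sig-timestamp, ..., primary-fpr.
    """
    sigs = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            sigs.append((parts[-1], int(parts[4])))
    return sigs


def verdict(sig_time: int, key_expiry: Optional[int], now: int) -> str:
    """Decide what 'expired' means for one signature."""
    if key_expiry is None:
        return "no-expiry"
    if sig_time > key_expiry:
        return "expired-at-signing"   # key was already dead when upstream signed
    if now > key_expiry:
        return "expired-since"        # signed while valid; key lapsed afterwards
    return "valid"


def classify(status_text: str, colons_text: str, now: int) -> dict[str, str]:
    """Return fingerprint -> verdict for every VALIDSIG in the status output."""
    expiry = parse_key_expiry(colons_text)
    result = {}
    for fpr, sig_time in parse_signatures(status_text):
        if fpr not in expiry:
            result[fpr] = "key-not-in-signing-key.asc"
        else:
            result[fpr] = verdict(sig_time, expiry[fpr], now)
    return result


# Constructed sample data: two upstream keys, both expiring at 1650000000
# (April 2022). Key A signed in September 2020, key B in August 2022.
FPR_A = "2222222222222222222222221122334455667788"
FPR_B = "1111111111111111111111110123456789ABCDEF"
NOW = 1700000000  # November 2023, the moment the check is run

SAMPLE_KEYS = "\n".join([
    "pub:e:4096:1:1122334455667788:1500000000:1650000000::-:::scESC::::::23::0:",
    f"fpr:::::::::{FPR_A}:",
    "uid:e::::1500000000::0000000000000000000000000000000000000000::Upstream A <a@example.org>::::::::::0:",
    "pub:e:4096:1:0123456789ABCDEF:1500000000:1650000000::-:::scESC::::::23::0:",
    f"fpr:::::::::{FPR_B}:",
])

SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 1122334455667788 Upstream A <a@example.org>",
    f"[GNUPG:] VALIDSIG {FPR_A} 2020-09-13 1600000000 0 4 0 1 10 00 {FPR_A}",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Upstream B <b@example.org>",
    f"[GNUPG:] VALIDSIG {FPR_B} 2022-08-08 1660000000 0 4 0 1 10 00 {FPR_B}",
])

if __name__ == "__main__":
    for fpr, v in classify(SAMPLE_STATUS, SAMPLE_KEYS, NOW).items():
        print(fpr, v)
```

Only the `expired-at-signing` verdict corresponds to the upload-after-expiry case the thread treats as a maintainer bug; `expired-since` is the stable-package scenario where the signature was made while the key was still valid and the key simply lapsed before the next upload.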

