* Russ Allbery <firstname.lastname@example.org> [2021-03-26 09:35]:
> We do have a trusted timestamp for the point at which the upstream tarball and signature were uploaded to the Debian archive, though, so if the key had not yet expired at that point, I think we can infer it wasn't expired when the signature was made.
Once the package has been uploaded, it no longer makes a difference whether or not the upstream package was signed in the first place: any package will be protected by the Debian archive keys anyway.

Without that, as Ansgar pointed out, there is no trusted party left to determine whether or not a signature has been backdated, because we have to assume that an expired key might have been compromised at some point (or the whole idea of key expiry becomes meaningless).

The upstream key is only really needed by the maintainer if and when they package a new release, and this is exactly the time when uscan will complain about an expired key.

What might be useful is a Lintian warning when an upstream key is soon to expire, assuming that upstream cares enough to have a proper key rotation scheme.

- Timo
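A sketch of the expiry check suggested above, as an added example that is not from the thread and not code from Lintian or uscan: it parses the machine-readable output of `gpg --with-colons --show-keys debian/upstream/signing-key.asc` (assumed format: epoch-second creation and expiry timestamps in fields 6 and 7 of each `pub` record, user ID in field 10 of `uid` records) and reports keys that are already expired or will expire within a warning window. The gpg output, the key IDs and the pinned "now" are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of `gpg --with-colons --show-keys` output (not real keys):
# an expired key, one expiring inside the warning window, one with no expiry.
SAMPLE_GPG_OUTPUT = """\
pub:e:4096:1:1111111111111111:1577836800:1609459200::u:::scESC::::::23::0:
uid:e::::1577836800::0000000000000000000000000000000000000001::Old Upstream <old@example.org>::::::::::0:
pub:u:4096:1:2222222222222222:1609459200:1619827200::u:::scESC::::::23::0:
uid:u::::1609459200::0000000000000000000000000000000000000002::Soon Upstream <soon@example.org>::::::::::0:
pub:u:255:22:3333333333333333:1609459200:::u:::scESC::::::23::0:
uid:u::::1609459200::0000000000000000000000000000000000000003::Forever Upstream <forever@example.org>::::::::::0:
"""
SAMPLE_NOW = datetime(2021, 3, 26, tzinfo=timezone.utc)  # pinned for stable results

@dataclass
class KeyStatus:
    keyid: str
    uid: str
    expires: Optional[datetime]
    state: str  # "expired", "expiring", "ok" or "no-expiry"

def classify(expires: Optional[datetime], now: datetime, warn_days: int) -> str:
    if expires is None:
        return "no-expiry"
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def parse_keys(colon_output: str, now: datetime, warn_days: int = 90) -> List[KeyStatus]:
    """One KeyStatus per primary key (pub record), named by its first uid record."""
    keys: List[KeyStatus] = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 (index 6) is the expiry as epoch seconds; empty means no expiry.
            exp = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
            keys.append(KeyStatus(f[4], "", exp, classify(exp, now, warn_days)))
        elif f[0] == "uid" and keys and not keys[-1].uid:
            keys[-1].uid = f[9]
    return keys

def warnings(keys: List[KeyStatus], now: datetime) -> List[str]:
    """Lintian-style messages for the keys a maintainer should act on."""
    return [f"upstream-key-expired {k.keyid} ({k.uid})" if k.state == "expired"
            else f"upstream-key-expires-soon {k.keyid} in {(k.expires - now).days} days ({k.uid})"
            for k in keys if k.state in ("expired", "expiring")]
```

Run it against real output by piping `gpg --with-colons --show-keys debian/upstream/signing-key.asc` into `parse_keys` with `datetime.now(timezone.utc)`; the key with no expiry date produces no warning, which is the case the suggested check deliberately cannot help with.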