
Re: Questioning debian/upstream/signing-key.asc

* Russ Allbery <rra@debian.org> [2021-03-26 09:35]:
> We do have a trusted timestamp for the point at which the upstream tarball
> and signature were uploaded to the Debian archive, though, so if the key
> had not yet expired at that point, I think we can infer it wasn't expired
> when the signature was made.
Once the package has been uploaded, it no longer makes a difference
whether or not the upstream package was signed in the first place: any
package will be protected by the Debian archive keys anyway.  Without
that, as Ansgar pointed out, there is no trusted party left to
determine whether or not a signature has been backdated, because we have
to assume that an expired key might have been compromised at some point
(or the whole idea of key expiry becomes meaningless).

The upstream key is only really needed by the maintainer if and when they
package a new release, and this is exactly the time when uscan will
complain about an expired key.

What might be useful is a Lintian warning when an upstream key is soon to
expire, assuming that upstream cares enough to have a proper key
rotation scheme.

- Timo

Attachment: signature.asc
Description: PGP signature

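The check suggested above (warn when the key in debian/upstream/signing-key.asc is about to expire) and the archive-timestamp inference quoted from Russ, as an added example. This is not code from the thread, from Lintian, uscan or Debian; it parses the machine-readable `gpg --with-colons` listing of the key file. The sample listing, its key ids and fingerprint are constructed, and the 90-day warning threshold is an assumption.

```python
"""Lintian-style expiry check for an upstream signing key.

Added example (not Lintian, uscan or Debian code).  It parses the
machine-readable `gpg --with-colons` key listing, classifies each key
as ok / expires-soon / expired / no-expiry, and encodes the inference
from the thread that a trusted archive upload timestamp bounds the
signature's creation time.
"""
import calendar
import subprocess
import time
from typing import List, Optional, Tuple

# Constructed sample of
#   gpg --with-colons --import-options show-only --import debian/upstream/signing-key.asc
# Key ids and fingerprint are made up.  Colon fields (0-indexed after
# splitting on ':'): 0 record type, 4 key id, 5 creation date,
# 6 expiry date (epoch seconds, or blank when the key never expires).
# The pub key expires 2022-01-01 00:00 UTC; the sub key has no expiry.
SAMPLE_COLONS = """\
tru::1:1616750000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1577836800:1640995200::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1577836800::0123456789ABCDEF0123456789ABCDEF01234567::Example Upstream <upstream@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1577836800::::::e::::::23:
"""

SECONDS_PER_DAY = 86400
WARN_DAYS = 90  # assumed threshold for the "expires soon" warning


def parse_gpg_date(field: str) -> Optional[int]:
    """gpg prints dates as epoch seconds; newer versions may emit the ISO
    8601 basic form (e.g. 20220101T000000).  Blank means 'never expires'."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return calendar.timegm(time.strptime(field, "%Y%m%dT%H%M%S"))


def key_expiries(colons_output: str) -> List[Tuple[str, Optional[int]]]:
    """Return (key id, expiry epoch or None) for every pub and sub record."""
    result = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            result.append((fields[4], parse_gpg_date(fields[6])))
    return result


def expiry_status(expiry: Optional[int], now: int, warn_days: int = WARN_DAYS) -> str:
    """Classify one key relative to the time 'now' (epoch seconds)."""
    if expiry is None:
        return "no-expiry"
    if expiry <= now:
        return "expired"  # this is the case uscan already complains about
    if expiry - now <= warn_days * SECONDS_PER_DAY:
        return "expires-soon"  # the proposed Lintian warning
    return "ok"


def report(colons_output: str, now: int, warn_days: int = WARN_DAYS) -> List[Tuple[str, str]]:
    """Status of every key in the listing."""
    return [(keyid, expiry_status(exp, now, warn_days))
            for keyid, exp in key_expiries(colons_output)]


def signature_predates_expiry(upload_time: int, key_expiry: Optional[int]) -> bool:
    """The inference quoted in the thread: the archive upload timestamp is
    trusted, and the upstream signature was necessarily made before the
    upload, so a key that was unexpired at upload time was unexpired when
    the signature was made.  Only the trusted timestamp is used, never the
    creation time inside the signature packet, which the signer controls."""
    return key_expiry is None or upload_time <= key_expiry


def gpg_colons(keyfile: str) -> str:
    """Produce the listing for a real key file (not exercised by the sample)."""
    return subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
         "--import", keyfile],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    listing = gpg_colons(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COLONS
    for keyid, status in report(listing, int(time.time())):
        print(f"{keyid}: {status}")
```

Run it with the path to a signing-key.asc to check a real key, or with no argument to see the constructed sample classified. Note that the expiry check is only meaningful at packaging time, as the message above says: once the upload is in the archive, the archive signature takes over.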