
Re: Questioning debian/upstream/signing-key.asc



Timo Röhling <timo@gaussglocke.de> writes:

> Once the package has been uploaded, it no longer makes a difference
> whether or not the upstream package was signed in the first place: any
> package will be protected by the Debian archive keys anyway.

If this were the case, it would be fine to re-sign *.dsc files, but there
has been quite a lot of opposition to that in the past.  The upstream
signing key is at least as useful as the signature on the *.dsc file, for
exactly the same reasons.

> Without that, like Ansgar pointed out, there is no trusted party left to
> determine whether or not a signature has been backdated, because we have
> to assume that an expired key might have been compromised at some point
> (or the whole idea of key expiry becomes meaningless).

I don't understand this statement.  It sounds like you want to treat a key
expiration as synonymous with a revocation, but that isn't my
understanding of the semantics at all.

Key expiration, at least in my understanding, says that signatures made by
that key are valid up until the point that the key has expired, but not
after that point.  It cannot protect against key compromise prior to the
expiration date.  That's what a revocation is for.

> The upstream key is only really needed by the maintainer if and when
> they package a new release, and this is exactly the time when uscan will
> complain about an expired key.

If the upstream key is only used by the package maintainer at the time of
packaging, we shouldn't put it in the Debian package at all.  But I don't
believe that was the intent.

Personally, I'd be happy to drop the upstream signing keys from all of my
packages and save a bit of work.  I never use them as the package
maintainer because I'm the only upstream of my packaging that signs
packages, and therefore I already know the tarballs are authentic without
using a signature to prove it.  I include them only for the use of others.
If you're right that no one else cares, I'll save myself the time and
energy of refreshing them periodically.  But I'd like to see some
confirmation that people really don't care.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>