Re: Questioning debian/upstream/signing-key.asc
[ CCing Daniel. ]
On Fri, 2021-03-26 at 17:31:16 +0100, Ansgar wrote:
> On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
> > I'm not all that familiar with the intended semantics of OpenPGP key
> > expirations, but intuitively I think a signature made before the
> > expiration should be considered valid, even if the key has now
> > expired and thus shouldn't be used to make new signatures.
> How would you know that the signature was made before the key expired?
Ideally, because our tooling would not let such signatures through
into the archive, so we'd be able to tell automatically whether this
would hold at least at upload time.
(If the certificate would have expired at that time, I'd expect the
Debian maintainer to talk with the upstream maintainer about this.)
> Other systems (e.g. signed executables on Windows) have a trusted third
> party sign the timestamp for that, but OpenPGP doesn't do so.
If we are not going to trust the upstream signed signature timestamp,
then that seems like it should be the least of our worries? I don't
see why we'd trust the code upstream has provided?
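The check Guillem describes, tooling deciding at upload time whether a signature was made before the key expired, can be implemented over gpg's machine-readable status output (`--status-fd`), where `VALIDSIG` carries the signature's creation timestamp and `KEYEXPIRED` the key's expiration timestamp. The following is an added example written for this thread, not code from dak, Lintian or any Debian tool; the status lines, fingerprint, timestamps and user id are constructed samples, and the policy (reject a signature whose self-asserted creation time is after the key's expiry or after the upload time) is one possible reading of the thread, with the caveat Ansgar raises that the creation time is asserted by the signer, not by a trusted third party.

```python
"""Decide whether an OpenPGP signature was made before its key expired,
using gpg --status-fd output.  Added example; the status lines below are
constructed samples, not output captured from any real upload."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    accepted: bool
    reason: str
    sig_time: Optional[int] = None
    key_expiry: Optional[int] = None


def evaluate_status(status_text: str, upload_time: int) -> Verdict:
    """Apply the 'signed before expiry' policy to gpg status lines.

    upload_time is the time the archive tooling saw the upload (seconds
    since the epoch).  The signature creation time comes from the
    signature itself, so it is only as trustworthy as the signer.
    """
    sig_time = None
    key_expiry = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <sig_creation_date> <sig-timestamp>
            #          <expire-timestamp> <sig-version> ...
            sig_time = int(fields[4])
        elif keyword == "KEYEXPIRED":
            # KEYEXPIRED <expire-timestamp>: the signing key (or a subkey)
            # has expired at this time.
            key_expiry = int(fields[2])

    if sig_time is None:
        return Verdict(False, "no VALIDSIG line: signature not verified")
    if sig_time > upload_time:
        # A creation time after we received the upload cannot be right.
        return Verdict(False, "signature creation time is in the future",
                       sig_time, key_expiry)
    if key_expiry is not None and sig_time >= key_expiry:
        return Verdict(False, "signature made after the key expired",
                       sig_time, key_expiry)
    if key_expiry is not None:
        return Verdict(True, "key expired, but signature predates expiry "
                             "(per the signer's own timestamp)",
                       sig_time, key_expiry)
    return Verdict(True, "good signature from an unexpired key",
                   sig_time, key_expiry)


# Constructed samples.  Fingerprint, key id and address are placeholders;
# key expiry is 2020-09-13 (1600000000), upload seen on 2021-03-17.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
UPLOAD_TIME = 1616000000

# Signature created 2020-05-20, before the key expired: should be accepted.
STATUS_SIGNED_BEFORE_EXPIRY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1600000000
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Upstream Maintainer <upstream@example.org>
[GNUPG:] VALIDSIG {FPR} 2020-05-20 1590000000 0 4 0 1 10 00 {FPR}
"""

# Signature created 2021-01-07, after the key expired: should be rejected.
STATUS_SIGNED_AFTER_EXPIRY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1600000000
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Upstream Maintainer <upstream@example.org>
[GNUPG:] VALIDSIG {FPR} 2021-01-07 1610000000 0 4 0 1 10 00 {FPR}
"""

# Verification failed outright.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Upstream Maintainer <upstream@example.org>
"""

if __name__ == "__main__":
    for name, status in (("before expiry", STATUS_SIGNED_BEFORE_EXPIRY),
                         ("after expiry", STATUS_SIGNED_AFTER_EXPIRY),
                         ("bad signature", STATUS_BAD)):
        v = evaluate_status(status, UPLOAD_TIME)
        print(f"{name:14s} accepted={v.accepted}  ({v.reason})")
```

In practice the status text would come from `gpg --status-fd 1 --verify <file>.asc <file>` run against the keyring built from debian/upstream/signing-key.asc; the policy function itself never needs the key material, only gpg's verdict and the two timestamps.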