packages signed with unavailable keys
There are a few packages(1) in unstable whose .dsc file cannot be verified
as the key is not available. I assume that the key has been revoked and
removed from Debian's keyring.
I think if a developer does revoke their key, then they should re-sign and
re-upload all their packages.
If they don't, and it's OK for packages to exist without a valid signature,
then there isn't really much point in signing any packages; it gives a
false sense of security.
If users see a package that fails to verify then they should be thinking
"well, I'm not going to trust that package", but as it is they are more
likely to think "the maintainer probably revoked his key, it happens all
the time, it'll be right".
Is my thinking flawed here?
(1) I only checked a little way into the archive and found