packages signed with unavailable keys



There are a few packages(1) in unstable whose .dsc file cannot be verified
as the key is not available. I assume that the key has been revoked and
removed from Debian's keyring.

I think if a developer does revoke their key, then they should resign and
reupload all their packages.

If they don't, and it's OK for packages to exist without a valid signature,
then there isn't really much point in signing any packages; it gives a
false sense of security.

If users see a package that fails to verify then they should be thinking
"well, I'm not going to trust that package", but as it is they are more
likely to think "the maintainer probably revoked his key, it happens all
the time, it'll be right".

Is my thinking flawed here?


Glenn



(1) I only checked a little way into the archive and found

ascpu_1.9-2.dsc
asmix_1.3-2.dsc
asmem_1.8-2.dsc
glib-reference_000826-2.dsc
gtk-reference_000826-2.dsc
ude_0.2.6b-BETA-3.dsc
gnat-glade-doc_3.13p-1.dsc
wn_2.2.9-1.dsc
gforth_0.5.0-1.dsc
libmail-imapclient-perl_1.15-1.dsc
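The distinction the post draws (a .dsc whose signing key is simply absent from the keyring versus one that actually verifies) is what gpgv reports on its status channel. The script below is an added example, not Glenn's or Debian's code: it runs gpgv over a set of .dsc files against a keyring and reduces the status lines to one verdict per file, treating anything other than GOODSIG (including NO_PUBKEY) as a failure. The keyring path is an assumption and can be overridden with the KEYRING environment variable.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies .dsc files with gpgv
# and classifies the outcome from gpgv's machine-readable status lines.
# "Key unavailable" (NO_PUBKEY) is reported as a failure, not as "verified".
KEYRING="${KEYRING:-/usr/share/keyrings/debian-keyring.gpg}"   # assumed path

# classify_status reads "gpgv --status-fd 1" output on stdin and prints one
# word: GOODSIG, BADSIG, NO_PUBKEY, EXPKEYSIG, REVKEYSIG or UNKNOWN.
classify_status() {
    result=UNKNOWN
    while read -r prefix keyword rest; do
        # only "[GNUPG:] KEYWORD ..." lines carry the verdict; skip the rest
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG|BADSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                # keep the first decisive keyword; later lines such as
                # VALIDSIG or TRUST_* do not change the verdict
                if [ "$result" = UNKNOWN ]; then result="$keyword"; fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# verify_dsc prints "<verdict> <file>" and returns 0 only for GOODSIG.
# A .dsc is a clearsigned file, so gpgv takes it as a single argument.
verify_dsc() {
    dsc="$1"
    verdict=$(gpgv --keyring "$KEYRING" --status-fd 1 "$dsc" 2>/dev/null \
              | classify_status)
    printf '%s %s\n' "$verdict" "$dsc"
    [ "$verdict" = GOODSIG ]
}

# Usage: sh check-dsc.sh *.dsc   (exits 1 if any file is not GOODSIG)
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do verify_dsc "$f" || rc=1; done
    exit "$rc"
fi
```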
