
Re: Unverifiable Signature on Debian Security Advisory Emails



On Fri, Dec 12, 2014 at 11:20:12AM -0500, Hubert Chathi wrote:
> On Fri, 12 Dec 2014 10:17:25 +0100, Sébastien NOBILI <sebnewsletter@free.fr> said:
> > Hi,
> > On Thursday 11 December 2014 at 21:46, Hubert Chathi wrote:
> >> On Thu, 11 Dec 2014 17:28:32 -0800, Jeremie Marguerie
> >> <jeremie@marguerie.org> said:
> >> > I guess there might/should be something on the official website with
> >> > the key ID of official members.
> >> 
> >> apt-get install debian-keyring?
> 
> > Thanks for pointing out this package.
> 
> > I'm using the stable branch and its contents are outdated (April 2013), so
> > many of the announcements can't be verified this way…
> 
> > The same applies to the Jessie version (August 2014)…
> 
> > Shouldn't this package follow the Sid version even for the stable branch?
> > What's the use of outdated keys that aren't used anymore?
> 
> Yeah, and it should probably be added to stable-updates.

That causes problems with verifying signatures from keys that were valid
at the point in time stable released (and may still be valid, if no
longer part of the active Debian keyring).

The debian-keyring package is a convenience package, and there has been
some discussion about getting rid of it entirely due to it causing
confusion like this. If you want the active Debian keyrings then you
should be rsyncing from keyring.debian.org. If you want the ability to
do archaeology on older keyring versions then you probably want the git
tree (http://anonscm.debian.org/cgit/keyring/keyring.git/).

J.

-- 
If plugging it in doesn't help, turn it on.
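
The rsync-and-verify approach suggested in the message above, as an added example that is not part of the original post: it syncs the active keyrings, runs `gpgv` against every synced keyring, and accepts the advisory only if the status output names a valid signer. The function names are hypothetical, the rsync module path is assumed to be the one published on keyring.debian.org, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify a clearsigned advisory against
# keyrings synced from keyring.debian.org and report the signer's fingerprint.

# Assumption: rsync module path as published on keyring.debian.org.
KEYRING_SRC="keyring.debian.org::keyrings/keyrings/"

sync_keyrings() {                       # $1 = local destination directory
    mkdir -p "$1" && rsync -az "$KEYRING_SRC" "$1/"
}

# Read `gpgv --status-fd` lines on stdin. Print the signing key fingerprint and
# return 0 only if a VALIDSIG was seen and nothing marked the signature as bad,
# unverifiable, or made by an expired/revoked key.
signer_from_status() {
    awk '$1 == "[GNUPG:]" {
             if ($2 == "VALIDSIG") fpr = $3
             if ($2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)$/) bad = 1
         }
         END { if (fpr != "" && !bad) { print fpr } else { exit 1 } }'
}

verify_advisory() {                     # $1 = keyring dir, $2 = advisory file
    va_dir=$1; va_msg=$2
    set --
    for va_f in "$va_dir"/*.gpg; do     # every synced keyring, not just one
        if [ -f "$va_f" ]; then set -- "$@" --keyring "$va_f"; fi
    done
    if [ $# -eq 0 ]; then
        echo "no keyrings found in $va_dir" >&2
        return 2
    fi
    gpgv --status-fd 1 "$@" "$va_msg" 2>/dev/null | signer_from_status
}

# Constructed sample of gpgv status output (fingerprint is a placeholder).
SAMPLE_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-12-12 1418400000 0 4 0 1 8 01 0123456789ABCDEF0123456789ABCDEF01234567'

# Typical use (needs network, rsync and gpgv):
#   sync_keyrings ./keyrings && verify_advisory ./keyrings dsa-mail.txt
```

A printed fingerprint only shows that some key in the synced keyrings made the signature; compare it with the key you expect for the advisory's sender.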

