
Re: Unverifiable Signature on Debian Security Advisory Emails



* Jonathan McDowell <noodles@earth.li>, 2014-12-12, 16:46:
> Yeah, and it should probably be added to stable-updates.

+1

> That causes problems with verifying signatures from keys that were valid at the point in time stable released

Usefulness of dsc signatures for source packages in the archive is very limited anyway. People should be using the archive signature instead (or rather let "apt-get source" verify it for them).

Also, it works both ways. None of my packages can be verified using stable's debian-keyring, because the key is expired. I updated the expiration date, but this update is only in unstable.

> (and may still be valid, if no longer part of the active Debian keyring).

Or perhaps the signature looks valid despite the fact it was created by a key that is now known to be compromised...

> The debian-keyring package is a convenience package, and there has been some discussion about getting rid of it entirely due to it causing confusion like this. If you want the active Debian keyrings then you should be rsyncing from keyring.debian.org. If you want the ability to do archaeology on older keyring versions then you probably want the git tree (http://anonscm.debian.org/cgit/keyring/keyring.git/).

How do I verify authenticity of a keyring that was retrieved by rsync or git?

--
Jakub Wilk
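The cases the thread walks through (a signature that verifies but whose key has since expired, one whose key has since been revoked, one whose key is not in the keyring at hand) are distinguishable only if you read gpg's machine-readable status output rather than its exit code. The following is an added example of doing that, written for this page and not code from the thread or from Debian; the keyring path in the comment and the sample status lines are constructed assumptions.

```python
"""Classify gpg --status-fd output when verifying a .dsc against one chosen keyring."""
import subprocess

# Status keywords gpg emits on the status fd (documented in gnupg's doc/DETAILS).
# REVKEYSIG and EXPKEYSIG both mean the signature itself checks out; only the
# key's status differs, which a plain "did gpg exit 0?" test cannot tell apart.
_VERDICTS = {
    "REVKEYSIG": "revoked-key",   # good signature, key revoked (the "compromised key" case)
    "EXPKEYSIG": "expired-key",   # good signature, key expired (e.g. stale debian-keyring)
    "EXPSIG": "expired-sig",      # the signature carries its own expiry and it has passed
    "GOODSIG": "good",
    "BADSIG": "bad",
    "NO_PUBKEY": "missing-key",   # key absent from the keyring we passed
    "ERRSIG": "error",
}
_WITH_UID = {"GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# Most severe first: a BADSIG must never be masked by a later GOODSIG line.
_SEVERITY = ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG", "GOODSIG")

def classify_status(lines):
    """Return {'verdict', 'keyid', 'uid', 'fingerprint'} from '[GNUPG:] ...' lines."""
    result = {"verdict": "error", "keyid": None, "uid": None, "fingerprint": None}
    seen = set()
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split(" ", 3)          # ['[GNUPG:]', KEYWORD, arg1, rest]
        keyword = fields[1]
        if keyword == "VALIDSIG":
            result["fingerprint"] = fields[2]
        elif keyword in _VERDICTS:
            seen.add(keyword)
            result["keyid"] = fields[2]
            if keyword in _WITH_UID and len(fields) > 3:
                result["uid"] = fields[3]
    for keyword in _SEVERITY:
        if keyword in seen:
            result["verdict"] = _VERDICTS[keyword]
            break
    return result

def verify_with_keyring(signed_file, keyring):
    """Verify one file against exactly one keyring file (assumed path, e.g.
    /usr/share/keyrings/debian-keyring.gpg) instead of the user's default keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signed_file],
        capture_output=True, text=True)
    return classify_status(proc.stdout.splitlines())

# Constructed sample status output for an upload signed with a key that has since expired.
SAMPLE_EXPIRED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Developer <dev@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-12-12 1418400000 0 4 0 1 10 01",
    "[GNUPG:] KEYEXPIRED 1400000000",
]
```

Treat "expired-key" as "re-check against a current keyring" rather than as a failure, since the key may well have been valid when the .dsc was signed.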

