
Re: Unverifiable Signature on Debian Security Advisory Emails



On Fri, Dec 12, 2014 at 08:39:28PM +0100, Jakub Wilk wrote:
> * Jonathan McDowell <noodles@earth.li>, 2014-12-12, 16:46:
> >>Yeah, and it should probably be added to stable-updates.
> 
> +1
> 
> >That causes problems with verifying signatures from keys that were
> >valid at the point in time stable released
> 
> Usefulness of dsc signatures for source packages in the archive is
> very limited anyway. People should be using the archive signature
> instead (or rather let "apt-get source" verify it for them).
> 
> Also, it works both ways. None of my packages can be verified using
> stable's debian-keyring, because the key is expired. I updated the
> expiration date, but this update is only in unstable.

What's the check that you're expecting to be done here? Packages that
are in the archive aren't validated using the keyring package, but
instead the trust path of the archive keyring and the hashes in the
Packages file.

> >(and may still be valid, if no longer part of the active Debian
> >keyring).
> 
> Or perhaps the signature looks valid despite the fact it was created
> by a key that is now known to be compromised...

Indeed, which is an argument for dropping the package and getting people
to use keyservers if they want to retrieve keys.

> >The debian-keyring package is a convenience package, and there has
> >been some discussion about getting rid of it entirely due to it
> >causing confusion like this. If you want the active Debian
> >keyrings then you should be rsyncing from keyring.debian.org. If
> >you want the ability to do archaeology on older keyring versions
> >then you probably want the git tree
> >(http://anonscm.debian.org/cgit/keyring/keyring.git/).
> 
> How do I verify authenticity of a keyring that was retrieved by
> rsync or git?

For rsync the sha512sums.txt file is signed by myself, Gunnar or Daniel
(rsync keyring.debian.org::keyrings to get that file; this is how the
Debian infrastructure works). For git the changesets are signed, again
by myself, Gunnar or Daniel depending on who made them.

J.

-- 
Don't just stand there, kill something.
This .sig brought to you by the letter I and the number 31
Product of the Republic of HuggieTag

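An added example (not code from this thread or from the Debian keyring maintainers) of the rsync-side check described in the reply above: verify the signature on sha512sums.txt against a keyring holding only the maintainers' keys, then compare each mirrored keyring file against the signed SHA-512 listing. It assumes sha512sums.txt is clearsigned in `sha512sum` line format and that the caller supplies the path of the trusted keyring file; the sample listing and file contents are constructed.

```python
import hashlib
import re
import subprocess

# One `sha512sum` output line: 128 hex chars, two spaces, filename.
SUM_LINE = re.compile(r"^([0-9a-f]{128})  (\S+)$")

def verify_signature(sums_path, trusted_keyring):
    """Fail unless sums_path carries a good clearsign from a key in
    trusted_keyring (assumed path); --no-default-keyring keeps stray
    keys in ~/.gnupg from vouching for the file."""
    res = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring",
         trusted_keyring, "--verify", sums_path],
        capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError("signature check failed: " + res.stderr.strip())

def parse_sha512sums(text):
    """Map filename -> hex digest, skipping armor and signature lines."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums

def check_digests(sums, contents):
    """Return names whose bytes differ from the signed digest or are missing.
    Only meaningful after verify_signature has accepted the listing."""
    return sorted(name for name, digest in sums.items()
                  if name not in contents
                  or hashlib.sha512(contents[name]).hexdigest() != digest)

# Constructed sample (not a real keyring.debian.org listing): digests are
# computed here and the signature block is a placeholder.
GOOD = b"constructed stand-in for debian-keyring.gpg"
ORIGINAL = b"constructed stand-in for debian-maintainers.gpg"
SAMPLE_SUMS = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
    f"{hashlib.sha512(GOOD).hexdigest()}  debian-keyring.gpg\n"
    f"{hashlib.sha512(ORIGINAL).hexdigest()}  debian-maintainers.gpg\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")

def demo():
    """Mirror in which one keyring changed after the listing was signed."""
    contents = {"debian-keyring.gpg": GOOD,
                "debian-maintainers.gpg": ORIGINAL + b"\x00"}
    return check_digests(parse_sha512sums(SAMPLE_SUMS), contents)
```

Run verify_signature on the real sha512sums.txt before trusting any digest in it; without that step a tampered listing would simply match tampered files.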

