Re: Expired GPG keys of older release

To: debian-user@lists.debian.org
Subject: Re: Expired GPG keys of older release
From: <tomas@tuxteam.de>
Date: Wed, 20 Jun 2018 09:21:02 +0200
Message-id: <[🔎] 20180620072102.GA18456@tuxteam.de>
In-reply-to: <[🔎] ddca0514-7d2b-2a77-4246-e0c4525125cb@hitec.lu>
References: <[🔎] ddca0514-7d2b-2a77-4246-e0c4525125cb@hitec.lu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 19, 2018 at 09:22:22AM +0200, Adam Cecile wrote:
> Hello,
> 
> 
> GPG key that signed the Squeeze repo is now expired. How should I
> handle this properly ? Despite the key is expired, it use to be
> valid and I don't like much the idea of going for [trusted=yes] for
> each impacted sources.list entry.

Squeeze is, as others have noticed, beyond "end-of-life". That means
that it is "archived". It won't change. Ever.

Re-signing the packages with fresh keys would mean "change". Bad idea.

And just extending the keys' validity (as someone proposed in this
thread) seems a bad idea too, since the requirement for secure keys
evolves over time, as the NSA^H^H^H bad guys buy more GPUs.

So as far as I see it, there's no easy solution to that. I guess
you'll have to live with an expired key.

Perhaps one could talk the Apt folks into treating expired keys
in a different way than plain invalid or non-existing ones. I
wouldn't hold my breath, though.

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlsqAF4ACgkQBcgs9XrR2kY9tQCffzppTznd/U5l0HKW8q3uVya3
oCIAn14QUYeEe64pbqTEmXHe8ipWH/SN
=AG66
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Expired GPG keys of older release
  - From: James Cloos <cloos@jhcloos.com>

References:
- Expired GPG keys of older release
  - From: Adam Cecile <adam.cecile@hitec.lu>

Prev by Date: Ntp not working
Next by Date: Re: Expired GPG keys of older release
Previous by thread: Re: Expired GPG keys of older release
Next by thread: Re: Expired GPG keys of older release
Index(es):
- Date
- Thread