Re: Expired GPG keys of older release

To: debian-user@lists.debian.org
Subject: Re: Expired GPG keys of older release
From: <tomas@tuxteam.de>
Date: Thu, 21 Jun 2018 08:53:27 +0200
Message-id: <[🔎] 20180621065327.GA24840@tuxteam.de>
In-reply-to: <[🔎] 20180620200602.4434kaip3qzgwwpy@qor.donarmstrong.com>
References: <[🔎] ddca0514-7d2b-2a77-4246-e0c4525125cb@hitec.lu> <[🔎] ea9f16bd-7564-664f-087f-5f6c3b68784a@mail.com> <[🔎] 5F0AA188-6C45-48AA-A32D-96BD7308DC54@hitec.lu> <[🔎] 20180619204823.hn7yz27gxokmqhjv@qor.donarmstrong.com> <[🔎] 29897804-a005-d77c-1d99-4d88fae7b917@hitec.lu> <[🔎] 20180620173719.7frumlurrfygjxor@qor.donarmstrong.com> <[🔎] 20180620192908.GB5520@tuxteam.de> <[🔎] 20180620200602.4434kaip3qzgwwpy@qor.donarmstrong.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 20, 2018 at 01:06:02PM -0700, Don Armstrong wrote:
> On Wed, 20 Jun 2018, tomas@tuxteam.de wrote:
> > Since it seems that an archived Debian release is bound to have an
> > expired key, would you agree that it'd be useful to have an option to
> > accept such a key?
> 
> Probably. I would not put my personal development time into if existing
> features don't already support it, though. Releases as old as squeeze
> are known to have multiple security exploits, and shouldn't be used at
> all for new installations. Therefore I can't argue for someone else to
> spend their development time implementing such a feature.

Understood. And for squeeze the horses are already out, as Ansgar points
out downstream. But somehow it seems worth thinking about, since it is
a structural problem (how do people solve the "old signed documents"
problem" anyway?).

It is clear that an archived release has (known & unknown) unfixed security
problems, since it doesn't change. And veryfying the key can only tell
you "well, at the time this seems to have been signed correctly". Perhaps
the new Debian maintainers can attest to this fact with new signatures.

In short, this is going to haunt us beyond Unix "end-of-time" (with a
tip of the hat to Ansgar).

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlsrS2cACgkQBcgs9XrR2kayEgCfREHbAQtIs+TCYGxiim4eXocy
IOsAmgO1iOdreJVvxstzxA/IdfMOhE6V
=HgoW
-----END PGP SIGNATURE-----

Reply to:

References:
- Expired GPG keys of older release
  - From: Adam Cecile <adam.cecile@hitec.lu>
- Re: Expired GPG keys of older release
  - From: john doe <johndoe65534@mail.com>
- Re: Expired GPG keys of older release
  - From: Adam Cecile <adam.cecile@hitec.lu>
- Re: Expired GPG keys of older release
  - From: Don Armstrong <don@debian.org>
- Re: Expired GPG keys of older release
  - From: Adam Cecile <adam.cecile@hitec.lu>
- Re: Expired GPG keys of older release
  - From: Don Armstrong <don@debian.org>
- Re: Expired GPG keys of older release
  - From: <tomas@tuxteam.de>
- Re: Expired GPG keys of older release
  - From: Don Armstrong <don@debian.org>

Prev by Date: Re: USB Host-Host cables
Next by Date: Re: Expired GPG keys of older release
Previous by thread: Re: Expired GPG keys of older release
Next by thread: Re: Expired GPG keys of older release
Index(es):
- Date
- Thread