-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Jun 22, 2018 at 11:48:00PM -0500, David Wright wrote:
> On Fri 22 Jun 2018 at 21:12:51 (+0200), tomas@tuxteam.de wrote:

[...]

> Well, I attempted to supply that in
> https://lists.debian.org/debian-user/2018/06/msg00528.html
> but I have no idea whether that would be achievable in docker
> or not because the suggestion has had no follow-up.

I'm not the docker guy, and there are lots of "interesting" things
around, so I won't be the one. But I'm curious too...

> BTW Reading your "Keys *have* to expire at some point, and you can't
> re-sign archived packages with a fresh key", it's not clear why the
> expired key can't be unexpired, i.e. given an expiration date in the
> future, if it's known to be still good.

Yes, you're right: a GPG key's validity can be extended with a new
certificate (whether it's responsible to do so is another thing, since
available computing power grows, *and* there has been more time to
hack at this key, its crypto, and for things to leak). So practically
speaking, keys still have to expire at some point.