Re: many builds missing for krb5-appl & opensaml2 in stable-security

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On Wed, 5 Oct 2011 12:43:26 +0200, Thijs Kinkhorst wrote:
> Op maandag 03 oktober 2011 19:48:47 schreef Thijs Kinkhorst:
> > Hi Kurt,
> >
> > Op zondag 25 september 2011 17:48:46 schreef Kurt Roeckx:
> > > On Sun, Sep 25, 2011 at 01:35:46PM +0200, Kurt Roeckx wrote:
> > > > I also don't understand why they get rejected once the key
> > > > expired.  The signatures are from before the key expired and
> > > > perfectly valid.
> > >
> > > I should probably clarify this.  Of course you can't trust that
> > > the signature wasn't made after the key expired.
> >
> > Why do these keys expire so quickly? Can't we have a really large 
> > window,
> > say a year, in which the key stays valid after the date it was last 
> > in
> > use?
> >
> > > But we really should have a process so that once it's accepted it
> > > stays accepted, even when it moves to an other host.
> >
> > How do you propose we solve this concrete issue?
>
> I prefer that at least the krb5-appl and opensaml2 builds are made 
> available
> before the point release this weekend. Let me know what I can do to 
> help.

As an additional data point, simply getting the missing builds uploaded 
won't currently resolve the issue for either krb5-appl or opensaml2, as 
some of the builds already in p-u-NEW are signed by now-expired keys.

Regards,

Adam