
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one



On Tue, Jan 03, 2006 at 10:58:28AM -0800, Joshua Rodman wrote:
> Since the year has turned over, apt-get update now produces the error: 
> [...]
> Reading package lists... Done
> W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
> W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Fwiw, the Release.gpg file contains two signatures now, one with the
2005 key and one with the 2006 key, to have a short transition period. The
archive still validates with the 2005 key, which isn't expired yet, and I think
APT should not spread too worrisome errors at users while the archive can still
be verified. Only when the 2005 key expires and the user still hasn't imported
the 2006 key (some mechanism needs to be implemented for that for it to
happen cleanly and in a user-friendly way) should apt really bail out on the
user.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
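
Added example, not part of the original message and not APT's own code: a sketch of the policy the message proposes, applied to `gpgv --status-fd` style lines for a Release.gpg that carries two signatures. The key ID `0000000000002005` and the user ID strings are constructed placeholders, and failing on any BADSIG is an assumption of this sketch.

```python
from enum import Enum

class Verdict(Enum):
    OK = "ok"      # every signature verified against a usable key
    WARN = "warn"  # archive verified, but one signing key is unusable locally
    FAIL = "fail"  # nothing verified, or a signature is cryptographically bad

# Status keywords meaning "this signature could not be used"; first arg is the key ID.
UNUSABLE = {"NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text):
    """Return (Verdict, good_keys, unusable_keys) for one Release.gpg check."""
    good, unusable, bad = [], [], []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue  # not a status line, or no key ID argument
        tag, keyid = parts[1], parts[2]
        if tag == "GOODSIG":
            good.append(keyid)
        elif tag in UNUSABLE:
            unusable.append(keyid)
        elif tag == "BADSIG":
            bad.append(keyid)
    # Assumption: a bad signature always fails, even beside a good one.
    if bad or not good:
        return Verdict.FAIL, good, unusable
    return (Verdict.WARN if unusable else Verdict.OK), good, unusable

# Constructed status output; 0000000000002005 stands in for the 2005 key ID.
TRANSITION = """\
[GNUPG:] GOODSIG 0000000000002005 Constructed 2005 Archive Key
[GNUPG:] NO_PUBKEY 010908312D230C5F
"""
AFTER_EXPIRY = """\
[GNUPG:] EXPKEYSIG 0000000000002005 Constructed 2005 Archive Key
[GNUPG:] NO_PUBKEY 010908312D230C5F
"""
TAMPERED = """\
[GNUPG:] BADSIG 0000000000002005 Constructed 2005 Archive Key
[GNUPG:] GOODSIG 010908312D230C5F Constructed 2006 Archive Key
"""

if __name__ == "__main__":
    for name, text in [("transition", TRANSITION),
                       ("after expiry", AFTER_EXPIRY),
                       ("tampered", TAMPERED)]:
        verdict, good, unusable = classify(text)
        print(f"{name}: {verdict.value} good={good} unusable={unusable}")
```
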


