
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one



On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > Fwiw, the Release.gpg file contains two signatures now, one with the
> > 2005 key and one with the 2006 key, to have a short transition period. The archive
> > still validates with the 2005 key, which isn't expired yet, and I think APT
> > should not spread too worrisome errors at users while the archive can still
> > be verified.
> 
> Not to contradict you, since my understanding of these issues is
> strongly limited, but apt seems to think that it cannot validate the
> archive?

I know, I said "should", because I believe apt should deal with the
multiple signatures correctly, instead of the current behaviour of (it
seems) only looking at the last one and/or requiring all signatures to
verify.

Apt needs to be satisfied with just at least one of the multiple
signatures verifying, so that there can be turnover periods, and for
example third party repositories can have multiple signatures too, for
certain circumstances.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
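The two policies discussed in this thread, shown over gpgv-style status output for a Release.gpg carrying both an old and a new archive signature. This is an added example, not apt's own code; the status lines and key ids are constructed placeholders, and it assumes the usual `[GNUPG:] GOODSIG/BADSIG/NO_PUBKEY` keywords from `gpgv --status-fd`.

```python
# Constructed gpgv --status-fd output for a Release.gpg with two signatures:
# the 2005 key is in the local keyring and verifies, the 2006 key is not
# yet known locally. Key ids and user ids are placeholders.
TRANSITION = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key (2005) <placeholder@example.org>
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

# Constructed output where the checkable signature fails: the signed data
# was altered, so this must never be accepted, whatever the other signature says.
TAMPERED = """\
[GNUPG:] BADSIG 0123456789ABCDEF Example Archive Key (2005) <placeholder@example.org>
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

GOOD = {"GOODSIG"}
BAD = {"BADSIG"}
# Signatures that could not be checked at all, or were made by a key that is
# expired or revoked: they neither count for nor against the file.
UNCHECKABLE = {"NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_status(status: str):
    """Return one (keyword, keyid) tuple per signature-level status line."""
    sigs = []
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if fields and fields[0] in GOOD | BAD | UNCHECKABLE:
            sigs.append((fields[0], fields[1]))
    return sigs


def require_all(sigs):
    """Behaviour the bug report describes: every signature must verify, so a
    second signature by a key the user does not have yet breaks the archive."""
    return bool(sigs) and all(kw in GOOD for kw, _ in sigs)


def at_least_one_good(sigs):
    """Policy argued for in the mail: one good signature from a trusted key is
    enough, signatures by unknown keys are ignored, but a BADSIG on data that
    could be checked is still fatal (the file no longer matches what was signed)."""
    if any(kw in BAD for kw, _ in sigs):
        return False
    return any(kw in GOOD for kw, _ in sigs)


if __name__ == "__main__":
    for name, out in (("transition", TRANSITION), ("tampered", TAMPERED)):
        sigs = parse_status(out)
        print(name, "require_all:", require_all(sigs),
              "at_least_one_good:", at_least_one_good(sigs))
```

The transition file is rejected under the all-must-verify rule and accepted under the at-least-one rule, while the tampered file is rejected under both.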
