
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one



On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, one with the
> > > 2005 key and one with the 2006 key, to have a short transition period. The archive
> > > still validates with the 2005 key, which isn't expired yet, and I think APT
> > > should not spread too worrisome errors at users while the archive can still
> > > be verified.
> > 
> > Not to contradict you, since my understanding of these issues is
> > strongly limited, but apt seems to think that it cannot validate the
> > archive?
> 
> I know, I said "should", because I believe apt should deal with the
> multiple signatures correctly, instead of the current behaviour of (it
> seems) only looking at the last one and/or requiring all signatures to
> verify.
> 
> Apt needs to be satisfied with just at least one of the multiple
> signatures verifying, so that there can be turnover periods, and for
> example third party repositories can have multiple signatures too, for
> certain circumstances.

Sorry for the late reply. I'm working on fixing the gpgv method to
properly support multiple signatures right now and will (hopefully) do
an upload really soon.

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
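The policy Jeroen asks for above (accept the archive when at least one of the signatures in Release.gpg verifies) can be expressed as a decision over the status lines that `gpgv --status-fd` prints. The code below is an added example for this thread, not apt's gpgv method and not code from any of the posters; it relies on gpgv's GOODSIG, BADSIG, EXPKEYSIG and NO_PUBKEY status keywords, while the key IDs, user IDs and sample status outputs are constructed for the example. It puts the "at least one good signature" rule beside the two behaviours the thread suspects apt of having (requiring every signature to verify, or looking only at the last one) and shows how each rule decides the year-turnover case.

```python
"""Decide whether a Release.gpg carrying several detached signatures verifies,
by classifying the lines that `gpgv --status-fd 1` emits.

Every key ID, user ID and status transcript in this file is constructed for
the example; none of them is a real Debian archive key.
"""
import re
from dataclasses import dataclass

# gpgv reports one status line per signature it examined. GOODSIG is only
# emitted for keys present in the keyring passed to gpgv, so GOODSIG already
# implies "signed by a key we trust".
STATUS_RE = re.compile(
    r"^\[GNUPG:\] (GOODSIG|BADSIG|EXPKEYSIG|NO_PUBKEY)\s+([0-9A-Fa-f]+)(?:\s+(.*))?$"
)


@dataclass
class SigResult:
    status: str   # GOODSIG, BADSIG, EXPKEYSIG or NO_PUBKEY
    keyid: str    # hex key ID as printed by gpgv
    uid: str      # user ID text, empty for NO_PUBKEY


def parse_status(text: str) -> list[SigResult]:
    """Extract the per-signature verdicts from a gpgv status-fd transcript."""
    results = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            results.append(SigResult(m.group(1), m.group(2).upper(), m.group(3) or ""))
    return results


def verify_all(sigs: list[SigResult]) -> bool:
    """Strict rule the thread suspects: every signature must be good."""
    return bool(sigs) and all(s.status == "GOODSIG" for s in sigs)


def verify_last(sigs: list[SigResult]) -> bool:
    """Other suspected rule: only the last signature examined counts."""
    return bool(sigs) and sigs[-1].status == "GOODSIG"


def verify_any_good(sigs: list[SigResult]) -> bool:
    """Rule requested in the thread: at least one good signature suffices.

    Design choice for this example: a signature from a key we simply do not
    have (NO_PUBKEY) is tolerated, because during a key rollover a user may
    not yet hold the new key; a signature that is present but invalid
    (BADSIG) is treated as a reason to reject, since a correctly built
    Release.gpg never contains one.
    """
    good = [s for s in sigs if s.status == "GOODSIG"]
    bad = [s for s in sigs if s.status == "BADSIG"]
    return bool(good) and not bad


def summarize(sigs: list[SigResult]) -> dict[str, list[str]]:
    """Group key IDs by verdict, the information a user-facing error should carry."""
    groups: dict[str, list[str]] = {"good": [], "expired": [], "unknown": [], "bad": []}
    names = {"GOODSIG": "good", "EXPKEYSIG": "expired", "NO_PUBKEY": "unknown", "BADSIG": "bad"}
    for s in sigs:
        groups[names[s.status]].append(s.keyid)
    return groups


# Constructed transcript: user still has only the 2005 key during the
# transition, so the 2006 signature cannot be checked yet.
TURNOVER = """\
[GNUPG:] GOODSIG 1111111111112005 Example Archive Signing Key (2005)
[GNUPG:] NO_PUBKEY 2222222222222006
"""

# Constructed transcript: after the old key expired and the new key was
# installed, the old signature is only "good but from an expired key".
AFTER_EXPIRY = """\
[GNUPG:] EXPKEYSIG 1111111111112005 Example Archive Signing Key (2005)
[GNUPG:] GOODSIG 2222222222222006 Example Archive Signing Key (2006)
"""

# Constructed transcript: the file was altered after signing.
TAMPERED = """\
[GNUPG:] BADSIG 1111111111112005 Example Archive Signing Key (2005)
[GNUPG:] NO_PUBKEY 2222222222222006
"""

if __name__ == "__main__":
    for name, text in (("turnover", TURNOVER), ("after expiry", AFTER_EXPIRY), ("tampered", TAMPERED)):
        sigs = parse_status(text)
        print(f"{name:13} all={verify_all(sigs)!s:5} last={verify_last(sigs)!s:5} "
              f"any_good={verify_any_good(sigs)!s:5} {summarize(sigs)}")
```

On the turnover transcript the strict and last-only rules both reject an archive that the 2005 key still validates, which is exactly the spurious error the bug report describes; the at-least-one rule accepts it and the summary still names the key the user is missing, so the message shown can be informative rather than alarming.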
