
Bug#433091: ignores expiry of archive keys



Hi Martin,

Going through the security issues to fix before lenny, I came by this bug.

> > If I update from an archive whose key recently expired and I have
> > not yet updated the local copy via apt-key -- the local keyring says
> > it's expired -- APT does not complain but just proceeds. I think it
> > should *at least* warn.

> For its first birthday, I am giving this bug report a severity
> upgrade and a tag.

I think key expiry is a rather peripheral part of the PGP model. It's designed 
to combat proliferation of keys for which the private key was lost.

While it is desirable to implement key expiry, and I hope that the APT team 
will do so, I do have doubts whether this should be critical for the release 
of Debian Lenny. Can you provide a scenario that illustrates the criticality 
of this issue?


cheers,
Thijs
