Hi Martin, Going through the security issues to fix before lenny, I came by this bug. > > If I update from an archive whose key recently expired and I have > > not yet updated the local copy via apt-key -- the local keyring says > > it's expired -- APT does not complain but just proceeds. I think it > > should *at least* warn. > For its first birthday, I am giving this bug report a severity > upgrade and a tag. I think key expiry is a rather peripheral part of the PGP model. It's designed to combat proliferation of keys for which the private key was lost. While it is desirable to implement key expiry, and I hope that the APT team will do so, I do have doubts whether this sould be critical for the release of Debian Lenny. Can you provide a scenario that illustrates the criticality of this issue? cheers, Thijs
Attachment:
pgp2OE3wzvD3V.pgp
Description: PGP signature