Jonathan McDowell <nood...@earth.li> writes:

> On Mon, Dec 04, 2023 at 11:07:38AM +0100, Simon Josefsson wrote:
>> Judit Foglszinger <ur...@riseup.net> writes:
>>
>> > Dmitri, could you re-run the numbers with the debian-maintainer
>> >> > keyring?
>> >>
>> >> That is correct. I have updated the results now. The 2,455 no
>> >> public key has now become 1,238
>> >
>> > Another is the DN keyring. Also I'd expect many keys to be found in
>> > older versions of the keyring package/keyring repository and on
>> > keyservers like keyserver.ubuntu.com
>>
>> Removing old keys is usually a bad idea -- could these be moved to a
>> "archived" keyring instead? I assume having them in the "live"
>> keyring is not possible if the presence of a key in that file is used
>> to make authorization decisions.
>>
>> You want to be able to verify old signatures in 20+ years too, and
>> then you need to be able to find the corresponding public key.
>
> For a long time we had a "removed" keyring, but we decided that we
> didn't want to continue shipping a keyring that was explicitly a set of
> keys we could not vouch for the trust of (whether that be because they
> were revoked, lost, weak, or whatever). If you really want to find old
> keys there is 15+ years of history in the keyring git repository, as
> Judit mentioned:
>
> https://salsa.debian.org/debian-keyring/keyring/
I think that is unfortunate and not sustainable over time: you need to have access to the public keys to verify old signatures, and for as long as the old signatures are published we should make a public keyring for them easily available. Which I suspect means essentially forever, due to archive.debian.org.

I don't think it really matters if the old public key is weak or invalid: if we know of a public key published at the time as some signature that was possible to verify using software available at that time, we should publish that public key.

Was there a real practical situation that couldn't be resolved that led to dropping the "removed" keyring? What were the details? Maybe this decision could be reverted with some effort.

/Simon