-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 20, 2018 at 01:06:02PM -0700, Don Armstrong wrote:
> On Wed, 20 Jun 2018, to...@tuxteam.de wrote:
> > Since it seems that an archived Debian release is bound to have an
> > expired key, would you agree that it'd be useful to have an option to
> > accept such a key?
>
> Probably. I would not put my personal development time into it if existing
> features don't already support it, though. Releases as old as squeeze
> are known to have multiple security exploits, and shouldn't be used at
> all for new installations. Therefore I can't argue for someone else to
> spend their development time implementing such a feature.

Understood. And for squeeze the horses are already out, as Ansgar points
out downstream.

But somehow it seems worth thinking about, since it is a structural
problem (how do people solve the "old signed documents" problem anyway?).

It is clear that an archived release has (known & unknown) unfixed
security problems, since it doesn't change. And verifying the key can
only tell you "well, at the time this seems to have been signed
correctly". Perhaps the new Debian maintainers can attest to this fact
with new signatures.

In short, this is going to haunt us beyond Unix "end-of-time" (with a
tip of the hat to Ansgar).

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlsrS2cACgkQBcgs9XrR2kayEgCfREHbAQtIs+TCYGxiim4eXocy
IOsAmgO1iOdreJVvxstzxA/IdfMOhE6V
=HgoW
-----END PGP SIGNATURE-----
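The "at the time this seems to have been signed correctly" distinction in the message above can be made mechanical. The following is an added example, not code from this thread, from apt or from GnuPG: it parses the machine-readable lines that `gpg --status-fd` emits when verifying a detached signature such as a `Release.gpg`, and separates a signature that is cryptographically good but made with a key that has since expired (`EXPKEYSIG`, checked against the signing time from `VALIDSIG` and the expiry time from `KEYEXPIRED`) from a genuinely bad signature (`BADSIG`) and from one that could not be checked at all. The sample status lines, the key ID, the fingerprint and the timestamps are constructed placeholders, not values from any real Debian archive.

```python
"""Classify GnuPG --status-fd output for a signature whose key may have expired.

Status-line formats follow GnuPG's doc/DETAILS:
  GOODSIG   <keyid> <userid>
  EXPKEYSIG <keyid> <userid>        good signature, but the key has expired
  BADSIG    <keyid> <userid>
  ERRSIG    <keyid> ...             signature could not be checked
  VALIDSIG  <fpr> <date> <sig-timestamp> <sig-expire> <ver> <rsv> <pk> <hash> <class> [<primary-fpr>]
  KEYEXPIRED <expire-timestamp>     seconds since epoch
"""
from dataclasses import dataclass
from typing import Iterable, Optional

PREFIX = "[GNUPG:] "

# Constructed sample: a file signed in December 2010 by a key that later
# expired in January 2014. Key ID, fingerprint and timestamps are placeholders.
SAMPLE_EXPIRED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 1390000000",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-12-05 1291500000 0 4 0 1 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
]

# Constructed sample: same expired key, but the signature timestamp lies after
# the key's expiry, so the key was not valid when the signature was made.
SAMPLE_SIGNED_AFTER_EXPIRY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 1390000000",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-03-01 1425168000 0 4 0 1 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
]

# Constructed sample: the data does not match the signature at all.
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>",
]


@dataclass
class SignatureReport:
    # "good": valid signature, key still valid
    # "historical": valid signature, key expired, but signed while key was valid
    # "rejected": key expired and signature was made after that expiry (or unknown)
    # "bad": signature does not verify
    # "unverifiable": no usable signature status seen
    outcome: str
    key_id: Optional[str] = None
    signed_at: Optional[int] = None        # seconds since epoch, from VALIDSIG
    key_expired_at: Optional[int] = None   # seconds since epoch, from KEYEXPIRED


def parse_status(lines: Iterable[str]) -> SignatureReport:
    """Reduce a stream of --status-fd lines to a single SignatureReport."""
    sig_kind = None
    key_id = None
    signed_at = None
    key_expired_at = None

    for raw in lines:
        if not raw.startswith(PREFIX):
            continue  # ignore anything that is not a status line
        fields = raw[len(PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]

        if tag in ("GOODSIG", "EXPKEYSIG", "BADSIG", "ERRSIG"):
            sig_kind = tag
            key_id = args[0] if args else None
        elif tag == "VALIDSIG" and len(args) >= 3:
            try:
                signed_at = int(args[2])
            except ValueError:
                signed_at = None  # newer gpg can emit ISO 8601 here; treat as unknown
        elif tag == "KEYEXPIRED" and args:
            try:
                key_expired_at = int(args[0])
            except ValueError:
                key_expired_at = None

    if sig_kind == "GOODSIG":
        outcome = "good"
    elif sig_kind == "BADSIG":
        outcome = "bad"
    elif sig_kind == "EXPKEYSIG":
        # Only accept as "historical" when we can prove the signature predates
        # the key's expiry; with either timestamp missing, fail closed.
        if signed_at is not None and key_expired_at is not None and signed_at < key_expired_at:
            outcome = "historical"
        else:
            outcome = "rejected"
    else:
        outcome = "unverifiable"

    return SignatureReport(outcome, key_id, signed_at, key_expired_at)


if __name__ == "__main__":
    for name, sample in [("expired key", SAMPLE_EXPIRED_KEY),
                         ("signed after expiry", SAMPLE_SIGNED_AFTER_EXPIRY),
                         ("bad signature", SAMPLE_BAD)]:
        print(f"{name:20s} -> {parse_status(sample)}")
```

The "historical" outcome is exactly the statement the message makes: the data was signed by a key that was valid at signing time, and nothing more. A real pipeline would feed this parser the output of `gpg --status-fd 1 --verify Release.gpg Release` and decide per policy whether "historical" is acceptable for an archived release; a re-signature by current maintainers, as suggested above, would instead produce a plain `GOODSIG`.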