>>>>> "T" == <to...@tuxteam.de> writes:

T> And just extending the keys' validity (as someone proposed in this
T> thread) seems a bad idea too, since the requirement for secure keys
T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.

The problem is that the point of a key's expiration time is that signatures newer than that should fail, but all signatures made before the expiration should verify. So, if apt's signature verification only looks at the key's expiration date and not at the signature's timestamp, that is a bug.

-JimC
-- 
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
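
The distinction drawn in the message above, as an added example that is not part of the original post and is not apt's or GnuPG's code: a clock-only expiry check beside one that judges the signature's own timestamp against the key's validity window. The `Key` type, both function names and all dates are hypothetical, and the cryptographic verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Key:
    created: datetime
    expires: Optional[datetime]  # None means the key never expires


def naive_check(key: Key, now: datetime) -> bool:
    """Clock-only check (the behaviour the post calls a bug):
    every signature fails once the key has expired, however old it is."""
    return key.expires is None or now < key.expires


def timestamp_aware_check(key: Key, sig_time: datetime, now: datetime) -> str:
    """Judge the signature against the key's validity at signing time."""
    if sig_time > now:
        return "reject: signature dated in the future"
    if sig_time < key.created:
        return "reject: signature predates the key"
    if key.expires is not None and sig_time >= key.expires:
        return "reject: signed after the key expired"
    return "accept"


# Constructed sample data: a key valid for 2020-2021, checked in mid-2023.
UTC = timezone.utc
KEY = Key(created=datetime(2020, 1, 1, tzinfo=UTC),
          expires=datetime(2022, 1, 1, tzinfo=UTC))
NOW = datetime(2023, 6, 1, tzinfo=UTC)
SIG_BEFORE_EXPIRY = datetime(2021, 6, 1, tzinfo=UTC)
SIG_AFTER_EXPIRY = datetime(2022, 6, 1, tzinfo=UTC)

if __name__ == "__main__":
    print("naive:", naive_check(KEY, NOW))
    for sig in (SIG_BEFORE_EXPIRY, SIG_AFTER_EXPIRY):
        print(sig.date(), "->", timestamp_aware_check(KEY, sig, NOW))
```

The signature timestamp is a value asserted by the signer, so this check separates old signatures from new ones only for a signer who dates them honestly.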