On Fri, Jun 22, 2018 at 11:48:00PM -0500, David Wright wrote:
> On Fri 22 Jun 2018 at 21:12:51 (+0200), to...@tuxteam.de wrote:

[...]

> Well, I attempted to supply that in
> https://lists.debian.org/debian-user/2018/06/msg00528.html
> but I have no idea whether that would be achievable in docker
> or not because the suggestion has had no follow-up.

I'm not the docker guy, and there are lots of "interesting" things around, so I won't be the one. But I'm curious too...

> BTW Reading your "Keys *have* to expire at some point, and you can't
> re-sign archived packages with a fresh key", it's not clear why the
> expired key can't be unexpired, ie given an expiration date in the
> future, if it's known to be still good.

Yes, you're right: a GPG key's validity can be extended with a new certificate (whether it's responsible to do is another thing, since available computing power grows, *and* there has been more time to hack at this key, its crypto, and for things to leak).

So practically speaking, still, keys have to expire at some point. The only way out would be for an archive declared immutable to set up an attestation service which signs (state-of-the-art) package hashes with (state-of-the-art) signing procedures and refreshes things periodically.

Debian hasn't decided to set that up, a thing I can understand.

Cheers
-- tomás