severity 1127116 normal
thanks

On Sun, Mar 29, 2026 at 05:57:56PM +0200, Marco d'Itri wrote:
> Control: tag -1 wontfix
> 
> On Feb 06, Santiago Vila <[email protected]> wrote:
> 
> > During a rebuild of all packages in unstable with the system clock set
> > at 2030-08-09 (estimated to be three years after the release date of forky),
> > this package failed to build.
> I checked with IANA: a new CA will be generated before the current one will
> expire in 2029, but it does not exist yet.
> The plan from now on is to roll the root KSK about every 3 years, so I will
> need to update the package at least in 2027.
> 
> https://blog.verisign.com/security/2024-2026-root-zone-ksk-rollover-initial-observations/
> https://www.icann.org/ru/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026

Thanks for this extra documentation.

I'm downgrading to normal to remind myself not to raise this bug to
serious (and as it happened in trixie, I request and will appreciate
that you allow me to keep it open for tracking purposes).

However, this does not explain what would be wrong with allowing the
package to be built after the expiry date in the spirit of
reproducible-builds, as the package could perfectly be built after
such date with minor changes to debian/rules.

We could say that currently we have both a runtime time-bomb and a
build-time time-bomb. Do they really have to be in sync? (My theory is
that we would be better with no build-time bomb at all; that would
certainly make my life easier regarding this effort.)

Thanks.
