On Mon, Apr 06, 2009 at 02:12:26AM +0200, Peter Palfrader wrote: > On Tue, 05 Aug 2008, Thijs Kinkhorst wrote: > > > On Tuesday 5 August 2008 20:24, martin f krafft wrote: > > > Sure, we wouldn't want to endanger our release schedule for feature > > > enhancements or Debian's reputation. ;| > > > > Or put differently, I'd rather spend our time on things that more > > significantly improve the security a of Debian system, and to be frank I > > think it's quite speculative that there's actual reputation risk here. > > So why the fuck do we ship apt keys with expiration dates anyway, if apt > happily ignores them? > > When I create a key and add that to apt's trusted-keys with an > expiration date of foo I fully expect it to not be trusted afterwards. > > But heck, I can even create new signatures made after the expiration > date and apt will happily accept any and all Release files signed by > that expired key. > > I was shocked when I realized this today, after reading this bug > report I'm dumbfounded that you even consider this acceptable!
Sorry for this. I'm looking through the code now and it seems like this caused by a misinterpretation of the gpg documentation for the GOODSIG vs VALIDSIG status mesages (and is in the code since day 1 of apt-secure :( I'm working on a patch now and would appreicate help with the testing/verification ones its ready. Thanks, Michael -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

