On 8 December 2023 18:56:00 CET, Simon Josefsson <si...@josefsson.org> wrote:
>
>I think that is unfortunate and not sustainable over time: you need to
>have access to the public keys to verify old signatures, and for as long
>as the old signatures are published we should make a public keyring for
>them easily available.  Which I suspect means essentially forever, due
>to archive.debian.org.

But certainly there are keyring packages on archive.d.o in the archived 
releases that hold the keys for the packages found within the resp. release?
(modulo the problem we are facing right now: missing keys of packages uploaded 
aeons before the resp. release).

I probably agree that it would be /nice/ (though I don't think: necessary) to 
have a keyring package in a given release that includes all keys that were used 
to bring the packages into that very release (that is: if a package was 
uploaded 10 years ago, the old key used to upload this package should be 
included somehow).

But I don't see why we would need to ship (in a current package) all keys that 
were ever used in the history of Debian, just because somebody might do some 
archeology in the archives.
mfh.her.fsr
IOhannes