Package: devscripts Version: 2.15.3 Severity: wishlist File: /usr/bin/chdist Tags: security
When creating a tree with chdist, it copies the keys from the debian-archive-keyring package. After a while the keys are recycled, but chdist still uses the old ones it copied ages ago and starts to fail suddenly after a stable release. Since debian-archive-keyring is almost essential (you must remove apt to get rid of it), it seems to make more sense to symlink those keyrings and have them updated when debian-archive-keyring updates. Furthermore, why does chdist copy the debian-archive-removed-keys.gpg? The purpose of that file is to get keys untrusted, but chdist makes apt trust them nonetheless. I question the utility of adding them. Helmut _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
