On Wed, Jan 9, 2019 at 2:38 PM gevisz <[email protected]> wrote:
>
> Wed, Jan 9, 2019 at 19:36, Rich Freeman <[email protected]>:
> >
> > On Wed, Jan 9, 2019 at 6:21 AM gevisz <[email protected]> wrote:
> > >
> > > On the other side, app-crypt/gkeys is marked by ~
> > > in my architecture (amd64). So, it is impossible
> > > to update the portage snapshot signing key without
> > > using non-recommended package.
> Ok, not app-crypt/gentoo-keys package but
> app-crypt/openpgp-keys-gentoo-release package.
>
> Does it matter?

Sure, because you brought up issues with unrelated packages, like
stable/unstable keywords, which aren't actually problems.

> After that I have found out that a new
> app-crypt/openpgp-keys-gentoo-release package
> was released on 2 January 2019 when the previous
> portage signing keys already expired.

You probably should have led with that. Seems like an actual issue.
Or at least lead with "I have this problem - what should I do?" and
not basically starting out by accusing everybody of not caring about
security.

Really, though, an expired key fails safe - it blocks updates and
doesn't cause you to install insecure ones. That is certainly how I'd
prefer that it behaves. Sure, it would be better if keys were updated
before they expire, but I tend to doubt that your email is going to do
much to fix that.

I don't use webrsync which is probably why I didn't personally notice
this issue - I'm guessing it uses a different key than git but I
haven't checked.

--
Rich

