Wed, 9 Jan 2019 at 22:17, Rich Freeman <ri...@gentoo.org>:
>
> On Wed, Jan 9, 2019 at 2:38 PM gevisz <gev...@gmail.com> wrote:
> >
> > Wed, 9 Jan 2019 at 19:36, Rich Freeman <ri...@gentoo.org>:
> > >
> > > On Wed, Jan 9, 2019 at 6:21 AM gevisz <gev...@gmail.com> wrote:
> > > >
> > > > On the other side, app-crypt/gkeys is marked by ~
> > > > in my architecture (amd64). So, it is impossible
> > > > to update the portage snapshot signing key without
> > > > using non-recommended package.
> >
> > Ok, not app-crypt/gentoo-keys package but
> > app-crypt/openpgp-keys-gentoo-release package.
> >
> > Does it matter?
>
> Sure, because you brought up issues with unrelated packages, like
> stable/unstable keywords, which aren't actually problems.
>
> > After that I have found out that a new
> > app-crypt/openpgp-keys-gentoo-release package
> > was released on 2 January 2019 when the previous
> > portage signing keys already expired.
>
> You probably should have led with that. Seems like an actual issue.
> Or at least lead with "I have this problem - what should I do?" and
> not basically starting out by accusing everybody of not caring about
> security.
>
> Really, though, an expired key fails safe - it blocks updates and
> doesn't cause you to install insecure ones. That is certainly how I'd
> prefer that it behaves. Sure, it would be better if keys were updated
> before they expire, but I tend to doubt that your email is going to do
> much to fix that.

I had an impression that you are a member of the Gentoo council.
Now I have checked this and found out that you are not. So, I should
agree with you that my e-mail probably will not do much to fix
the issue (especially the one with the bug). So, I should probably
send a similar e-mail to all Gentoo council members.

> I don't use webrsync which is probably why I didn't personally notice
> this issue - I'm guessing it uses a different key than git but I
> haven't checked.

Yes, they use different ways of verifying the snapshots.