openSUSE / open-build-service

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs
https://openbuildservice.org
GNU General Public License v2.0
935 stars 438 forks

extending a key should trigger a publish event #322

Open darix opened 11 years ago

darix commented 11 years ago

Otherwise the extended key might not be published for a very long time. This is especially important for sub-projects, as the maintainer might forget to trigger a build in those to force the publish.

adrianschroeter commented 11 years ago

A pure publish event may not be enough, since the publisher skips re-publishing if no binary has changed.

mlschroe commented 11 years ago

I don't understand this issue, as signatures done with a currently expired key are still considered ok, as long as the key was not expired when the signature was made.

darix commented 11 years ago

But the key file in the repository still has the old expiration date.

mlschroe commented 11 years ago

And how is that a problem?

darix commented 11 years ago

User wants to install a package from repos with an outdated key, e.g. http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/Debian_6.0/Release.key

Of course the package manager will and should warn him "key outdated". Having it republish the repos with the updated key file shouldn't cause much IO load and would solve that issue.

adrianschroeter commented 11 years ago

If only apt behaves that way, it is maybe enough to do that only for Debian-type repos?

mlschroe commented 11 years ago

The package manager should not warn about an outdated key, an outdated key is perfectly acceptable as long as the signatures were done when the key was not expired. That's how pgp/gpg works, somebody should fix apt.
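To make the point in this comment concrete (a signature is acceptable when it was made before the key's expiry, whatever the key's status is today), here is an added example that is not part of the open-build-service code base. It parses the binary OpenPGP packets of a public key (RFC 4880 layout: the primary-key packet and its self-signature's key-expiration subpacket), takes the expiry from the newest self-signature (which is how a key extension shows up in an updated Release.key), and decides whether a given signing time fell inside the key's validity window. The `build_sample_key` and `sample_armor` helpers construct a structurally valid but cryptographically meaningless key purely so the parser can be run offline; no real key material or signature verification is involved.

```python
"""Read OpenPGP key creation/expiry and judge a signing time (added example)."""
import base64
import struct

PUBKEY, SIG, UID = 6, 2, 13            # packet tags (RFC 4880 section 4.3)
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9  # signature subpacket types
CERT_SIG_TYPES = (0x10, 0x11, 0x12, 0x13)  # certification (self-sig) types
DAY = 86400


def iter_packets(data):
    """Yield (tag, body) for old- and new-format packet headers."""
    i = 0
    while i < len(data):
        b = data[i]
        if not b & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if b & 0x40:  # new format: tag in low 6 bits, variable-length length
            tag, l0 = b & 0x3F, data[i + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + data[i + 2] + 192, 3
            elif l0 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-type in low 2 bits
            tag, lt = (b >> 2) & 0x0F, b & 3
            if lt == 0:
                length, hdr = data[i + 1], 2
            elif lt == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif lt == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def iter_subpackets(buf):
    """Yield (type, data) for the subpackets of a v4 signature."""
    i = 0
    while i < len(buf):
        l0 = buf[i]
        if l0 < 192:
            length, hdr = l0, 1
        elif l0 < 255:
            length, hdr = ((l0 - 192) << 8) + buf[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", buf[i + 1:i + 5])[0], 5
        sub = buf[i + hdr:i + hdr + length]
        yield sub[0], sub[1:]
        i += hdr + length


def key_validity(data):
    """Return (created, expires) unix times of the primary key; expires=None if never.

    The expiry is taken from the newest certification self-signature, so a key
    whose expiry was extended reports the extended date.
    """
    created, expires, newest = None, None, -1
    for tag, body in iter_packets(data):
        if tag == PUBKEY and created is None:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled here")
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == SIG and created is not None and body[0] == 4 and body[1] in CERT_SIG_TYPES:
            hlen = struct.unpack(">H", body[4:6])[0]
            sig_time, sig_exp = 0, None
            for stype, sdata in iter_subpackets(body[6:6 + hlen]):
                if stype == SUB_SIG_CREATED:
                    sig_time = struct.unpack(">I", sdata)[0]
                elif stype == SUB_KEY_EXPIRES:  # seconds after key creation
                    sig_exp = created + struct.unpack(">I", sdata)[0]
            if sig_time >= newest:
                newest, expires = sig_time, sig_exp
    return created, expires


def signature_trustworthy(data, signed_at):
    """True if a signature made at `signed_at` falls inside the key's validity window."""
    created, expires = key_validity(data)
    return created <= signed_at and (expires is None or signed_at <= expires)


def dearmor(text):
    """Minimal ASCII-armor decoder for a Release.key-style file (CRC line ignored)."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    b64 = "".join(l.strip() for l in lines[start + 1:end]
                  if l.strip() and ": " not in l and not l.startswith("="))
    return base64.b64decode(b64)


# --- constructed sample key (no real crypto; only the packet structure is real) ---
SAMPLE_CREATED = 1_600_000_000  # 2020-09-13 UTC, constructed value


def _pkt(tag, body):  # old-format header with 1- or 2-byte length
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _sub(stype, data):
    return bytes([len(data) + 1, stype]) + data


def _mpi(nbytes):  # MPI whose value has exactly nbytes*8 bits
    return struct.pack(">H", nbytes * 8) + b"\xff" * nbytes


def build_sample_key(expiries):
    """One primary key plus one self-signature per entry; later entries are newer."""
    pub = _pkt(PUBKEY, b"\x04" + struct.pack(">I", SAMPLE_CREATED) + b"\x01" + _mpi(256) + _mpi(3))
    uid = _pkt(UID, b"OBS sample <sample@example.invalid>")
    sigs = b""
    for n, exp in enumerate(expiries):
        hashed = _sub(SUB_SIG_CREATED, struct.pack(">I", SAMPLE_CREATED + n * DAY))
        hashed += _sub(SUB_KEY_EXPIRES, struct.pack(">I", exp))
        body = b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
        body += b"\x00\x00" + b"\xab\xcd" + _mpi(256)  # no unhashed subs, hash prefix, MPI
        sigs += _pkt(SIG, body)
    return pub + uid + sigs


def sample_armor(expiries):
    b64 = base64.b64encode(build_sample_key(expiries)).decode()
    chunks = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + chunks + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

With the key as originally published (one year of validity) a package signed 400 days after key creation is rejected; after the extended self-signature is published, the same signing time is accepted, which is why an unpublished extension keeps clients on the stale view of the key.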

mckaygerhard commented 2 years ago

I guess the problem is related to #12333

darix commented 2 years ago

The package manager should not warn about an outdated key, an outdated key is perfectly acceptable as long as the signatures were done when the key was not expired. That's how pgp/gpg works, somebody should fix apt.

Well, the reality is ... it does warn ... so we should republish to make this whole process more user-friendly.

laf0rge commented 2 months ago

The package manager should not warn about an outdated key, an outdated key is perfectly acceptable as long as the signatures were done when the key was not expired. That's how pgp/gpg works, somebody should fix apt.

As this issue has been lingering for more than a decade, and is still happening with OBS + apt, I was wondering if you were aware of any bug reports filed against apt to try to get this fixed?

darix commented 1 month ago

@laf0rge after reading https://www.phoronix.com/news/Linux-Mint-APT-Captain-Aptkit

I wonder if apt doesn't have a general problem with moving forward.