
Re: distribution archives became unusable




On 06/03/2024 08:09, Harald Dunkel wrote:
Hi folks,

the repositories listed on https://www.debian.org/distrib/archive have
been signed using expired keys. Unfortunately this page doesn't deal
with this problem.

Do you think this could be improved?

No, I wouldn't have said so. The packages were signed with keys that were valid before they were archived. The archive then provides a bit-for-bit copy of what was in the repository at that point in time.

If the keys that signed the packages didn't have an expiry, then there'd be an opportunity for someone to update (and validly) sign packages retroactively.

The fact that the keys have expired should reassure you that the archive hasn't been tampered with.



Regards
Harri
