| 1 |
On Wed, Jan 9, 2019 at 2:38 PM gevisz <gevisz@×××××.com> wrote: |
| 2 |
> |
| 3 |
> ср, 9 янв. 2019 г. в 19:36, Rich Freeman <rich0@g.o>: |
| 4 |
> > |
| 5 |
> > On Wed, Jan 9, 2019 at 6:21 AM gevisz <gevisz@×××××.com> wrote: |
| 6 |
> > > |
| 7 |
> > > On the other side, app-crypt/gkeys is marked by ~ |
| 8 |
> > > in my architecture (amd64). So, it is impossible |
| 9 |
> > > to update the portage snapshot signing key without |
| 10 |
> > > using non-recommended package. |
| 11 |
> Ok, not app-crypt/gentoo-keys package but |
| 12 |
> app-crypt/openpgp-keys-gentoo-release package. |
| 13 |
> |
| 14 |
> Does it matter? |
| 15 |
|
| 16 |
Sure, because you brought up issues with unrelated packages, like |
| 17 |
stable/unstable keywords, which aren't actually problems. |
| 18 |
|
| 19 |
> After that I have found out that a new |
| 20 |
> app-crypt/openpgp-keys-gentoo-release package |
| 21 |
> was released on 2 January 2019 when the previous |
| 22 |
> portage signing keys already expired. |
| 23 |
|
| 24 |
You probably should have led with that. Seems like an actual issue. |
| 25 |
Or at least lead with "I have this problem - what should I do?" and |
| 26 |
not basically starting out by accusing everybody of not caring about |
| 27 |
security. |
| 28 |
|
| 29 |
Really, though, an expired key fails safe - it blocks updates and |
| 30 |
doesn't cause you to install insecure ones. That is certainly how I'd |
| 31 |
prefer that it behaves. Sure, it would be better if keys were updated |
| 32 |
before they expire, but I tend to doubt that your email is going to do |
| 33 |
much to fix that. |
| 34 |
|
| 35 |
I don't use webrsync which is probably why I didn't personally notice |
| 36 |
this issue - I'm guessing it uses a different key than git but I |
| 37 |
haven't checked. |
| 38 |
|
| 39 |
-- |
| 40 |
Rich |
Archives