
Re: Signature strength of .dsc



On Mon, Dec 04, 2023 at 11:07:38AM +0100, Simon Josefsson wrote:
> Judit Foglszinger <urbec@riseup.net> writes:
> >> > Dmitri, could you re-run the numbers with the debian-maintainer
> >> > keyring?
> >> 
> >> That is correct. I have updated the results now.  The 2,455 no
> >> public key has now become 1,238
> >
> > Another is the DN keyring.  Also I'd expect many keys to be found in
> > older versions of the keyring package/keyring repository and on
> > keyservers like keyserver.ubuntu.com
> 
> Removing old keys is usually a bad idea -- could these be moved to a
> "archived" keyring instead?  I assume having them in the "live"
> keyring is not possible if the presence of a key in that file is used
> to make authorization decisions.
> 
> You want to be able to verify old signatures in 20+ years too, and
> then you need to be able to find the corresponding public key.

For a long time we had a "removed" keyring, but we decided that we
didn't want to continue shipping a keyring that was explicitly a set of
keys we could not vouch for the trust of (whether that be because they
were revoked, lost, weak, or whatever). If you really want to find old
keys there is 15+ years of history in the keyring git repository, as
Judit mentioned:

https://salsa.debian.org/debian-keyring/keyring/


J.

-- 
Web [ Barndoors. Barndoors. Barndoors. Profile. Profile. VARILITE! ]
site: https:// [                                          ]      Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24
