[Mageia-dev] PGP keys and package signing

David W. Hodgins davidwhodgins at gmail.com
Mon Jan 31 21:41:34 CET 2011

On Mon, 31 Jan 2011 14:12:24 -0500, nicolas vigier <boklm at mars-attacks.org> wrote:

> So the only use of expiration date I see is to check that the key was
> updated from keyserver recently. Maybe we can set a short expiration
> time (15 days ?), and have something in cron to update it a few days
> before it expire ?

What about systems that are not connected to the internet?  I see no
point in having the key expire.  If a person chooses to install an
old version after the release has reached end of life, that is their
choice.  They shouldn't have to jump through hoops, just to get the
installer to run.

If a key gets compromised, it gets revoked, and the revocation certificate
gets distributed as an update, along with a new key.

Regards, Dave Hodgins

More information about the Mageia-dev mailing list