Vdsm source packages signed with an expired key?

Monday, 19 September 2016

Hi, on Vdsm packages downloaded from
http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ :

% gpg --verify vdsm-4.18.13.tar.gz.sig
gpg: assuming signed data in 'vdsm-4.18.13.tar.gz'
gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID FE590CB7
gpg: Good signature from "oVirt <infra(a)ovirt.org&gt;&quot; [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD  3469 AB8C 4F9D FE59 0CB7

% gpg --list-keys infra(a)ovirt.org
pub   2048R/FE590CB7 2014-03-30 [expired: 2016-04-02]
uid       [ expired] oVirt <infra(a)ovirt.org&gt;

Either I download fake packages signed with a cracked expired key, or
you sign the packages with an expired key.  Not good in any case.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011