If two auth certs are both old but were generated nearby in time, we keep both
In trusted_dirs_remove_old_certs() we check if
(cert_published + OLD_CERT_LIFETIME < newest_published)) {when deciding whether to discard an old cert from our cache.
We don't check it at all with respect to current time.
So if an authority generates a signing key in January, and then generates ten more signing keys within a week, and now it's April, we'll still keep all of them until they expire or until a new signing key shows up that's more than 7 days newer than them.
This cannot be the right logic.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information