On Wed, Mar 19, 2014 at 10:28:25AM +0100, Malthe Borch wrote:
> On 18 March 2014 17:29, Julian Andres Klode <jak@debian.org> wrote:
>
> > On Tue, Mar 18, 2014 at 01:48:27PM +0100, Malthe Borch wrote:
> > > The local computer time is encoded in the GPG signature:
> > >
> > > If you verify using ``gpg --verify``.
> > >
> > > gpg: Signature made Fri 14 Feb 2014 09:30:32 PM CET using RSA key ID B35FEC3C
> > >
> > > This was taken from the latest release of apt-cacher-ng [1].
> > >
> > > It's contingent on the release system's local time being accurate, but I
> > > bet it's at least accurate to the nearest day, and most likely to the
> > > minute or even second.
> > >
> > > [1] http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_0.7.25-1~bpo70+1.dsc
> >
> > We do not have the .dsc files locally, and we do not store the dates in the
> > indices we download.
>
> I see – but the system that generates these indices might first download
> and verify the .dsc files, extract the signature date and provide that as
> an additional metadata field in each package index section.

Or you do what everyone else with this use case does: local mirror (and for
prototyping snapshot.debian.org is probably handy) as you otherwise will soon
hit a problem:

The date in the dsc file is the date of the build/signature of this version,
not the date this version entered the release.

jessie will release with software built in 2014 as well as software last built
in 2010. No problem so far, right? Well, if you use jessie now and you pin it
like you proposed to a release of a weeks ago your chosen release will not
remain stable. Every time a package is unblocked and transitions from unstable
to testing you might have a new package in your release as the date can be in
the past, even if it has just entered in your view.

Or in other words: Pinning is a way of mixing and matching different releases,
not a way to manage the releases itself.

Best regards

David Kalnischkies
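Added example, not part of the thread or of apt: the time that `gpg --verify` reports above is the signature creation time stored inside the OpenPGP signature packet (RFC 4880), read here in Python from an armored block. The function names are this example's own and the sample packet is constructed; the value is whatever the signer's clock said at signing, and says nothing about when a version entered a suite.

```python
import base64
import struct
from datetime import datetime, timezone

def dearmor(text):
    """Return the binary packet data inside an armored PGP SIGNATURE block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # A line starting with "=" is the CRC-24 checksum, not signature data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def utc(raw):
    return datetime.fromtimestamp(struct.unpack(">I", raw)[0], tz=timezone.utc)

def signature_time(data):
    """Signer-asserted creation time of the leading signature packet (tag 2)."""
    tag = data[0]
    if tag & 0x40:                       # new-format header (partial lengths not handled)
        ptag = tag & 0x3F
        hdr = 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:                                # old-format header: length type in low 2 bits
        ptag, hdr = (tag >> 2) & 0x0F, 1 + (1, 2, 4, 0)[tag & 3]
    if not tag & 0x80 or ptag != 2:
        raise ValueError("first packet is not an OpenPGP signature")
    body = data[hdr:]
    if body[0] == 3:                     # v3: fixed field after version, length, type
        return utc(body[3:7])
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    pos, end = 6, 6 + struct.unpack(">H", body[4:6])[0]
    while pos < end:                     # walk the hashed subpackets
        n, pos = body[pos], pos + 1      # length covers the type octet plus data
        if 192 <= n < 255:
            n, pos = ((n - 192) << 8) + body[pos] + 192, pos + 1
        elif n == 255:
            n, pos = struct.unpack(">I", body[pos:pos + 4])[0], pos + 4
        if body[pos] & 0x7F == 2:        # subpacket type 2: signature creation time
            return utc(body[pos + 1:pos + 5])
        pos += n
    raise ValueError("no creation-time subpacket")

# Constructed sample, NOT the real apt-cacher-ng signature: hash bits, MPI and CRC
# are placeholders; only the time (09:30:32 PM CET = 20:30:32 UTC) is from the thread.
hashed = bytes([5, 2]) + struct.pack(">I", 1392409832)
sig = bytes([4, 1, 1, 2, 0, len(hashed)]) + hashed + bytes([0, 0, 0, 0, 0, 8, 255])
armor = base64.b64encode(bytes([0x88, len(sig)]) + sig).decode()
SAMPLE = f"-----BEGIN PGP SIGNATURE-----\n\n{armor}\n=AAAA\n-----END PGP SIGNATURE-----\n"
```

`signature_time(dearmor(text))` also accepts a whole clearsigned .dsc, since only the signature block is read; it performs no verification, so it is no substitute for `gpg --verify`.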