Re: A Look In the Mirror: Attacks on Package Managers
2010/6/6 Joey Hess <firstname.lastname@example.org>:
> Josselin Mouette wrote:
>> It does. If you don’t re-run “apt-get update”, the signature will be
>> considered invalid.
> joey@gnu:~/tmp/apt-0.7.26~exp5>grep -i Valid-Until -r .
> zsh: exit 2 grep -i Valid-Until -r .
> What'm I missing?
Nothing - or at least I didn't know about such a feature until now…
(Not impossible, but not very likely ;) )
A quick scan over the open bug reports also doesn't indicate that
it was requested so far.
Another quick look at non-official archives indicates also that it is
NOT commonly used (official Debian and security use it,
backports not, anyone else?) so this should be propagated more?
Third one: reprepro has a ValidFor option to generate this stanza,
what about the others? (apt-ftparchive obviously doesn't so far)
In regards to APT I will have a look later how to implement it,
hints regarding a good error message are welcomed
as I can currently only think about stuff like:
W: http://debian.example.org squeeze Release: The Validation date for
the archive has expired. (This can indicate an outdated mirror.)
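
The check discussed in this message, sketched as an added example (not part of the original mail and not APT's code): it reads the Valid-Until field of a Release file and produces the warning proposed above once that date has passed. The function names and the sample Release header are constructed for illustration, and the file's signature is assumed to have been verified already.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: squeeze
Date: Sat, 05 Jun 2010 08:00:00 UTC
Valid-Until: Sat, 12 Jun 2010 08:00:00 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""

def release_fields(text):
    """Return the single-line top-level fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":  # skip continuation lines (checksum lists)
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def check_valid_until(text, uri, suite, now=None):
    """Return (status, warning); status is ok, expired, unbounded or invalid."""
    now = now or datetime.now(timezone.utc)
    value = release_fields(text).get("valid-until")
    if value is None:
        return "unbounded", None  # archive sets no expiry, so a replay is undetectable
    try:
        expiry = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return "invalid", None  # unparsable date: caller should fail closed
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # assumption: dates are UTC
    if now > expiry:
        return "expired", (f"W: {uri} {suite} Release: The Validation date for "
                           "the archive has expired. (This can indicate an outdated mirror.)")
    return "ok", None
```

A correctly signed but old Release file replayed by a mirror passes signature verification; only the comparison against the local clock catches it, so the result also depends on that clock being right.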