
Bug#763419: apt ignoring check-valid-until flag



On Thu, 2020-12-17 at 00:47 +0100, John Paul Adrian Glaubitz wrote:
> On 12/17/20 12:36 AM, Paul Wise wrote:
> >  * snapshot could gain a re-signing service (#763419)
> 
> That would be absolutely awesome. Whom do I throw my money at?

It doesn't seem too complicated to implement and could be developed
independently of snapshot.d.o:

If any Release.gpg/InRelease file is requested:

- Retrieve the original Release+Release.gpg/InRelease files.
- If there is a valid signature from any previous archive key:
  - Generate new signature (Release.gpg/InRelease) and store it in 
    some cache.
    (Bonus points if this keeps the original signature if possible.)
  - Return the generated Release.gpg/InRelease.
- Otherwise:
  - Return some HTTP error? Or the unmodified Release.gpg/InRelease?

Any other files:

- Redirect to normal snapshot.d.o

Only some storage for recently-requested Release.gpg/InRelease files
would be needed.  The service could run independently of snapshot.d.o
and redirect most requests there.

Maybe the same could be done for archive.d.o?

I might be interested to experiment with this as it seems a reasonably
small project to implement. :-)

Ansgar
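
An added sketch of the request handling described in the message above; it is not code from the message's author or from snapshot.debian.org. The callables `fetch`, `verify_old` and `sign_new`, the `on_failure` switch and the cache are hypothetical, and keeping the original signature alongside the new one is not covered.

```python
import posixpath

UPSTREAM = "https://snapshot.debian.org"  # snapshot.d.o written out
SIGNED_NAMES = ("InRelease", "Release.gpg")


def handle(path, fetch, verify_old, sign_new, cache, on_failure="error"):
    """Answer one GET request with (status, headers, body).

    Assumed, caller-supplied callables (not a real library API):
      fetch(path) -> bytes              original file from upstream
      verify_old(data, sig) -> bytes or None
          verified Release text if a previous archive key signed it,
          else None; sig is None when data is a clearsigned InRelease
      sign_new(text, detached) -> bytes signed with the service key
    cache is any dict-like store for recently requested signature files.
    """
    name = posixpath.basename(path)
    if name not in SIGNED_NAMES:
        # "Any other files": hand the client back to the normal archive.
        return 302, {"Location": UPSTREAM + path}, b""
    if path in cache:
        return 200, {}, cache[path]

    original = fetch(path)  # InRelease, or the old detached Release.gpg
    if name == "InRelease":
        text = verify_old(original, None)
    else:
        release = fetch(posixpath.join(posixpath.dirname(path), "Release"))
        text = verify_old(release, original)

    if text is None:
        # The message leaves this case open; both options are selectable.
        if on_failure == "passthrough":
            return 200, {}, original
        return 502, {}, b"no valid signature from a previous archive key\n"

    # Sign only the bytes the verifier returned, never unverified input.
    fresh = sign_new(text, detached=(name == "Release.gpg"))
    cache[path] = fresh
    return 200, {}, fresh
```

Failing closed (`on_failure="error"`) keeps the service from vouching for, or silently relaying, a Release file that no previous archive key signed.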

