Bug#763419: apt ignoring check-valid-until flag
On Thu, 2020-12-17 at 00:47 +0100, John Paul Adrian Glaubitz wrote:
> On 12/17/20 12:36 AM, Paul Wise wrote:
> > * snapshot could gain a re-signing service (#763419)
> That would be absolutely awesome. Whom do I throw my money at?
It doesn't seem too complicated to implement and could be developed
independent from snapshot.d.o:
If any Release.gpg/InRelease file is requested:
- Retrieve the original Release+Release.gpg/InRelease files.
- If there is a valid signature from any previous archive key:
- Generate new signature (Release.gpg/InRelease) and store it in
(Bonus points if this keeps the original signature if possible.)
- Return the generated Release.gpg/InRelease.
- Return some HTTP error? Or the unmodified Release.gpg/InRelease?
Any other files:
- Redirect to normal snapshot.d.o
Only some storage for recently-requested Release.gpg/InRelease files
would be needed. The service could run independent from snapshot.d.o
and redirect most requests there.
Maybe the same could be done for archive.d.o?
I might be interested to experiment with this as it seems reasonably
small project to implement. :-)