
Bug#685215: Apt pinning is broken



The local computer time is encoded in the GPG signature, as shown if you verify using ``gpg --verify``:

    gpg: Signature made Fri 14 Feb 2014 09:30:32 PM CET using RSA key ID B35FEC3C

This was taken from the latest release of apt-cacher-ng [1].

It's contingent on the release system's local time being accurate, but I bet it's at least accurate to the nearest day, and most likely to the minute or even second.

[1] http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_0.7.25-1~bpo70+1.dsc


On 18 March 2014 13:34, Julian Andres Klode <jak@jak-linux.org> wrote:
On Tue, Mar 18, 2014 at 1:30 PM, Malthe Borch <mborch@gmail.com> wrote:
> How difficult would it be to implement a pinning policy that only allowed
> packages released up until some timestamp:
>
> -- /etc/apt/preferences --
>
> Explanation: I want a system current as of some date.
> Package: *
> Pin: release a=stable <= 2014-03-18T12:00:00Z
>
> This would be very useful in situations where you test out a staging system
> and want to upgrade a production system. In this case, you'd like to ensure
> that you only get the upgrades you have tested out in the staging
> environment.

Impossible. We do not know when the packages were released.

--
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.



--
---
Malthe Borch
mborch@gmail.com
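
The check proposed in the message above, as an added example that is not part of the original thread or of apt: it reads the signing time from the machine-readable lines that `gpg --status-fd 1 --verify` prints and compares it with the cutoff from the quoted preferences snippet. The fingerprint, the sample status lines and the function names are constructed for illustration; the time is the one shown in the post, and it is only as reliable as the signer's clock, so it is accepted only from a VALIDSIG line made by an allow-listed key.

```python
from datetime import datetime, timezone

def signature_time(status_output, trusted_fprs):
    """Return the signing time (UTC) from a VALIDSIG line made by a trusted
    key, or None when no such line exists (bad, missing or untrusted signature)."""
    for line in status_output.splitlines():
        fields = line.split()
        # [GNUPG:] VALIDSIG <fpr> <sig-date> <sig-timestamp> <expire-timestamp> ...
        if len(fields) < 5 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        if fields[2].upper() not in trusted_fprs:
            continue  # a valid signature from a key we do not trust proves nothing
        stamp = fields[4]
        if "T" in stamp:  # gpg can emit ISO 8601 instead of epoch seconds
            parsed = datetime.strptime(stamp, "%Y%m%dT%H%M%S")
            return parsed.replace(tzinfo=timezone.utc)
        return datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    return None

def allowed_by_cutoff(status_output, trusted_fprs, cutoff):
    """True only if a trusted signature exists and was made at or before cutoff."""
    when = signature_time(status_output, trusted_fprs)
    return when is not None and when <= cutoff

# Constructed sample data (placeholder fingerprint, not a real key).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# "Fri 14 Feb 2014 09:30:32 PM CET" from the post, expressed in UTC.
SIGNED_AT = datetime(2014, 2, 14, 20, 30, 32, tzinfo=timezone.utc)
SAMPLE = (
    f"[GNUPG:] GOODSIG {FPR[-16:]} Constructed Uploader <uploader@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2014-02-14 {int(SIGNED_AT.timestamp())} "
    f"0 4 0 1 8 01 {FPR}\n"
)
# Cutoff taken from the quoted preferences snippet.
CUTOFF = datetime(2014, 3, 18, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(signature_time(SAMPLE, {FPR}), allowed_by_cutoff(SAMPLE, {FPR}, CUTOFF))
```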
