
Bug#685215: Apt pinning is broken



On 18 March 2014 17:29, Julian Andres Klode <jak@debian.org> wrote:
> On Tue, Mar 18, 2014 at 01:48:27PM +0100, Malthe Borch wrote:
> > The local computer time is encoded in the GPG signature:
> >
> > If you verify using ``gpg --verify``.
> >
> >     gpg: Signature made Fri 14 Feb 2014 09:30:32 PM CET using RSA key ID B35FEC3C
> >
> > This was taken from the latest release of apt-cacher-ng [1].
> >
> > It's contingent on the release system's local time being accurate, but I
> > bet it's at least accurate to the nearest day, and most likely to the
> > minute or even second.
> >
> > [1] http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_0.7.25-1~bpo70+1.dsc
>
> We do not have the .dsc files locally, and we do not store the dates in the
> indices we download.

I see – but the system that generates these indices might first download and verify the .dsc files, extract the signature date and provide that as an additional metadata field in each package index section.
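
A sketch of the extraction step proposed above, added here as an example (it is not part of the original thread and is not apt or archive code): it reads the signer-asserted creation time from the hashed area of a v4 OpenPGP signature packet, which is the value `gpg --verify` prints. The function names are hypothetical, the sample packet is constructed, and the signature itself is assumed to have been verified separately, since this code only parses.

```python
import base64
from datetime import datetime, timezone

def dearmor(text):
    """Binary OpenPGP packet from the armored signature block of a clearsigned file."""
    block = text.split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    block = block.split("-----END PGP SIGNATURE-----", 1)[0]
    lines = [l.strip() for l in block.strip().splitlines()]
    if "" in lines:                      # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    # the line starting with "=" is the CRC-24 checksum, not packet data
    return base64.b64decode("".join(l for l in lines if not l.startswith("=")))

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:               # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                   # five-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]   # high bit of type is the critical flag
        i += n

def signature_creation_time(packet):
    """Signer-asserted creation time (UTC) of one v4 signature packet."""
    hdr = packet[0]
    if hdr & 0xC0 != 0x80 or hdr & 3 == 3:
        raise ValueError("only old-format, definite-length headers are handled")
    tag, nlen = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
    size = int.from_bytes(packet[1:1 + nlen], "big")
    body = packet[1 + nlen:1 + nlen + size]
    if tag != 2 or len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")
    # only the hashed area is covered by the signature; the unhashed area is ignored
    for typ, data in subpackets(body[6:6 + hashed_len]):
        if typ == 2 and len(data) == 4:
            return datetime.fromtimestamp(int.from_bytes(data, "big"), timezone.utc)
    raise ValueError("no creation-time subpacket in hashed area")

def constructed_packet(when):
    """Constructed sample: v4 packet with a dummy MPI, not a real signature."""
    hashed = bytes([5, 2]) + int(when.timestamp()).to_bytes(4, "big")
    body = (bytes([4, 1, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x01\x01")
    return bytes([0x88, len(body)]) + body
```

The timestamp sits inside the signed data, so it cannot be altered after signing, but it still reflects whatever the signing machine's clock said at the time.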
