
Bug#1123853: Allow repositories to be signed *slightly* in the future? Signature was created after the --not-after date.



Package: apt
Version: 3.1.12
Severity: normal

Hi,

In Debusine we have achieved pretty fast APT repository publishing to 
the point that we're seeing races between signing the repository and 
workers consuming the new InRelease data. [0]

[0]: https://salsa.debian.org/freexian-team/debusine/-/issues/1230

> Err:3 http://deb.debusine.debian.net/debian/r-stefanor-dh-python sid-dh-python InRelease
> Sub-process /usr/bin/sqv returned an error code (1), error message is: Signature by D966DAFFBD4394D369CFB892DE78184209E0E98A was created after the --not-after date.

Obviously some NTP action can help out there, but time synchronization 
is one of those things that's hard to get perfect in distributed 
systems.

How about having APT accept repositories that are signed *slightly* in 
the future? 30 seconds, say? 5 minutes? I don't see any security risk 
with either of those options, and they would make APT more resilient to 
failed time synchronisation. sqv accepts an explicit --not-after date 
instead of NOW. apt could specify one.

For Debusine's case, we obviously can't wait for APT to fix this in all 
historical releases. So we'll have to improve our NTP setup, and 
maybe do some hacks to sign our repositories a little in the past. Or 
intentionally delay publication by a few seconds.

Stefano

