* Daniel Kahn Gillmor <d...@fifthhorseman.net> [110121 06:30]:
> Some repositories have a policy that they will make updates on a
> regular basis (or that they will at least refresh the signatures on
> the same static list of packages regularly).
>
> It would be nice for the maintainers of those archives to be able to
> state that their archive signatures have an expiration date.
>
> Having an expiration date on an archive signature provides a quick way
> for users to know that their mirror is out of date, and it prevents
> the possibility of a version rollback (by replay of old metadata) by
> an attacker in control of the network.
Do you know the "ValidFor" option? That will create a Valid-Until header
in the generated Release file, so that apt might no longer accept it
after that time.

> A configuration option that passes its value through to gpg's
> --default-sig-expire argument would be great. An admin with a policy
> to refresh the archive at least once every two weeks could do
> something like:
>
> echo 'archive-sig-expire 2w' >> conf/options
>
> I think this would be currently doable (as a workaround) by archive
> administrators willing to modify ~/.gnupg/gpg.conf, or to use an
> alternate $GNUPGHOME for their reprepro invocations, but it would be
> good to expose it as an explicit option.

Do you by chance know a way to make libgpgme pass this option? I did
not find anything in a quick glance over its documentation.

Bernhard R. Link
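The Valid-Until check that the reply relies on, shown on a constructed Release file as an added example. This is not code from the thread, from reprepro or from apt; it only mirrors the field format apt reads (RFC 2822 dates, a "Valid-Until:" line in the signed Release body) so the rollback argument can be exercised: a replayed old Release file is accepted while its Valid-Until is in the future and rejected once that time has passed. The Release text, the two-week interval and the hash line are all made up for the example; "ValidFor"-style generation is sketched only as Date plus interval, not as reprepro's actual implementation.

```python
"""Added example (not part of the thread, reprepro or apt): parse a Release
file and apply a Valid-Until check of the kind apt performs.
"""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed Release file for the example (values are invented; the SHA256
# line is the digest of an empty Packages file, used as a placeholder).
RELEASE_CURRENT = """Origin: Example
Suite: stable
Codename: squeeze
Date: Fri, 21 Jan 2011 06:30:00 UTC
Valid-Until: Fri, 04 Feb 2011 06:30:00 UTC
Architectures: amd64
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Same file without Valid-Until: a replayed copy of it never expires.
RELEASE_NO_EXPIRY = "\n".join(
    line for line in RELEASE_CURRENT.splitlines()
    if not line.startswith("Valid-Until:")
) + "\n"


def parse_release(text: str) -> dict:
    """Collect the simple 'Field: value' lines of a Release file.

    Indented continuation lines (the per-file hash lists under MD5Sum /
    SHA256) are skipped; they are not needed for the expiry check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value: str) -> datetime:
    """Parse an RFC 2822 date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_valid_until(fields: dict, now: datetime) -> str:
    """Return 'ok', 'expired', or 'no-expiry' when the archive sets no limit.

    'no-expiry' is the case the thread is about: without Valid-Until a
    network attacker can keep serving an old, correctly signed Release.
    """
    value = fields.get("Valid-Until")
    if value is None:
        return "no-expiry"
    return "expired" if now > parse_date(value) else "ok"


def valid_until_from(date_value: str, valid_for: timedelta) -> str:
    """Illustrative only: what a ValidFor-style option has to emit, i.e.
    the Release Date plus the interval, in the same RFC 2822 form.
    (Rendered with a GMT suffix; apt accepts UTC and GMT alike.)"""
    return format_datetime(parse_date(date_value) + valid_for, usegmt=True)


if __name__ == "__main__":
    fields = parse_release(RELEASE_CURRENT)
    for day in (28, 10):
        now = datetime(2011, 1 if day == 28 else 2, day, tzinfo=timezone.utc)
        print(now.date(), check_valid_until(fields, now))
    print("generated:", valid_until_from(fields["Date"], timedelta(weeks=2)))
```

Note the layering: Valid-Until lives inside the signed Release body, so apt can reject a stale file even though its signature still verifies, whereas a gpg --default-sig-expire expiry lives in the OpenPGP signature packet and is enforced by gpgv before apt ever reads the fields. The two are independent, which is why the thread treats them as separate options.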