* Daniel Kahn Gillmor <d...@fifthhorseman.net> [110121 06:30]:
> Some repositories have a policy that they will make updates on a
> regular basis (or that they will at least refresh the signatures on
> the same static list of packages regularly).
>
> It would be nice for the maintainers of those archives to be able to
> state that their archive signatures have an expiration date.
>
> Having an expiration date on an archive signature provides a quick way
> for users to know that their mirror is out of date, and it prevents
> the possibility of a version rollback (by replay of old metadata) by
> an attacker in control of the network.

Do you know the "ValidFor" option? That will create a Valid-Until header
in the generated Release file, so that apt might no longer accept it
after that time.

> A configuration option that passes its value through to gpg's
> --default-sig-expire argument would be great.  An admin with a policy
> to refresh the archive at least once every two weeks could do
> something like:
>
>   echo 'archive-sig-expire 2w' >> conf/options
>
> I think this would be currently doable (as a workaround) by archive
> administrators willing to modify ~/.gnupg/gpg.conf, or to use an
> alternate $GNUPGHOME for their reprepro invocations, but it would be
> good to expose it as an explicit option.

You don't by any chance know a way to make libgpgme pass this option?
I did not find anything in a quick glance over its documentation.

        Bernhard R. Link



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
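As an added illustration, not code from this thread, from reprepro or from apt, the following Python script models what the Valid-Until header that reprepro's ValidFor option writes into the Release file means on the client side: a Release file past its Valid-Until is rejected, and a policy flag can also reject a Release that carries no Valid-Until at all. It goes one step beyond the thread by adding a last-accepted-Date check, which is the other half of the replay defence dkg describes (an older but still-unexpired Release served by a network attacker). The sample Release texts are constructed, and all function names (`parse_release_headers`, `check_release_freshness`, `demo`) are mine.

```python
"""Freshness checks for a Debian-style Release file.

Hypothetical example code (not reprepro's or apt's own implementation).
It models the client-side consequence of the Valid-Until header that
reprepro's ValidFor option emits, plus a last-seen-Date check against
replay of older, still-unexpired metadata.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_release_headers(text):
    """Return the single-line 'Key: value' fields of a Release file.

    Continuation lines (the indented hash entries under MD5Sum/SHA256)
    are skipped; only the header fields matter for the freshness checks.
    """
    headers = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return headers


def parse_release_date(value):
    """Parse the RFC 2822-style date used in Release files, e.g.
    'Sat, 22 Jan 2011 10:30:00 UTC', as a timezone-aware datetime."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:            # defensive: treat a naive result as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_release_freshness(text, now, last_accepted_date=None,
                            require_valid_until=False):
    """Decide whether a Release file may be accepted at time `now`.

    Returns (accepted, reason). Rejection cases:
      - Valid-Until is in the past (stale mirror or expired signature),
      - Valid-Until is absent but local policy requires one,
      - Date is older than the last Release we accepted (replay/rollback).
    """
    headers = parse_release_headers(text)
    if "Date" not in headers:
        return False, "missing Date header"
    date = parse_release_date(headers["Date"])

    if "Valid-Until" in headers:
        valid_until = parse_release_date(headers["Valid-Until"])
        if now > valid_until:
            return False, "expired: Valid-Until %s" % headers["Valid-Until"]
    elif require_valid_until:
        return False, "missing Valid-Until header"

    if last_accepted_date is not None and date < last_accepted_date:
        return False, ("rollback: Date %s is older than last accepted Release"
                       % headers["Date"])
    return True, "ok"


# Constructed sample, not a real archive's Release file.
SAMPLE_RELEASE = """\
Origin: example
Label: example
Suite: stable
Codename: squeeze
Date: Sat, 22 Jan 2011 10:30:00 UTC
Valid-Until: Sat, 05 Feb 2011 10:30:00 UTC
Architectures: amd64
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Constructed older snapshot of the same archive, carrying no Valid-Until.
OLD_RELEASE_NO_EXPIRY = """\
Origin: example
Suite: stable
Date: Wed, 01 Dec 2010 10:30:00 UTC
Architectures: amd64
Components: main
"""


def demo():
    """Run the scenarios and return their (accepted, reason) results."""
    fresh = datetime(2011, 1, 30, tzinfo=timezone.utc)
    late = datetime(2011, 2, 10, tzinfo=timezone.utc)
    last_seen = parse_release_date("Sat, 22 Jan 2011 10:30:00 UTC")
    return {
        "within_validity": check_release_freshness(SAMPLE_RELEASE, fresh),
        "past_valid_until": check_release_freshness(SAMPLE_RELEASE, late),
        "replayed_old_metadata": check_release_freshness(
            OLD_RELEASE_NO_EXPIRY, fresh, last_accepted_date=last_seen),
        "policy_requires_expiry": check_release_freshness(
            OLD_RELEASE_NO_EXPIRY, fresh, require_valid_until=True),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-24s %s (%s)" % (name, "accept" if ok else "REJECT", reason))
```

Note the division of labour the two checks imply: Valid-Until bounds how long a captured Release stays replayable, so it has to be shorter than the archive's refresh interval, while the last-accepted-Date check closes the remaining window for a Release that is older than what the client has already seen but not yet expired.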