Re: APT Date verification
On Thu, Feb 08, 2018 at 03:07:54PM +0100, Julian Andres Klode wrote:
> Hey guys,
>
> APT will shortly start validating that the Date field in a release
> file is not (too far) in the future. This might have implications
> for installing on devices with an inaccurate clock, as they might
> now fail.
>
> There are two primary workarounds:
>
> * Set Acquire::Check-Date to false
> * Set check-date sources.list option to false
>
> It's a bit unclear if this only affects validation of the Date field,
> or also turns off Validation of the Valid-Until field (as a generic "turn
> off all date-related checks" option). Opinions on that?

I think I forgot to follow up, but we enabled this feature in beta1 on
Feb 26, which entered testing on Mar 03.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Re: APT Date verification
On Thu, Feb 08, 2018 at 09:05:50PM +0100, Philip Hands wrote:
> On Thu, 08 Feb 2018, Julian Andres Klode wrote:
> > Hey guys,
> >
> > APT will shortly start validating that the Date field in a release
> > file is not (too far) in the future. This might have implications
> > for installing on devices with an inaccurate clock, as they might
> > now fail.
> >
> > There are two primary workarounds:
> >
> > * Set Acquire::Check-Date to false
> > * Set check-date sources.list option to false
>
> It is probably worth checking the system's current time to see if it is
> before the date that apt was built (or rather apt's SOURCE_DATE_EPOCH)
> and/or the date that the medium that is being booted was built (if
> that's available) or similar, to check if we're living in the past.

relevant IRC quote:

Of course, we can also only enable that feature if the current time is
beyond the APT release time. (the source epoch thingy) "Your clock is too
far beyond, disabling verification of release file dates" eek

>
> If that's the case, these errors about future signatures are really not
> worth reporting.
>
> It might also be good to then try hard to get sensible time somehow, but
> that's not apt's problem to solve. Perhaps the right thing to do in d-i
> is to check for being in the past, try to find a decent time source, and
> if that fails then set a flag that could be used to decide to disable
> the check when we come to running apt.

AFAIUI, d-i tries very early to get time via ntp. If it fails, it should
probably write a file and then set the check-date option to false.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Re: APT Date verification
On Thu, 08 Feb 2018, Julian Andres Klode wrote:
> Hey guys,
>
> APT will shortly start validating that the Date field in a release
> file is not (too far) in the future. This might have implications
> for installing on devices with an inaccurate clock, as they might
> now fail.
>
> There are two primary workarounds:
>
> * Set Acquire::Check-Date to false
> * Set check-date sources.list option to false

It is probably worth checking the system's current time to see if it is
before the date that apt was built (or rather apt's SOURCE_DATE_EPOCH)
and/or the date that the medium that is being booted was built (if
that's available) or similar, to check if we're living in the past.

If that's the case, these errors about future signatures are really not
worth reporting.

It might also be good to then try hard to get sensible time somehow, but
that's not apt's problem to solve. Perhaps the right thing to do in d-i
is to check for being in the past, try to find a decent time source, and
if that fails then set a flag that could be used to decide to disable
the check when we come to running apt.

Cheers, Phil.

-- 
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Re: APT Date verification
On Thu, Feb 08, 2018 at 03:25:16PM +, Holger Levsen wrote:
> On Thu, Feb 08, 2018 at 03:07:54PM +0100, Julian Andres Klode wrote:
> > It's a bit unclear if this only affects validation of the Date field,
> > or also turns off Validation of the Valid-Until field (as a generic "turn
> > off all date-related checks" option). Opinions on that?
>
> there definitely should be an option to completely turn off all date
> related checks, while still checking the signatures.
>
> usecase: rebuilds in the (far) future.

The question more is whether Check-Date=false should only disable
Checks on the "Date" field or not. DonKult said it makes more sense
to have it be a one stop that also sets Check-Valid-Until=false (and
that's implemented in my branch).

So basically you either have to set just Check-Date=false or you have to
set both of them. In either case, you'll have option(s) to disable date
checking :D

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Re: APT Date verification
On Thu, Feb 08, 2018 at 03:07:54PM +0100, Julian Andres Klode wrote:
> It's a bit unclear if this only affects validation of the Date field,
> or also turns off Validation of the Valid-Until field (as a generic "turn
> off all date-related checks" option). Opinions on that?

there definitely should be an option to completely turn off all date
related checks, while still checking the signatures.

usecase: rebuilds in the (far) future.

-- 
cheers,
Holger
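
A model of the date checks discussed in this thread, as an added example that is not APT's code and not written by any of the posters. It shows the "one stop" behaviour where turning off the Date check also turns off the Valid-Until check, plus the clock-in-the-past heuristic; the function names, the sample Release header and the 10-second tolerance are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Release header for illustration; not taken from a real archive.
SAMPLE_RELEASE = """\
Origin: Example
Suite: testing
Date: Sat, 03 Mar 2018 08:00:00 UTC
Valid-Until: Sat, 10 Mar 2018 08:00:00 UTC
"""

def parse_fields(text):
    """Parse top-level 'Key: value' lines, skipping indented continuation lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line[0].isspace():
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_release_dates(text, now, check_date=True, check_valid_until=True,
                        max_future=timedelta(seconds=10)):  # tolerance is assumed
    """Return the date problems found; signature checking is out of scope here."""
    if not check_date:
        # One-stop behaviour described in the thread: Check-Date=false
        # also switches off the Valid-Until check.
        check_valid_until = False
    fields = parse_fields(text)
    problems = []
    if check_date and "Date" in fields:
        if parse_date(fields["Date"]) > now + max_future:
            problems.append("Date is in the future")
    if check_valid_until and "Valid-Until" in fields:
        if parse_date(fields["Valid-Until"]) < now:
            problems.append("Valid-Until has passed")
    return problems

def clock_in_the_past(now, build_time):
    """Heuristic from the thread: a clock earlier than the build time of the
    tool or boot medium cannot be right."""
    return now < build_time
```

With both checks off, a validly signed but outdated Release file passes this model, so the switch is best scoped to the cases named in the thread (a known-bad clock, rebuilds in the far future) rather than set globally.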