On 28.10.2017 05:27, M. J. Everitt wrote:
> On 28/10/17 03:41, Dean Stephens wrote:
>> On 10/27/17 17:48, Hanno Böck wrote:
>>> Should a package manager reject a sync if it is too old? or not install
>>> packages if a sync hasn't happened for some time? What is considered
>>> "outdated"? I think that should be clarified how exactly it's supposed
>>> to work.
>>>
>> If such a rejection is to be the default, an override option should be
>> required as part of the spec. There are use cases where using an "old"
>> repository would be necessary, even if only temporarily.
>>
> I_KNOW_WHAT_I_AM_DOING=1
>
> :]
|
That is already reserved for disabling the signature checks :P

I would suggest --max-repository-age-days=<value> with <value>
defaulting to as many days as the maximum update interval of the
repository + 1.

But then the repository actually has to be newly signed at least once
each <value> days to prevent users from getting false positive replay
attack detection errors breaking their update process...
|
--
Allan Wegan
<http://www.allanwegan.de/>
Jabber: allanwegan@××××××.net
OTR-Fingerprint: E4DCAA40 4859428E B3912896 F2498604 8CAA126F
Jabber: allanwegan@××××××××××.de
OTR-Fingerprint: A1AAA1B9 C067F988 4A424D33 98343469 29164587
ICQ: 209459114
OTR-Fingerprint: 71DE5B5E 67D6D758 A93BF1CE 7DA06625 205AC6EC
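
The age check proposed in the message above, sketched as an added example that is not part of the original mail or of any package manager's code. The function names, the `allow_stale` override and the five-minute clock-skew tolerance are assumptions, and the signing time is assumed to come from metadata whose signature has already been verified.

```python
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift


def default_max_age_days(update_interval_days):
    """Default from the message: maximum update interval of the repository + 1."""
    return update_interval_days + 1


def check_sync(signed_at, now, max_age_days, allow_stale=False):
    """Classify a verified snapshot by the timestamp covered by its signature.

    Returns 'fresh', 'stale-overridden', 'rejected-stale' or 'rejected-future'.
    """
    if signed_at - now > CLOCK_SKEW:
        # A signing time ahead of the local clock means a wrong clock or bad
        # metadata; the age cannot be judged, so the override does not apply
        # (a design choice of this sketch).
        return "rejected-future"
    if now - signed_at <= timedelta(days=max_age_days):
        return "fresh"
    return "stale-overridden" if allow_stale else "rejected-stale"


def first_rejection_day(signed_at, max_age_days):
    """First whole day after signing on which a client starts rejecting."""
    day = 0
    while check_sync(signed_at, signed_at + timedelta(days=day), max_age_days) == "fresh":
        day += 1
    return day


if __name__ == "__main__":
    # Constructed sample: repository re-signed daily, last signature 2017-10-20.
    signed = datetime(2017, 10, 20, 12, 0, tzinfo=timezone.utc)
    limit = default_max_age_days(1)  # 2 days
    for days_later in (1, 2, 3):
        print(days_later, check_sync(signed, signed + timedelta(days=days_later), limit))
    print("rejects from day", first_rejection_day(signed, limit))
    print(check_sync(signed, signed + timedelta(days=30), limit, allow_stale=True))
```

A replayed snapshot and a repository whose signing job has stopped both produce `rejected-stale`, which is the false positive the message warns about when the repository is not re-signed within the limit.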