| 1 |
On 28.10.2017 05:27, M. J. Everitt wrote: |
| 2 |
> On 28/10/17 03:41, Dean Stephens wrote: |
| 3 |
>> On 10/27/17 17:48, Hanno Böck wrote: |
| 4 |
>>> Should a package manager reject a sync if it is too old? or not install |
| 5 |
>>> packages if a sync hasn't happened for some time? What is considered |
| 6 |
>>> "outdated"? I think that should be clarified how exactly it's supposed |
| 7 |
>>> to work. |
| 8 |
>>> |
| 9 |
>> If such a rejection is to be the default, an override option should be |
| 10 |
>> required as part of the spec. There are use cases where using an "old" |
| 11 |
>> repository would be necessary, even if only temporarily. |
| 12 |
>> |
| 13 |
> I_KNOW_WHAT_I_AM_DOING=1 |
| 14 |
> |
| 15 |
> :] |
| 16 |
|
| 17 |
That is already reserved for disabling the signature checks :P |
| 18 |
|
| 19 |
I would suggest --max-repository-age-days=<value> with <value> |
| 20 |
defaulting to as much days as the maximum update intervall of the |
| 21 |
repository + 1. |
| 22 |
|
| 23 |
But then the repository actually has to be newly signed at least once |
| 24 |
each <value> days to prevent users from getting false positive replay |
| 25 |
attack detection errors breaking their update process... |
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
-- |
| 30 |
Allan Wegan |
| 31 |
<http://www.allanwegan.de/> |
| 32 |
Jabber: allanwegan@××××××.net |
| 33 |
OTR-Fingerprint: E4DCAA40 4859428E B3912896 F2498604 8CAA126F |
| 34 |
Jabber: allanwegan@××××××××××.de |
| 35 |
OTR-Fingerprint: A1AAA1B9 C067F988 4A424D33 98343469 29164587 |
| 36 |
ICQ: 209459114 |
| 37 |
OTR-Fingerprint: 71DE5B5E 67D6D758 A93BF1CE 7DA06625 205AC6EC |
Archives