Package: apt
Severity: important
thanks

apt appears to consider Valid-Until without proper timezone support.

From a Release file:

| Date: Thu, 31 Mar 2016 19:16:26 -0400
| Valid-Until: Thu, 31 Mar 2016 19:16:27 -0400
                                      ^ 1s expiry

I checked this three seconds (literally, heh) after signing it, and ran apt-get update. I was surprised to see the following:

| E: Release file for http://localhost/infra/dists/unstable/InRelease is expired
| (invalid since 4h 0min 2s). Updates for this repository will not be applied.

4 hours! At the time of writing the wall clock says:

| Thu Mar 31 19:19:53 EDT 2016

(where EDT is -0400)

So, not four hours! I strongly suspected that apt did this correctly, and that this was purely cosmetic, so I checked, I set a Valid-Until to 1h, and got:

| E: Release file for http://localhost/infra/dists/unstable/InRelease is
| expired (invalid since 3h 0min 3s). Updates for this repository will not
| be applied.

But it's still valid! Just for clarity:

| (debian)[paultag@cassiel:~/tmp][⌚ 07:21 PM] ♥ cat infra/dists/unstable/InRelease | grep Valid-Until
| Valid-Until: Thu, 31 Mar 2016 20:20:54 -0400
| (debian)[paultag@cassiel:~/tmp][⌚ 07:21 PM] ♥ date
| Thu Mar 31 19:21:53 EDT 2016

In the case where our machines are often in UTC, this might not actually hit Debian all that hard, but it could be an issue if someone in Baker Island's -12:00 timezone was being attacked by keeping a view of the archive stale for a day, for their target over in New Zealand's +13:45 timezone.

Anyway, enough trouble for me tonight. Thanks for working on apt.

Cheers,
  Paul
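The durations quoted in the report can be reproduced with a short script. This is an added example, not part of the original report and not apt's code: `expiry_offset_ignored` is a hypothetical parser that reads the wall-clock fields of Valid-Until and treats them as UTC, and the two "now" timestamps are constructed to line up with the error messages above.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate, parsedate_to_datetime

def expiry_correct(valid_until):
    """Parse the RFC 1123 date and honour its numeric offset."""
    return parsedate_to_datetime(valid_until).astimezone(timezone.utc)

def expiry_offset_ignored(valid_until):
    """Hypothetical faulty parser (assumption, not apt's code): keep the
    wall-clock fields, drop the -0400 offset, and call the result UTC."""
    y, mo, d, h, mi, s = parsedate(valid_until)[:6]
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def invalid_since(expiry, now):
    """Return how long the file has been expired, or None if still valid."""
    delta = now - expiry
    return delta if delta > timedelta(0) else None

def fmt(delta):
    """Format a timedelta the way the error message in the report does."""
    total = int(delta.total_seconds())
    h, rem = divmod(total, 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m}min {s}s"

# Valid-Until values are taken from the report; the "now" values are constructed.
EDT = timezone(timedelta(hours=-4))
CASES = [
    ("Thu, 31 Mar 2016 19:16:27 -0400", datetime(2016, 3, 31, 19, 16, 29, tzinfo=EDT)),
    ("Thu, 31 Mar 2016 20:20:54 -0400", datetime(2016, 3, 31, 19, 20, 57, tzinfo=EDT)),
]

def describe(valid_until, now):
    """Compare both parsers for one Valid-Until value at a given instant."""
    good = invalid_since(expiry_correct(valid_until), now)
    bad = invalid_since(expiry_offset_ignored(valid_until), now)
    return (fmt(good) if good else "valid", fmt(bad) if bad else "valid")

if __name__ == "__main__":
    for valid_until, now in CASES:
        good, bad = describe(valid_until, now)
        print(f"{valid_until}: offset honoured -> {good}; offset ignored -> {bad}")
```

The error has the size of the signer's UTC offset, and its sign depends on which side of UTC the signer is on: in this model a negative offset makes the file expire early, while a positive offset makes an expired file look valid for that many hours.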