Package: apt
Version: 3.1.12
Severity: normal

Hi,
In Debusine we have achieved pretty fast APT repository publishing, to the point that we're seeing races between signing the repository and workers consuming the new InRelease data. [0]

[0]: https://salsa.debian.org/freexian-team/debusine/-/issues/1230

> Err:3 http://deb.debusine.debian.net/debian/r-stefanor-dh-python
> sid-dh-python InRelease
> Sub-process /usr/bin/sqv returned an error code (1), error message is:
> Signature by D966DAFFBD4394D369CFB892DE78184209E0E98A was created after the
> --not-after date.

Obviously some NTP action can help out there, but time synchronization is one of those things that's hard to get perfect in distributed systems.

How about having APT accept repositories that are signed *slightly* in the future? 30 seconds, say? 5 minutes? I don't see any security risk with either of those options, and they would make APT more resilient to failed time synchronisation.

sqv accepts an explicit --not-after date instead of NOW. apt could specify one.

For Debusine's case, we obviously can't wait for APT to fix this in all historical releases. So we'll have to improve our NTP setup, and maybe do some hacks to sign our repositories a little in the past. Or intentionally delay publication by a few seconds.

Stefano
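The skew-tolerant sqv invocation the report proposes, as an added example that is not code from apt, sqv or Debusine. It assumes sqv's --keyring option and the --not-after option named above, with ISO 8601 UTC timestamps; the keyring path, file names, timestamps and tolerance values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format passed to sqv --not-after (assumed ISO 8601 UTC).
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def not_after(now_utc: str, tolerance_seconds: int) -> str:
    """Cutoff for sqv --not-after: the verifying host's clock plus a tolerance.

    The tolerance also widens the window in which a signature carrying a
    forward-dated creation time is accepted, so it should stay small (tens
    of seconds to a few minutes), as the report suggests.
    """
    now = datetime.strptime(now_utc, ISO_UTC).replace(tzinfo=timezone.utc)
    return (now + timedelta(seconds=tolerance_seconds)).strftime(ISO_UTC)


def sqv_argv(keyring: str, signature: str, data: str,
             now_utc: str, tolerance_seconds: int) -> list[str]:
    """Argument vector apt could hand to sqv instead of letting it default to NOW.

    apt splits a clearsigned InRelease into a detached signature and the signed
    data before calling the verifier, hence the two file arguments.
    """
    return ["sqv", "--keyring", keyring,
            "--not-after", not_after(now_utc, tolerance_seconds),
            signature, data]


def created_within_cutoff(created_utc: str, now_utc: str,
                          tolerance_seconds: int) -> bool:
    """The check behind the quoted error, modelled so the race can be run offline:
    a signature is rejected only if its creation time is after the cutoff."""
    created = datetime.strptime(created_utc, ISO_UTC).replace(tzinfo=timezone.utc)
    cutoff = datetime.strptime(not_after(now_utc, tolerance_seconds), ISO_UTC)
    return created <= cutoff.replace(tzinfo=timezone.utc)


def debusine_race(clock_lag_seconds: int, tolerance_seconds: int) -> bool:
    """Reproduce the report's race: the repository is signed at the signer's
    'now' and a worker whose clock lags by clock_lag_seconds verifies it at
    once. Timestamps are constructed for the example."""
    signed_at = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    worker_now = signed_at - timedelta(seconds=clock_lag_seconds)
    return created_within_cutoff(signed_at.strftime(ISO_UTC),
                                 worker_now.strftime(ISO_UTC),
                                 tolerance_seconds)
```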

