Package: reprepro
Version: 4.2.0-2
Severity: wishlist

Some repositories have a policy that they will make updates on a regular basis (or that they will at least refresh the signatures on the same static list of packages regularly).

It would be nice for the maintainers of those archives to be able to state that their archive signatures have an expiration date.

Having an expiration date on an archive signature provides a quick way for users to know that their mirror is out of date, and it prevents the possibility of a version rollback (by replay of old metadata) by an attacker in control of the network.

A configuration option that passes its value through to gpg's --default-sig-expire argument would be great. An admin with a policy to refresh the archive at least once every two weeks could do something like:

  echo 'archive-sig-expire 2w' >> conf/options

I think this would be currently doable (as a workaround) by archive administrators willing to modify ~/.gnupg/gpg.conf, or to use an alternate $GNUPGHOME for their reprepro invocations, but it would be good to expose it as an explicit option.

Thanks for reprepro!

  --dkg

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages reprepro depends on:
ii  libarchive1    2.8.4-1           Single library to read/write tar,
ii  libbz2-1.0     1.0.5-6           high-quality block-sorting file co
ii  libc6          2.11.2-7          Embedded GNU C Library: Shared lib
ii  libdb4.8       4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libgpg-error0  1.10-0.2          library for common error values an
ii  libgpgme11     1.2.0-1.2         GPGME - GnuPG Made Easy
ii  zlib1g         1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages reprepro recommends:
ii  apt            0.8.10            Advanced front-end for dpkg

Versions of packages reprepro suggests:
ii  gnupg-agent    2.0.14-2          GNU privacy guard - password agent
pn  inoticoming    <none>            (no description available)
ii  lzma           4.43-14           Compression method of 7z format in
ii  xz-utils       5.0.0-2           XZ-format compression utilities

-- no debconf information
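The freshness check that an expiring archive signature makes possible on the verifying side, as an added example that is not part of the original report and is not reprepro or apt code. It reads the machine-readable lines that `gpg --status-fd` emits while verifying Release.gpg; the function names, the `require_expiry` policy and the sample status lines (with a placeholder fingerprint) are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def _parse_ts(value):
    # gpg prints epoch seconds, or ISO 8601 (YYYYMMDDTHHMMSS) marked by a "T"
    if "T" in value:
        dt = datetime.strptime(value, "%Y%m%dT%H%M%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return int(value)

def release_is_fresh(status_lines, now, require_expiry=True):
    """Judge the `gpg --status-fd` output of one Release.gpg verification.

    now is the verifier's clock in epoch seconds. require_expiry is a local
    policy assumed for this example: refuse signatures that never expire.
    Returns (ok, reason).
    """
    expires = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature not acceptable (%s)" % keyword
        if keyword == "EXPSIG":
            return False, "signature expired: metadata is stale or replayed"
        # VALIDSIG <fpr> <date> <sig-timestamp> <expire-timestamp> ...
        if keyword == "VALIDSIG" and len(args) >= 4:
            expires = _parse_ts(args[3])
    if expires is None:
        return False, "no valid signature seen"
    if expires == 0:  # 0 means the signature carries no expiration
        if require_expiry:
            return False, "signature never expires: freshness unknown"
        return True, "valid, no expiration"
    if now >= expires:
        return False, "signature expired: metadata is stale or replayed"
    return True, "valid until %d" % expires

# Constructed sample status lines (placeholder fingerprint, not a real key).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = "[GNUPG:] GOODSIG %s Constructed Archive Key" % FPR[-16:]
SIGNED_2W = [GOOD, "[GNUPG:] VALIDSIG %s 2011-02-01 1296518400 1297728000 4 0 1 2 00 %s" % (FPR, FPR)]
NO_EXPIRY = [GOOD, "[GNUPG:] VALIDSIG %s 2011-02-01 1296518400 0 4 0 1 2 00 %s" % (FPR, FPR)]

if __name__ == "__main__":
    print(release_is_fresh(SIGNED_2W, now=1296518400 + 86400))
    print(release_is_fresh(SIGNED_2W, now=1297728000 + 3600))
    print(release_is_fresh(NO_EXPIRY, now=1296518400 + 86400))
```

The second call models the replay case: metadata signed with a two-week expiry and served again after that window is rejected, while the same bytes signed without an expiry give the verifier nothing to compare its clock against.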