On 28.10.2017 05:27, M. J. Everitt wrote:
> On 28/10/17 03:41, Dean Stephens wrote:
>> On 10/27/17 17:48, Hanno Böck wrote:
>>> Should a package manager reject a sync if it is too old? or not install
>>> packages if a sync hasn't happened for some time? What is considered
>>> "outdated"? I think that should be clarified how exactly it's supposed
>>> to work.
>>>
>> If such a rejection is to be the default, an override option should be
>> required as part of the spec. There are use cases where using an "old"
>> repository would be necessary, even if only temporarily.
>>
> I_KNOW_WHAT_I_AM_DOING=1
>
> :]

That is already reserved for disabling the signature checks :P

I would suggest --max-repository-age-days=<value> with <value> defaulting
to as many days as the maximum update interval of the repository + 1.
But then the repository actually has to be newly signed at least once
each <value> days to prevent users from getting false positive replay
attack detection errors breaking their update process...

--
Allan Wegan
<http://www.allanwegan.de/>
Jabber: allanwe...@ffnord.net
 OTR-Fingerprint: E4DCAA40 4859428E B3912896 F2498604 8CAA126F
Jabber: allanwe...@jabber.ccc.de
 OTR-Fingerprint: A1AAA1B9 C067F988 4A424D33 98343469 29164587
ICQ: 209459114
 OTR-Fingerprint: 71DE5B5E 67D6D758 A93BF1CE 7DA06625 205AC6EC
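The maximum-age check discussed in this thread, sketched as an added Python example; it is not part of the original e-mails or of any package manager's code. All function and parameter names are hypothetical, and `signed_at` is assumed to come from repository metadata whose signature has already been verified.

```python
from datetime import datetime, timedelta, timezone


class StaleRepositoryError(Exception):
    """The signed repository timestamp is older than the allowed window."""


def default_max_age_days(max_update_interval_days):
    # Default proposed in the thread: maximum update interval plus one day.
    return max_update_interval_days + 1


def check_freshness(signed_at, now, max_age_days, allow_stale=False):
    """Return the age of the signed snapshot, or raise if it is too old.

    allow_stale is the explicit override asked for in the thread, for cases
    where an old repository has to be used temporarily.
    """
    if signed_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    age = now - signed_at
    if age < timedelta(0):
        # Signed "in the future": the local clock or the metadata is wrong.
        raise ValueError("signed timestamp is later than the local clock")
    if age > timedelta(days=max_age_days) and not allow_stale:
        raise StaleRepositoryError(
            f"snapshot is {age.days} days old, limit is {max_age_days}")
    return age


def honest_snapshot_rejected(resign_interval_days, max_age_days):
    """True if a genuine, current snapshot trips the check before the next
    re-signing, i.e. the false positive described in the reply."""
    signed_at = datetime(2017, 10, 1, tzinfo=timezone.utc)  # constructed date
    for day in range(resign_interval_days + 1):
        try:
            check_freshness(signed_at, signed_at + timedelta(days=day),
                            max_age_days)
        except StaleRepositoryError:
            return True
    return False
```

With a repository re-signed only every 7 days and a 2-day limit, `honest_snapshot_rejected(7, 2)` is true: the limit has to be at least as long as the re-signing interval.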