On 2019-12-13 12:39, Allan McRae wrote:
> I have made a start at adding an expiry time to repo databases. See the three patches here:
> https://patchwork.archlinux.org/bundle/Allan/repo_timestamp/
>
> My question is, what should we do once a database is determined to be expired? Follow the example of a bad signature, and refuse to load it at all? Just refuse to install anything from it, but still enable searching etc?
In my opinion the timestamp only needs to be checked during a database refresh: in combination with signed database files, this provides security against a MITM serving an outdated database to withhold security updates, while leaving the timing of database updates under the user's control. As an example, air-gapped computers are expected to have an outdated database, while it would still be completely fine to install packages from the cache.

In case the freshly downloaded database is expired, it shall not be copied and unpacked to /var/lib/pacman at all; instead the next available mirror should be tried to download a more recent copy. This also provides a bit of a usability improvement w.r.t. stale mirrors.

Best,
Jonas
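The refresh-only check Jonas proposes, modelled as an added example (this is illustrative code written for this page, not pacman's code or Allan's patches). It assumes a database carrying a "timestamp" and an "expires" field, an HMAC standing in for the detached PGP signature pacman really uses, a constructed 7-day lifetime, constructed clock values, and mirrors modelled as callables returning (db_bytes, sig_bytes); none of those details come from the thread. The point it shows: a genuinely signed but expired database (a replay by a MITM or a stale mirror) passes the signature check yet is rejected at refresh time and the next mirror is tried, while the database already on disk keeps serving installs even if it is old.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the repository's PGP signing key.
REPO_KEY = b"constructed-demo-signing-key"

DAY = 86_400
NOW = 1_576_000_000       # constructed "current time" (assumption, not from the thread)
DB_LIFETIME = 7 * DAY     # constructed expiry window (the patches' value is not given here)


def sign_db(db):
    """Serialise and sign a database dict. Returns (db_bytes, sig_bytes)."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hmac.new(REPO_KEY, blob, hashlib.sha256).digest()


def verify_sig(blob, sig):
    """Stand-in for the PGP signature check on the downloaded .db.sig."""
    expected = hmac.new(REPO_KEY, blob, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def make_db(built_at, packages):
    """Hypothetical db layout: build timestamp plus expiry derived from it."""
    return {"timestamp": built_at, "expires": built_at + DB_LIFETIME, "packages": packages}


def is_expired(db, now=NOW):
    return now >= db["expires"]


def refresh(mirrors, local_db, now=NOW):
    """Refresh-time check. Mirrors are tried in order; a download with a bad
    signature or a past expiry is never unpacked into the local db directory,
    the next mirror is tried instead. If every mirror fails, the database that
    is already on disk is kept unchanged.
    Returns (resulting_local_db, list_of_(mirror, reason)_rejections)."""
    rejected = []
    for name, fetch in mirrors:
        blob, sig = fetch()
        if not verify_sig(blob, sig):
            rejected.append((name, "bad signature"))
            continue
        db = json.loads(blob)
        if is_expired(db, now):
            # Signature is fine, content is stale: treat as a MITM replay / stale mirror.
            rejected.append((name, "expired"))
            continue
        return db, rejected
    return local_db, rejected


def lookup(local_db, pkgname):
    """Install-time path: deliberately no expiry check, so an air-gapped host
    can still install from its package cache with an outdated database."""
    return local_db["packages"].get(pkgname)


# --- constructed scenario (sample data, not real repository content) --------
OLD_DB = make_db(NOW - 30 * DAY, {"openssl": "1.1.1c-1"})   # long expired
NEW_DB = make_db(NOW - 1 * DAY, {"openssl": "1.1.1d-2"})    # still fresh
old_blob, old_sig = sign_db(OLD_DB)
new_blob, new_sig = sign_db(NEW_DB)

MIRRORS = [
    # MITM or stale mirror replaying a genuinely signed but outdated database
    ("replay", lambda: (old_blob, old_sig)),
    # attacker editing the fresh database: signature no longer matches
    ("tamper", lambda: (new_blob.replace(b"1.1.1d-2", b"1.1.1c-1"), new_sig)),
    ("good", lambda: (new_blob, new_sig)),
]


def demo():
    """Run a refresh against the three constructed mirrors."""
    return refresh(MIRRORS, local_db=OLD_DB)


if __name__ == "__main__":
    db, rejected = demo()
    print("rejections:", rejected)
    print("openssl after refresh:", lookup(db, "openssl"))
    # air-gapped case: the only reachable mirror is stale, local db stays usable
    kept, _ = refresh([("replay", MIRRORS[0][1])], local_db=OLD_DB)
    print("offline install still resolves:", lookup(kept, "openssl"))
```

The ordering inside refresh() matters: the signature is verified before the JSON is parsed and before the expiry is read, so an unsigned or tampered file cannot influence the freshness decision, and the expiry check happens only on the freshly downloaded copy, never on the database already in place.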