Merge branch 'pu/not-valid-before' into 'master'

Check that Date of Release file is not in the future

See merge request apt-team/apt!3

3 files changed, 41 insertions, 0 deletions

diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index fdcd99425..e285b3130 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -315,6 +315,27 @@ APT::Compressor::rev {
    for the download itself (see also &sources-list;).</para>
 
    <variablelist>
+     <varlistentry><term><option>Check-Date</option></term>
+	 <listitem><para>
+	 Security related option defaulting to true, enabling time-related
+	 checks. Disabling it means that the machine's time cannot be
+	 trusted, and APT will hence disable all time-related checks,
+	 such as <option>Check-Valid-Until</option> and verifying that
+	 the Date field of a release file is not in the future.
+	 </para></listitem>
+     </varlistentry>
+
+     <varlistentry><term><option>Max-FutureTime</option></term>
+	 <listitem><para>Maximum time (in seconds) before its creation (as indicated
+	 by the <literal>Date</literal> header) that the <filename>Release</filename>
+	 file should be considered valid.
+
+	 The default value is <literal>10</literal>.
+	 Archive specific settings can be made by appending the label of the archive
+	 to the option name. Preferably, the same can be achieved for specific
+	 &sources-list; entries by using the <option>Date-Max-Future</option> option there.
+	 </para></listitem>
+     </varlistentry>
      <varlistentry><term><option>Check-Valid-Until</option></term>
      <listitem><para>
      Security related option defaulting to true, as giving a Release file's
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 00c2ee183..3763aa900 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -234,6 +234,9 @@ Acquire
   Max-ValidTime::* "<INT>"; // repository label specific configuration
   Min-ValidTime "<INT>"; // time in seconds
   Min-ValidTime::* "<INT>"; // repository label specific configuration
+  Check-Date "<BOOL>"; // whether to check the "Date" field
+  Max-FutureTime "<INT>"; // seconds to allow release file's Date field to be in the future (default 10)
+  Max-FutureTime::* "<INT>"; // repository label specific configuration
 
   SameMirrorForAllIndexes "<BOOL>"; // use the mirror serving the Release file for Packages & co
 
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index 2a047c83b..592227dd8 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -343,6 +343,23 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
 		default.
 	  </para></listitem>
 
+	  <listitem><para><option>Check-Date</option> (<option>check-date</option>)
+		is a yes/no value which controls if APT should consider
+		the machine's time correct and hence perform time related
+		checks, such as verifying that a Release file is not
+		from the future. Disabling it also disables the
+		<option>Check-Valid-Until</option> option
+		mentioned above.
+	  </para></listitem>
+
+	  <listitem><para><option>Date-Max-Future</option>
+		(<option>date-max-future</option>) controls how far
+		from the future a repository may be.
+		Default to the value of the configuration option
+		<option>Acquire::Max-FutureTime</option> which is
+		10 seconds by default.
+	  </para></listitem>
+
 	  <listitem><para><option>InRelease-Path</option> (<option>inrelease-path</option>)
 		determines the path to the InRelease file, relative
 		to the normal position of an <filename>InRelease</filename> file.