From f318d062dd381d53e37dd6003ec9d7f3d9b91e07 Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt <ansgar@debian.org>
Date: Fri, 12 Sep 2014 01:24:24 +0200
Subject: [PATCH] daklib/checks.py: check timestamp of .changes signature

This makes it possible to eventually drop old entries from the
signature_history table.
---
 daklib/archive.py |  1 +
 daklib/checks.py  | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/daklib/archive.py b/daklib/archive.py
index 34350fec..b78a1cb4 100644
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -902,6 +902,7 @@ class ArchiveUpload(object):
             # Validate signatures and hashes before we do any real work:
             for chk in (
                     checks.SignatureAndHashesCheck,
+                    checks.SignatureTimestampCheck,
                     checks.ChangesCheck,
                     checks.ExternalHashesCheck,
                     checks.SourceCheck,
diff --git a/daklib/checks.py b/daklib/checks.py
index c7c4a16f..f4127808 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -36,6 +36,7 @@ import daklib.upload
 import apt_inst
 import apt_pkg
 from apt_pkg import version_compare
+import datetime
 import errno
 import os
 import subprocess
@@ -167,6 +168,25 @@ class SignatureAndHashesCheck(Check):
         except daklib.upload.UploadException as e:
             raise Reject('{0}: {1}'.format(filename, unicode(e)))
 
+class SignatureTimestampCheck(Check):
+    """Check timestamp of .changes signature"""
+    def check(self, upload):
+        changes = upload.changes
+
+        now = datetime.datetime.utcnow()
+        timestamp = changes.signature_timestamp
+        age = now - timestamp
+
+        age_max = datetime.timedelta(days=365)
+        age_min = datetime.timedelta(days=-7)
+
+        if age > age_max:
+            raise Reject('{0}: Signature from {1} is too old (maximum age is {2} days)'.format(changes.filename, timestamp, age_max.days))
+        if age < age_min:
+            raise Reject('{0}: Signature from {1} is too far in the future (tolerance is {2} days)'.format(changes.filename, timestamp, abs(age_min.days)))
+
+        return True
+
 class ChangesCheck(Check):
     """Check changes file for syntax errors."""
     def check(self, upload):
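Review bot: The 365-day and 7-day limits in `SignatureTimestampCheck.check` are bare literals, and nothing ties them to the signature_history pruning that the commit message is aiming for, so a later cleanup job could be given a cutoff shorter than the acceptance window. A signature dated up to 7 days ahead is accepted and stays acceptable until it is 365 days old, so its history entry (presumably the replay record) has to be kept for at least 372 days after it is first seen. I would state that above `age_max`, e.g. `# signature_history entries must be kept for at least age_max + abs(age_min) (372 days); pruning earlier would let an old signed .changes be accepted again`. Separately, `now` comes from `datetime.datetime.utcnow()` and is naive, so `now - timestamp` is only correct if `changes.signature_timestamp` is always a naive UTC datetime and never None. That property is defined outside this diff, so it is worth confirming and recording in the class docstring.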
-- 
2.39.5