I've set up a local APT mirror using apt-mirror2 to serve specific versions of Debian packages for my environment. However, since I don't update this mirror regularly, I've been encountering issues with expired repository metadata, resulting in errors like:
Here is the my client sources list :I understand that this issue can be resolved by re-syncing with apt-mirror2, but my concern is that re-syncing might not only update the metadata files but also download new versions of packages, which I want to avoid to maintain stability.
Current Workarounds
To address this, I've found two potential solutions:
Code:
E: Release file for http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/mirror/debian/20240731T204419Z/dists/bookworm-backports/InRelease is expired (invalid since X days). Updates for this repository will not be applied.Code:
deb http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/debian bookworm main contrib non-free non-free-firmware deb http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/debian-security bookworm-security main contrib non-free non-free-firmware deb http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/debian bookworm-backports main contrib non-free deb http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/debian bookworm-updates main contrib non-free non-free-firmware deb http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/debian/20240731T204419Z/ bookworm-backports main contrib non-free non-free-firmwareCurrent Workarounds
To address this, I've found two potential solutions:
- Using the `[check-valid-until=no]` option directly in my `sources.list` file for the affected repositories. This seems to allow me to bypass the `Valid-Until` check selectively for specific entries:
Code:
deb [check-valid-until=no] http://<local_apt_server_ip>/aptmirror/tagging/debian12.7/mirror/debian/20240731T204419Z/ bookworm-backports main contrib non-free non-free-firmware- Setting `Acquire::Check-Valid-Until "false";` in `/etc/apt/apt.conf` to globally disable the `Valid-Until` check across all repositories.
- Which approach is preferable for my use case, considering I don’t update my APT mirror regularly?
- What are the security risks associated with bypassing the `Valid-Until` check for repository metadata? I want to ensure that I'm making an informed decision without compromising the security of my system.
- Are there any best practices or additional steps I can take to avoid the "InRelease is expired" issue without sacrificing too much security? Would love to hear how others manage this in their environments.
Statistics: Posted by samadhan — 2024-09-01 20:18 — Replies 1 — Views 52