Hey. Some more technical on this:
Right now, we get the validity via the fields in the Release files. I'm not sure whether the following could actually help with the technical issues (i.e. speed of distributing re-signed release files across the mirrors), but perhaps basing the validity on the OpenPGP signature could help a tiny bit. That way one would just need to distribute the detached signatures and perhaps one could also place multiple signatures along with the Release files to assist the turn-over. Not sure though, whether this would still work with InRelease - I guess OpenPGP itself would probably support it, but no sure whether gnupg does. Also this doesn't help with the point, that one rather needs a fast distribution of all the Release/Packages/Sources files for shorter validity times, at least if my analysis from message #60 is more or less correct. Cheers, Chris
smime.p7s
Description: S/MIME cryptographic signature