LPMtool - LPMtool is a Package Management tool

Chapter 10. Creating restricted-access repositories

The web server checks each request for any file from a restricted access repository as follows:
The VERSION and pgpkeys.txt files are served to anyone who asks, with no authentication required.
The contents of the TIMESTAMP file are constructed on the fly, each time it gets requested.
| NOTE: | In the future, the TIMESTAMP file might contain other things besides just the server's clock. When parsing this file's contents, be prepared to see, and ignore, other things besides "TIME=N". |
Requests for any other file that do not include the extra authentication parameters are rejected.
The server compares the epoch timestamp in the request against its internal clock, and rejects any request whose epoch timestamp is nowhere near what its internal clock says it should be. A variance of sixty seconds, plus or minus, is recommended. In practice the variance should not be more than 2-3 seconds; the extra padding provides for marginal situations when the server is overloaded with requests.
The server finds the authorization key that has ID as its first part, and takes the second part of the authorization key. The server combines the second part with the timestamp from the request, and the relative path to the requested file in the primary repository. Finally, the server computes the SHA1 hash, converts it to hexadecimal, and prepends the fixed "sha1-" prefix. The request is rejected unless the result matches the "hash" portion of the access request.
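
The checks above, sketched in Python as an added example (this is not LPMtool's own code). The page does not say how the three parts are joined before hashing, so plain concatenation in the listed order is an assumption, as are the parameter names `id`, `timestamp` and `hash` and the layout of the key table.

```python
import hashlib
import hmac

PUBLIC_FILES = {"VERSION", "pgpkeys.txt", "TIMESTAMP"}
MAX_SKEW = 60  # seconds, plus or minus, as recommended above


def parse_timestamp(body):
    """Client side: return N from a TIME=N line, ignoring anything else."""
    for line in body.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name == "TIME" and value.isdecimal():
            return int(value)
    return None


def expected_hash(secret, timestamp, relpath):
    # ASSUMPTION: plain concatenation, in the order the text lists the parts.
    data = f"{secret}{timestamp}{relpath}".encode("utf-8")
    return "sha1-" + hashlib.sha1(data).hexdigest()


def check_request(relpath, params, keys, now):
    """Server side: return (allowed, reason) for one request.

    params: the extra authentication parameters (hypothetical names).
    keys:   maps key ID (first part) to the key's second part.
    """
    if relpath in PUBLIC_FILES:
        return True, "public file"
    if not all(k in params for k in ("id", "timestamp", "hash")):
        return False, "missing authentication parameters"
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside allowed variance"
    secret = keys.get(params["id"])
    if secret is None:
        return False, "unknown key ID"
    want = expected_hash(secret, ts, relpath).encode("utf-8")
    # Constant-time comparison: do not leak how many characters matched.
    if not hmac.compare_digest(want, params["hash"].encode("utf-8")):
        return False, "hash mismatch"
    return True, "ok"
```

Because the requested path is part of the hashed input, a hash issued for one file is rejected for any other, and the timestamp check limits how long a captured request stays valid.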