Backport TUF security bugfix to 3.6

cherry-picks dcfdc9c
haskell · Nov 16, 2023 · 0f207d6 · 0f207d6
1 parent 8fd619e
commit 0f207d6
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/cabal-install/src/Distribution/Client/CmdUpdate.hs b/cabal-install/src/Distribution/Client/CmdUpdate.hs
@@ -197,10 +197,12 @@ updateRepo verbosity _updateFlags repoCtxt (repo, indexState) = do
       -- NB: always update the timestamp, even if we didn't actually
       -- download anything
       writeIndexTimestamp index indexState
-      ce <- if repoContextIgnoreExpiry repoCtxt
-              then Just `fmap` getCurrentTime
-              else return Nothing
-      updated <- Sec.uncheckClientErrors $ Sec.checkForUpdates repoSecure ce
+      -- typically we get the current time to check expiry against
+      -- but if the flag is set, we don't.
+      now <- case repoContextIgnoreExpiry repoCtxt of
+                 False -> Just <$> getCurrentTime
+                 True  -> pure Nothing
+      updated <- Sec.uncheckClientErrors $ Sec.checkForUpdates repoSecure now
 
       let rname = remoteRepoName (repoRemote repo)