From ca5f8c33cea3e50e166cbe63b2f14eb0826aeb38 Mon Sep 17 00:00:00 2001
From: Andrea Bedini <andrea.bedini@tweag.io>
Date: Fri, 17 Nov 2023 00:33:11 +0800
Subject: [PATCH] Backport TUF security bugfix to 3.6

cherry-picks dcfdc9cffd74cade4e8cf3df37c5993413ffd30f
---
 cabal-install/src/Distribution/Client/CmdUpdate.hs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/cabal-install/src/Distribution/Client/CmdUpdate.hs b/cabal-install/src/Distribution/Client/CmdUpdate.hs
index b205dfda348..5c9f37e4810 100644
--- a/cabal-install/src/Distribution/Client/CmdUpdate.hs
+++ b/cabal-install/src/Distribution/Client/CmdUpdate.hs
@@ -197,10 +197,12 @@ updateRepo verbosity _updateFlags repoCtxt (repo, indexState) = do
       -- NB: always update the timestamp, even if we didn't actually
       -- download anything
       writeIndexTimestamp index indexState
-      ce <- if repoContextIgnoreExpiry repoCtxt
-              then Just `fmap` getCurrentTime
-              else return Nothing
-      updated <- Sec.uncheckClientErrors $ Sec.checkForUpdates repoSecure ce
+      -- typically we get the current time to check expiry against
+      -- but if the flag is set, we don't.
+      now' <- case repoContextIgnoreExpiry repoCtxt of
+                 False -> Just <$> getCurrentTime
+                 True  -> pure Nothing
+      updated <- Sec.uncheckClientErrors $ Sec.checkForUpdates repoSecure now'
 
       let rname = remoteRepoName (repoRemote repo)