Time sync issues with DPA builds

I rebuilt a set of 50 random dh-python reverse-build-dependencies in a repository: https://debusine.debian.net/debian/r-stefanor-dh-python/

I forgot to disable adding these builds to the repository (only dh-python itself needed to be published) but that meant I ran into a fun little problem:

https://debusine.debian.net/debian/r-stefanor-dh-python/artifact/2913650/#L6-section

12s Err:3 http://deb.debusine.debian.net/debian/r-stefanor-dh-python sid-dh-python InRelease
12s Sub-process /usr/bin/sqv returned an error code (1), error message is: Signature by D966DAFFBD4394D369CFB892DE78184209E0E98A was created after the --not-after date.

I guess that means the external worker (debusine-worker-arm64-demeter-01) had a time behind the signing worker.

@helmutg: What is our time-sync strategy? Munin shows debusine-worker-arm64-demeter-01 out by 16 seconds, although the host isn't as far out. I see poseidon has systemd-timesyncd:

stefanor@poseidon:~$ timedatectl timesync-status
       Server: 2a01:4f8:0:a112::2:2 (ntp2.hetzner.com)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: 7CD8A40E
    Precision: 1us (-24)
Root distance: 24.108ms (max: 5s)
       Offset: +46us
        Delay: 25.721ms
       Jitter: 153us
 Packet count: 815
    Frequency: +14.143ppm

The cloud workers are using systemd-timesyncd too.

@cjwatson: Would it make sense to sign indices with a timestamp 5 minutes in the past? Or wait 5 seconds before serving a new InRelease file?

Edited by Stefano Rivera
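As an added example (not part of the original post, and not debusine's code), the sketch below reads the Offset field from `timedatectl timesync-status` output and models when a verifier would treat a fresh signature as created in the future, for the two mitigations asked about above. It assumes the verifier uses its own clock as the cutoff; the function names and the `*_ahead`, `backdate` and `delay` parameters are hypothetical.

```python
import re

# Seconds per unit in the spans systemd prints ("34min 8s", "+46us").
# Assumption: newer systemd may print the micro sign instead of "u".
UNIT_SECONDS = {"us": 1e-6, "µs": 1e-6, "μs": 1e-6, "ms": 1e-3,
                "s": 1.0, "min": 60.0, "h": 3600.0, "d": 86400.0}
COMPONENT = re.compile(r"(\d+(?:\.\d+)?)\s*([a-zµμ]+)")

# Excerpt of the timesync-status output quoted in the post.
SAMPLE = """\
       Server: 2a01:4f8:0:a112::2:2 (ntp2.hetzner.com)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
Root distance: 24.108ms (max: 5s)
       Offset: +46us
"""


def parse_timespan(text):
    """Convert a span such as '-1min 2.5s' to signed seconds."""
    text = text.strip()
    sign = -1.0 if text.startswith("-") else 1.0
    parts = COMPONENT.findall(text.lstrip("+-"))
    if not parts:
        raise ValueError(f"no time span in {text!r}")
    total = 0.0
    for value, unit in parts:
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += float(value) * UNIT_SECONDS[unit]
    return sign * total


def timesync_offset(status_output):
    """Return the Offset field of `timedatectl timesync-status` in seconds."""
    for line in status_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Offset":
            return parse_timespan(value)
    raise ValueError("no Offset field in output")


def signature_rejected(signer_ahead, verifier_ahead, backdate=0.0, delay=0.0):
    """True if the verifier sees the signature time as later than its own clock.

    *_ahead: seconds each clock runs ahead of true time (negative = behind).
    backdate: seconds subtracted from the signing timestamp.
    delay: seconds between signing and the verifier fetching InRelease.
    """
    return signer_ahead - backdate > verifier_ahead + delay
```

With the verifier 16 seconds behind (the Munin figure, taken here as an assumption about direction), `signature_rejected(0, -16, delay=5)` is still true, while `signature_rejected(0, -16, backdate=300)` is false.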