Support expiration of metadata by package archives
Expiring package metadata is intended to limit the effectiveness of a replay attack, and is used by the APT package manager, among others. Here, the onus is on the package archives to implement a secure and reasonable policy. (Debian uses 7 days before metadata expires.) * lisp/emacs-lisp/package.el (package--parse-header-from-buffer): Break out new defun from... (package--parse-timestamp-from-buffer): ...here. (package--parse-valid-until-from-buffer) (package--archive-contents-not-expired): New defuns. (package--check-archive-timestamp): Test for a "Valid-Until" header in the archive-contents file and signal an error if it's too old. * test/lisp/emacs-lisp/package-tests.el (package--parse-valid-until-from-buffer) (package-test-check-archive-timestamp/not-expired) (package-test-check-archive-timestamp/expired): New tests for the above.