Chapter 10. Creating restricted-access repositories

Table of Contents

1. Accessing restricted-access repositories
2. Verifying access to restricted files
3. Sample request for a restricted access file
3.1. Reference implementation

It is possible to restrict access to a LPMtool web repository to authorized users only. This is done by assigning an authorization key to each user who should have access to a web repository.

An authorization key is a token that consists of two parts:


The id part must contain only characters in the US-ASCII character set. The following characters may not appear in id: control characters and whitespace, the quote character, apostrophe, commas, and the #, &, <, >, :, and ; characters. The id should really contain letters and numbers only. Other punctuation characters might cause problems with external web proxies. Each authorized user must have a unique id.

id is followed by a colon, and a password. Characters forbidden in id are also forbidden in the password, but the password may also contain character codes 160-255. For best results, id should be at least 64 characters long, and randomly generated using all legal character codes.

The authorization keys are assigned and maintained by whoever maintains the package repository. The authorization keys can be created using whatever mechanism is the most convenient to the maintainer. LPMtool does not interpret the authorization key's contents in any way except as described above. As long as each part of the authorization key meets these specifications, LPMtool does not parse its contents any further.

When a web repository holds more than one platform-specific subdirectory, all platform-specific subdirectories should have the same set of valid authorization keys. It is technically possible to use different sets of valid authorization keys for each platform specific directory, if custom validation software is installed on the package repository's web server.

1. Accessing restricted-access repositories

In the following description URL represents the URL to a platform-specific subdirectory of a package repository. For example, if a package repository's URL is, and LPMtool is running on a supertux-2.1 platform, URL in the following examples should be replaced by

All package repositories contain the following files:


These two files remain accessible to everyone, the authorization key is not required. A third file is also present in restricted access repositories. This file is also available without authorization:


TIMESTAMP is a plain text file. For now, this file contains one line:


n is a single, whole decimal number. Each time this file gets requested, n gets replaced by the number of seconds since a fixed epoch, according to the repository server's internal clock.


Although almost everyone will use the UNIX epoch date of midnight, January, 1970 GMT, a repository server may choose any other fixed epoch start.

All other files in the repository require authorization, and must be accessed using the following URL:


ID is the first portion of the authorization key. N is computed by taking n from the TIMESTAMP file, and adding the number of seconds that elapsed since the TIMESTAMP file was downloaded from the server. N represents a good guess as to the repository server's current time.

Finally, hash is set to sha1-X, where X is a SHA1 hash of path/N/PW, in hexadecimal characters. path and N are taken from the access request, and PW is the second part of the authorization key.


The base URL of the repository directory is not included in the computation, only the relative pathname of the file in the repository.