bmersereau puts a shelf life on Mike's download links
Shared download links stop living forever - by default they now expire after 30 days.
Mike hands out download links protected by a cryptographic signature, so only a genuinely-issued link works. bmersereau's change adds an expiry date to that signature: once a link is older than its window, the backend refuses it. The default window is 30 days, which the author frames as a deliberate trade-off - long enough that a link pasted into a chat thread still works when someone comes back to it later, short enough to limit the damage if the underlying signing key ever has to be swapped out.
Crucially, nothing breaks on day one. Links created before this change carry no expiry and keep working, so existing shares in the wild aren't killed the moment it lands. Only new links start the clock. The work also brings the backend its first automated test setup, with a handful of tests covering the new behaviour.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?