Seeking Advice on Managing Expired APT Repository Metadata for a Local Mirror

I've set up a local APT mirror using apt-mirror2 to serve specific versions of Debian packages for my environment. However, since I don't update this mirror regularly, I've been encountering issues with expired repository metadata, resulting in errors like: E: Release file for http:///aptmirror/tagging/debian12.7/mirror/debian/20240731T204419Z/dists/bookworm-backports/InRelease is expired (invalid since X days). Updates for this repository will not be applied. Here is my client sources list: deb http:///aptmirror/tagging/debian12.7/debian bookworm main contrib non-free non-free-firmware deb http:///aptmirror/tagging/debian12.7/debian-security bookworm-security main contrib non-free non-free-firmware deb http:///aptmirror/tagging/debian12.7/debian bookworm-backports main contrib non-free deb http:///aptmirror/tagging/debian12.7/debian bookworm-updates main contrib non-free non-free-firmware deb http:///aptmirror/tagging/debian12.7/debian/20240731T204419Z/ bookworm-backports main contrib non-free non-free-firmware **Current Workarounds** To address this, I've found two potential solutions: Using the [check-valid-until=no] option directly in my sources.list file for the affected repositories. This seems to allow me to bypass the Valid-Until check selectively for specific entries: deb [check-valid-until=no] http:///aptmirror/tagging/debian12.7/mirror/debian/20240731T204419Z/ bookworm-backports main contrib non-free non-free-firmware Setting Acquire::Check-Valid-Until "false"; in /etc/apt/apt.conf to globally disable the Valid-Until check across all repositories. Which approach is preferable for my use case, considering I don’t update my APT mirror regularly? What are the security risks associated with bypassing the Valid-Until check for repository metadata? I want to ensure that I'm making an informed decision without compromising the security of my system. Are there any best practices or additional steps I can take to avoid the "InRelease is expired" issue without sacrificing too much security? Would love to hear how others manage this in their environments.