Hi Jörg,

> Done. We now generate Release files having "Valid-Until:" headers. Same
> format as the Date: one, just currently (for the main archive) 7 days in
> future.

Thanks for implementing this. When is this file regenerated, daily?

> Would be nice if apt could get this implemented soon[1] and then the
> release team asked how we could get this into lenny.
> (If it's *only* this change, maybe lenny proper. If that doesn't work,
> maybe r1? Or possibly really a DSA for it).

I guess APT would need to reject Release files that do not contain any
Valid-Until header (or you could still do the attack with the files we
served until now). However, that could break a lot of private
repositories and the software that runs them would need to be fixed as
well. So I'm not sure if we manage to do all that in time for lenny.

In case this indeed turns out to be a problem we may get away with it
being an optional feature for lenny that can be turned on by a cautious
administrator, and that will be default on for squeeze?

I also believe that APT would need an override switch - it's an
important tool for system maintenance, and there may be cases where your
system time is seriously borked but you would still want to run an
update.

cheers,
Thijs
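The client-side check discussed in this message, as an added example that is not part of the original mail and is not APT's code: it accepts or rejects a Release file based on its Valid-Until header, with an opt-in strict mode for files that lack the header and an override for hosts with a broken clock. The names `check_release`, `require_valid_until` and `ignore_expiry`, the date format string and the sample Release text are assumptions made for illustration, and the file is assumed to have passed signature verification already.

```python
from datetime import datetime, timezone

# Assumed format: the message says Valid-Until uses the same format as Date.
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample Release file (not taken from any real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 14 Feb 2009 12:00:00 UTC
Valid-Until: Sat, 21 Feb 2009 12:00:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
"""

def parse_release_headers(text):
    """Return top-level 'Field: value' headers, keyed by lower-cased name."""
    headers = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue  # blank line or continuation line (checksum entries)
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_release(text, now, require_valid_until=False, ignore_expiry=False):
    """Return (accepted, reason) for an already signature-verified Release file.

    require_valid_until and ignore_expiry are hypothetical policy knobs that
    model the opt-in strict mode and the override switch discussed above.
    """
    raw = parse_release_headers(text).get("valid-until")
    if raw is None:
        # Legacy Release file: replayable forever unless the header is required.
        if require_valid_until:
            return False, "missing-valid-until"
        return True, "no-expiry-information"
    try:
        valid_until = datetime.strptime(raw, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "unparsable-valid-until"  # fail closed, even with override
    if now > valid_until:
        if ignore_expiry:
            return True, "expired-but-overridden"
        return False, "expired"
    return True, "fresh"
```

With the default arguments a Release file without Valid-Until is still accepted, which is the backwards-compatible behaviour for private repositories; only `require_valid_until=True` closes the replay of older, header-less files.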