Re: Debian derivatives census: Wazo: welcome!

On Tue, 2017-04-25 at 09:48 -0400, Sébastien Duthil wrote:

> I understand this setting has no effect on caching the Release files,
> right? An apt-get update won't consider a still-valid Release file as
> already up-to-date and will still replace the already downloaded Release
> file, as long as the Date is more recent, is this correct?


> Also, I don't really know what would be a good value for ValidFor... 1
> minute? 1 hour? 1 day? What about 0 minutes? Or is this a
> not-recommended setting? In my mind, "ValidFor: 0m" would still prevent
> the security issue, can you confirm this?

IIRC the appropriate value is a bit more than the max amount of time
between each time you sign your Release files. So if you sign daily
then 3 days might be appropriate. Active network adversaries could hold
back the repo state for 3 days before users would receive errors about
the Release files being outdated. If weekly then I'd go with 17 days.

> Thanks a lot for all the recommendations. We can't do everything you
> propose right now, but we'll keep them in mind.

Great, thanks.
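As an added example that is not part of this thread, the Python check below reads the Date and Valid-Until fields of a Release file and reports how long a held-back copy would still be accepted. It assumes the repository tool emits ValidFor as a Valid-Until header (as reprepro does) and that clients keep apt's default Check-Valid-Until behaviour; the Release excerpt is constructed.

```python
"""Inspect the freshness window a Release file's Valid-Until field grants.

Added example, not from the mailing-list thread. Assumes ValidFor is written
out as a `Valid-Until` header (reprepro behaviour) and that apt clients keep
the default `Acquire::Check-Valid-Until` enabled.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Release header excerpt: signed daily with ValidFor set to 3 days.
RELEASE_HEADER = """\
Origin: Example
Suite: stable
Date: Mon, 24 Apr 2017 06:00:00 UTC
Valid-Until: Thu, 27 Apr 2017 06:00:00 UTC
"""


def parse_fields(text):
    """Parse the simple 'Key: value' header lines of a Release file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def holdback_window(text):
    """Time a freshly signed Release stays acceptable: Valid-Until minus Date.

    Returns None when there is no Valid-Until, meaning a held-back copy would
    never be rejected on age alone.
    """
    fields = parse_fields(text)
    if "Valid-Until" not in fields:
        return None
    signed = parsedate_to_datetime(fields["Date"])
    until = parsedate_to_datetime(fields["Valid-Until"])
    return until - signed


def release_status(text, now):
    """Classify a Release file as 'fresh', 'expired' or 'no-expiry' at `now`."""
    fields = parse_fields(text)
    if "Valid-Until" not in fields:
        return "no-expiry"
    until = parsedate_to_datetime(fields["Valid-Until"])
    return "fresh" if now < until else "expired"
```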
