On Tue, 2017-04-25 at 09:48 -0400, Sébastien Duthil wrote: > I understand this setting has no effect on caching the Release files, > right? An apt-get update won't consider a still-valid Release file as > already up-to-date and will still replace the already downloaded Release > file, as long as the Date is more recent, is this correct? Correct. > Also, I don't really know what would be a good value for ValidFor... 1 > minute? 1 hour? 1 day? What about 0 minutes? Or is this a > not-recommended setting? In my mind, "ValidFor: 0m" would still prevent > the security issue, can you confirm this? IIRC the appropriate value is a bit more than the max amount of time between each time you sign your Release files. So if you sign daily then 3 days might be appropriate. Active network adversaries could hold back the repo state for 3 days before users would recieve errors about the Release files being outdated. If weekly then I'd go with 17 days. > Thanks a lot for all the recommendations. We can't do everything you > propose right now, but we'll keep them in mind. Great, thanks. -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part