Re: software outside Debian (Re: holes in secure apt)

To: debian-devel@lists.debian.org
Subject: Re: software outside Debian (Re: holes in secure apt)
From: Jakub Wilk <jwilk@debian.org>
Date: Mon, 23 Jun 2014 14:42:58 +0200
Message-id: <[🔎] 20140623124258.GA7001@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1403404458.4582.57.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net> <[🔎] 201406171339.58577.holger@layer-acht.org> <[🔎] 1403060712.4774.64.camel@heisenberg.scientia.net> <[🔎] 201406181246.23958.holger@layer-acht.org> <[🔎] 20140618115532.GA5363@jwilk.net> <[🔎] 1403404458.4582.57.camel@heisenberg.scientia.net>

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-22, 04:34:

There are a few mechanisms to mitigate downgrade attacks within thearchive:
* Valid-Until fields in the Release files;
I still think the time spans are far too long here...


For the record, the validity periods currently are:

unstable, experimental: 7 days
testing: 7 days

wheezy: no limit
wheezy(-proposed)-updates: 7 days
wheezy/updates at security.d.o: 10 days
wheezy-backports: 7 days

squeeze: no limit
squeeze(-proposed)-updates: 7 days
squeeze/updates at security.d.o: 10 days
squeeze-lts: 7 days

I agree than they could be shorter (particularly the security.d.o onesraised my eyebrows), but I'm not going to lose sleep over it.

can someone please tell me against what I could report a bug (i.e.politely ask for enhancement by making the time span much smaller)?


My guesses would be:

"reportbug ftp.debian.org" for unstable and experimental;

"reportbug release.debian.org" for testing, (old)stable and their(proposed-)updates;

team@security.d.o for the security.d.o archive;
debian-lts@lists.d.o for squeeze-lts.

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: software outside Debian (Re: holes in secure apt)
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: software outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: software outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Holger Levsen <holger@layer-acht.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Holger Levsen <holger@layer-acht.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Bug#752399: ITP: python-fdb -- Python DB-API driver for Firebird
Next by Date: Re: software outside Debian (Re: holes in secure apt)
Previous by thread: Re: sofftware outside Debian (Re: holes in secure apt)
Next by thread: Re: software outside Debian (Re: holes in secure apt)
Index(es):
- Date
- Thread