[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: software outside Debian (Re: holes in secure apt)

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-22, 04:34:
There are a few mechanisms to mitigate downgrade attacks within the archive:
* Valid-Until fields in the Release files;
I still think the time spans are far too long here...

For the record, the validity periods currently are:

unstable, experimental: 7 days
testing: 7 days

wheezy: no limit
wheezy(-proposed)-updates: 7 days
wheezy/updates at security.d.o: 10 days
wheezy-backports: 7 days

squeeze: no limit
squeeze(-proposed)-updates: 7 days
squeeze/updates at security.d.o: 10 days
squeeze-lts: 7 days

I agree than they could be shorter (particularly the security.d.o ones raised my eyebrows), but I'm not going to lose sleep over it.

can someone please tell me against what I could report a bug (i.e. politely ask for enhancement by making the time span much smaller)?

My guesses would be:

"reportbug ftp.debian.org" for unstable and experimental;
"reportbug release.debian.org" for testing, (old)stable and their (proposed-)updates;
team@security.d.o for the security.d.o archive;
debian-lts@lists.d.o for squeeze-lts.

Jakub Wilk

Reply to: