[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: software outside Debian (Re: holes in secure apt)

On Mon, 2014-06-23 at 14:42 +0200, Jakub Wilk wrote: 
> For the record, the validity periods currently are:
> unstable, experimental: 7 days
> testing: 7 days
> wheezy: no limit
> wheezy(-proposed)-updates: 7 days
> wheezy/updates at security.d.o: 10 days
> wheezy-backports: 7 days
> squeeze: no limit
> squeeze(-proposed)-updates: 7 days
> squeeze/updates at security.d.o: 10 days
> squeeze-lts: 7 days
> I agree than they could be shorter (particularly the security.d.o ones 
> raised my eyebrows), but I'm not going to lose sleep over it.
Well I just think that most of the time, our Security Team does some
very great job (if not hiding away issues o.O) and fixes are available
in Debian very shortly after a fix is available.
These guys put a lot effort into that, but their quick response is
useless if those periods are so long.
It gives an attacker that can MitM (and we must expect that not only the
NSA can do this) 7-10 days (!!!) to conceal updates from a system and
exploit the security holes they fix.
Especially since many server systems update automatically, this is quite
problematic IMHO.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: