Re: software outside Debian (Re: holes in secure apt)

To: debian-devel@lists.debian.org
Subject: Re: software outside Debian (Re: holes in secure apt)
From: Jakub Wilk <jwilk@debian.org>
Date: Mon, 23 Jun 2014 19:00:43 +0200
Message-id: <[🔎] 20140623170043.GB6476@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] b0ed4a308fd8c8f47cb23708bf94e421@mail.adsl.funky-badger.org>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net> <[🔎] 201406171339.58577.holger@layer-acht.org> <[🔎] 1403060712.4774.64.camel@heisenberg.scientia.net> <[🔎] 201406181246.23958.holger@layer-acht.org> <[🔎] 20140618115532.GA5363@jwilk.net> <[🔎] 1403404458.4582.57.camel@heisenberg.scientia.net> <[🔎] 20140623124258.GA7001@jwilk.net> <[🔎] b0ed4a308fd8c8f47cb23708bf94e421@mail.adsl.funky-badger.org>

* Adam D. Barratt <adam@adam-barratt.org.uk>, 2014-06-23, 14:24:

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-22, 04:34:
There are a few mechanisms to mitigate downgrade attacks withinthe archive:
* Valid-Until fields in the Release files;
I still think the time spans are far too long here...
For the record, the validity periods currently are:
[...]
can someone please tell me against what I could report a bug (i.e.politely ask for enhancement by making the time span muchsmaller)?
My guesses would be:

"reportbug ftp.debian.org" for unstable and experimental;
"reportbug release.debian.org" for testing, (old)stable and their(proposed-)updates;
team@security.d.o for the security.d.o archive;
debian-lts@lists.d.o for squeeze-lts.
Those are all dak configuration, so controlled by ftpmaster.

I don't doubt it. :-) What I doubt is that ftp-masters would be willingto alter the configuration without blessing of the respective teams. ButI could be wrong, of course.


--
Jakub Wilk

Reply to:

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Holger Levsen <holger@layer-acht.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Holger Levsen <holger@layer-acht.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: software outside Debian (Re: holes in secure apt)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: software outside Debian (Re: holes in secure apt)
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: software outside Debian (Re: holes in secure apt)
Next by Date: Re: HTTPS everywhere!
Previous by thread: Re: software outside Debian (Re: holes in secure apt)
Next by thread: Re: software outside Debian (Re: holes in secure apt)
Index(es):
- Date
- Thread