Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

To: debian-devel@lists.debian.org
Subject: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
From: Peter Palfrader <weasel@debian.org>
Date: Sat, 27 Sep 2014 22:34:35 +0200
Message-id: <[🔎] 20140927203435.GR26023@anguilla.noreply.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] CAKTje6G53nRQBd5w=1NSOOvh3iCg8GiY3McDeDazv9pdDEFF+w@mail.gmail.com>
References: <20140623155202.22464.62148.reportbug@heisenberg.scientia.net> <[🔎] 87zje23rq7.fsf@gkar.ganneff.de> <[🔎] 1411658470.4869.21.camel@scientia.net> <[🔎] CAKTje6G53nRQBd5w=1NSOOvh3iCg8GiY3McDeDazv9pdDEFF+w@mail.gmail.com>

On Fri, 26 Sep 2014, Paul Wise wrote:

> On Thu, Sep 25, 2014 at 11:21 PM, Christoph Anton Mitterer wrote:
> 
> > Well I think snapshot is it's own construction site, isn't it?
> 
> snapshot is a read-only (modulo cosmic rays and removal of
> non-redistributable things) historical record, files in it will not be
> modified to re-sign with newer keys nor to update Valid-Until.

That doesn't mean one couldn't consider providing an overlay of sorts,
that provides re-signed release files if the original ones verified.
Under a different path obviously.  We could look at patches if they
somehow appeared.

> Updating the Release files more often will simply mean slightly more
> disk space used for the extra Release files. Depending on the update
> frequency, the quantity of data is probably too little to make any
> significant difference in the disk usage of the snapshot service so
> nothing to worry about IMO.

Right, I don't think the additional space of 4 or 10 more Release files
a day are an issue.

However, it seems unsmart to bet on ftp-master or security-master never
being offline longer than a few hours.  We do not have the set-up to
guarantee that kind of high availability.

Thus, I think significantly shortening validity times is a Very Bad
Idea.

Cheers,
weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Reply to:

Follow-Ups:
- Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Paul Wise <pabs@debian.org>
- Bug#763419: snapshot.debian.org: add an overlay for updates to Valid-Until, OpenPGP signatures
  - From: Paul Wise <pabs@debian.org>

References:
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Joerg Jaspert <joerg@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Paul Wise <pabs@debian.org>

Prev by Date: repost: Reproducible builds? I never did any - manually
Next by Date: Re: binary data file and endianness and multiarch
Previous by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by thread: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Index(es):
- Date
- Thread