
Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files



On Mon, 29 Sep 2014, Christoph Anton Mitterer wrote:
> Now to deal with your concern of larger outages:
> 2) Just because there are no valid [In]Release* files, it doesn't mean
> that those mirrors and their repositories can't be used any longer. The
> data is still there as it was before.
> An application like apt/aptitude/etc. could simply give the user an
> error, telling that the files have expired for hh:mm and could give the
> user an option to nevertheless trust them.
> And the same options could be provided for batch modes.

This is not making any sense anymore.  Step back and think about your threat
model in the first place.   The *entire* threat model, not whatever small
part of it that looks easily fixable by a severe reduction to the inrelease
validity period (which you have already been told by several Debian archive
ops _and_ mirror ops people to be very much a Bad Idea).

Now, if you want us to add per-repository validity overrides to source.lists
that can *reduce* the range APT will accept, so that the local admin can
tighten things, that's fine.  If you're going to propose some sort of tiered
system and a way for apt to actually know it is OK to use this "updates not
often at all" fallback mirror as long as it also has a mirror from the
"fresh stuff only" tier, that would be at least sensible...  Would those
help?  I don't know, that's what the full threat model analysis is for.

> IMHO it's quite dangerous if people start to negotiate security for
> technical reasons, the wellness-factor of users or for historical
> reasons.  Attackers simply don't care about this.

"secure" means "available to those that should be able to access it, when
they should be able to access it, in the way they should be able to access
it", just as much as the negative forms.

So, can we get now some alternative proposals that address the fact that
some mirrors need >48H validity, and many leaf mirrors really want at least
a week?  Or to help apt detect it is using a mirror that is more outdated
than expected, which *is* the reason 99,999% of our users ever suffer an
"unintended downgrade attack" ?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
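The "per-repository override that can only *reduce* the range APT will accept" discussed above has a simple semantics worth pinning down: the local cap is measured from the Release file's Date field and is applied as the earlier of the archive's own Valid-Until and Date plus the cap, so a local setting can expire a file sooner but never revive one the archive has already expired. The following Python script is an added illustration written for this page, not code from this message's author or from APT itself (APT's apt.conf option Acquire::Max-ValidTime follows the same earlier-of-the-two rule). The Release header block, the function names and the "ok / expired / no-expiry" result vocabulary are constructed for the example.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the header block of an InRelease/Release file.
# Only the fields the validity check needs are present; a real file also
# carries the per-index hash lists (indented continuation lines).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Date: Mon, 29 Sep 2014 10:00:00 UTC
Valid-Until: Mon, 06 Oct 2014 10:00:00 UTC
Architectures: amd64
Components: main
"""

# Same header block without Valid-Until, as some third-party repositories ship it.
SAMPLE_RELEASE_NO_EXPIRY = "\n".join(
    line for line in SAMPLE_RELEASE.splitlines() if not line.startswith("Valid-Until:")
) + "\n"


def parse_release_headers(text):
    """Return the top-level 'Field: value' pairs of a Release file as a dict.
    Indented continuation lines (the MD5Sum/SHA256 lists) are skipped."""
    headers = {}
    for line in text.splitlines():
        if not line or line[0] in " \t" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def parse_release_date(value):
    """Release files use RFC 2822 style dates; treat a naive result as UTC."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def effective_expiry(headers, max_valid_hours=None):
    """Moment after which the Release is no longer acceptable, or None.

    The archive's Valid-Until is honoured as-is. A local cap (hours counted
    from the Date field) can only bring that moment forward, never push it
    back, so a file the archive has already expired stays expired.
    """
    signed_at = parse_release_date(headers["Date"])
    expiry = parse_release_date(headers["Valid-Until"]) if "Valid-Until" in headers else None
    if max_valid_hours is not None:
        local_cap = signed_at + timedelta(hours=max_valid_hours)
        expiry = local_cap if expiry is None else min(expiry, local_cap)
    return expiry


def check_release(text, now_rfc2822, max_valid_hours=None):
    """Classify a Release file at time `now_rfc2822` (RFC 2822 date string).

    Returns 'ok', 'expired', or 'no-expiry' when the file carries no
    Valid-Until and no local cap was configured (nothing to check against).
    """
    now = parse_release_date(now_rfc2822)
    expiry = effective_expiry(parse_release_headers(text), max_valid_hours)
    if expiry is None:
        return "no-expiry"
    return "ok" if now <= expiry else "expired"


if __name__ == "__main__":
    now = "Thu, 02 Oct 2014 12:00:00 UTC"
    for cap in (None, 48, 14 * 24):
        print(f"cap={cap!s:>5} hours: {check_release(SAMPLE_RELEASE, now, cap)}")
```

Run with a clock of 2 Oct 2014 12:00 UTC, the sample file (signed 29 Sep, archive validity one week) is accepted with no cap and with a 14-day cap, but rejected with a 48-hour cap; the same 48-hour cap also turns the no-Valid-Until variant from "nothing to check" into an expiry, which is the behaviour a local admin tightening a leaf mirror would want.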

