On Wed, 2014-10-29 at 19:39 -0700, Russ Allbery wrote:
> But we shouldn't confuse that with the right way to check
> for security updates for Debian systems. People who
> care about security updates need to be subscribed to
> debian-security-announce and reading the DSAs.

If there are two "ways" and one requires a human and the other is completely automatic, all other things being equal, for me the "right" way is the automated one. I know my limitations - not being conscientious when doing manual repetitive labour is one of them.

> It seems to me that if you want to lower the chances of a downgrade attack
> for your systems, setting the validity period on your systems is exactly
> the tool that you need. There's no need for anything to change on the
> server side for you to get that protection.

Yes, I agree. But for me apt.conf/Max-ValidTime is useless unless the release file is guaranteed to be updated more frequently than its "Valid-Until:" header implies. Is it, and is that undertaking documented somewhere?
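The trade-off the message above is asking about can be made concrete by re-implementing the rule that apt.conf(5) documents for Acquire::Max-ValidTime: a Release file is treated as expired at Date + Max-ValidTime or at its own Valid-Until header, whichever is earlier, and without Max-ValidTime only Valid-Until counts. The script below is an added example; it is not code from this thread and not apt's own source. The Release header, the timestamps and the server refresh interval it reasons about are constructed for the example.

```python
"""Re-implementation of apt's Release-file freshness rule, for illustration.

Added example, not from the mailing-list thread and not apt's own code. It
follows the rule documented in apt.conf(5) for Acquire::Max-ValidTime: the
Release file expires at Date + Max-ValidTime or at its Valid-Until header,
whichever is earlier; with Max-ValidTime unset only Valid-Until is consulted.
The Release header and all timestamps below are constructed.
"""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed Release header in the shape of a Debian Release file.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Wed, 29 Oct 2014 12:00:00 UTC
Valid-Until: Wed, 05 Nov 2014 12:00:00 UTC
Architectures: amd64 i386
Components: main
Description: Debian stable security updates (constructed sample)
"""


def parse_release_headers(text):
    """Return the top-level 'Field: value' pairs of a Release file.

    Indented lines (the per-file hash lists under MD5Sum/SHA256) are skipped;
    they are not needed for the freshness check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def effective_expiry(fields, max_valid_time=None):
    """Instant after which apt would refuse the Release file.

    max_valid_time is the Acquire::Max-ValidTime value in seconds, or None
    when unset. Returns None if neither Valid-Until nor a cap applies.
    """
    expiry = None
    if "Valid-Until" in fields:
        expiry = parsedate_to_datetime(fields["Valid-Until"])
    if max_valid_time is not None:
        cap = parsedate_to_datetime(fields["Date"]) + timedelta(seconds=max_valid_time)
        expiry = cap if expiry is None else min(expiry, cap)
    return expiry


def is_stale(fields, now, max_valid_time=None):
    """True if apt would reject the Release file at time `now`."""
    expiry = effective_expiry(fields, max_valid_time)
    return expiry is not None and now > expiry


def stale_at(when_iso, max_valid_time=None, release_text=SAMPLE_RELEASE):
    """Convenience wrapper: evaluate the check at an ISO-8601 instant."""
    now = datetime.fromisoformat(when_iso)
    return is_stale(parse_release_headers(release_text), now, max_valid_time)


if __name__ == "__main__":
    # Two hours after the (constructed) Date line; assume the mirror has not
    # yet published a fresher Release file.
    two_hours_later = "2014-10-29T14:00:00+00:00"
    # A 1-hour Max-ValidTime rejects a perfectly legitimate file: this is the
    # objection raised in the message above.
    print("Max-ValidTime=3600, file 2h old ->", stale_at(two_hours_later, 3600))
    # A cap longer than the server's refresh interval accepts it ...
    print("Max-ValidTime=86400, file 2h old ->", stale_at(two_hours_later, 86400))
    # ... while a replayed file from the previous week still fails Valid-Until,
    # which is the downgrade protection the header exists to provide.
    print("replayed 10-day-old file ->", stale_at("2014-11-08T12:00:00+00:00"))
```

The practical reading: a Max-ValidTime shorter than the interval at which the archive regenerates its Release file turns every quiet period into a spurious "Release file expired" failure, while a cap longer than that interval still shortens the replay window below what Valid-Until alone allows. apt.conf(5) lets the value be set per archive by appending the archive label to the option name, so the cap can be tuned to each mirror's known refresh cadence rather than applied globally.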