Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

On Wed, 2014-10-29 at 19:39 -0700, Russ Allbery wrote:
> But we shouldn't confuse that with the right way to check 
> for security updates for Debian systems.  People who
> care about security updates need to be subscribed to
> debian-security-announce and reading the DSAs.

If there are two "ways" and one requires a human and the other is
completely automatic, all other things being equal for me the "right"
way is the automated one.  I know my limitations - not being
conscientious when doing manual repetitive labour is one of them.

> It seems to me that if you want to lower the chances of a downgrade attack
> for your systems, setting the validity period on your systems is exactly
> the tool that you need.  There's no need for anything to change on the
> server side for you to get that protection.

Yes, I agree.  But for me apt.conf/Max-ValidTime is useless unless the
release file is guaranteed to be updated more frequently than its
"Valid-Until:" header implies.  Is it, and is that undertaking
documented somewhere?
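As an added example (not code from this bug thread), the check below applies apt's documented rule that the expiry is the earlier of the Release file's Valid-Until and its Date plus Acquire::Max-ValidTime, which shows the point above: a tight Max-ValidTime rejects any mirror whose Release file is not regenerated within that window. The Release headers and timestamps are constructed sample data.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not from a real Debian archive).
SAMPLE_RELEASE = """Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Date: Wed, 29 Oct 2014 10:00:00 UTC
Valid-Until: Wed, 05 Nov 2014 10:00:00 UTC
Architectures: amd64 i386
"""


def parse_release_headers(text):
    """Parse the flat 'Key: value' lines of a Release file into a dict.

    Indented continuation lines (the per-file hash lists) are skipped.
    """
    headers = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def effective_expiry(headers, max_valid_time=None):
    """Earlier of Valid-Until and Date + Acquire::Max-ValidTime (seconds).

    Returns a timezone-aware datetime, or None when no bound applies.
    """
    date = parsedate_to_datetime(headers["Date"])
    candidates = []
    if "Valid-Until" in headers:
        candidates.append(parsedate_to_datetime(headers["Valid-Until"]))
    if max_valid_time is not None:
        candidates.append(date + timedelta(seconds=max_valid_time))
    return min(candidates) if candidates else None


def is_expired(headers, now_rfc2822, max_valid_time=None):
    """True if apt would treat the Release file as expired at the given time."""
    expiry = effective_expiry(headers, max_valid_time)
    return expiry is not None and parsedate_to_datetime(now_rfc2822) > expiry
```

With the sample data, a one-day Max-ValidTime expires the archive on 30 Oct even though the archive's own Valid-Until runs to 5 Nov, so the setting only helps when the mirror is refreshed at least that often.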
