Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

Russell Stuart <russell-debian@stuart.id.au> writes:

> If it is so that much of a disaster that it warrants pulling a package
> from stable, surely a little more notification than an email to a list
> most people don't monitor would be warranted?

See, for example, DSA-2819.  Or, on a different front, DSA-2907, which was
rather important to read.

I find this concept that most people who run Debian in stable production
environments don't read the DSAs rather terrifying.  Please, if you
run a lot of Debian systems and care at all about the security of those
systems, just read the mailing list.  It doesn't get that much traffic.
There are also RSS feeds in various formats.

If you're just using Debian as a home desktop or the like, the chances of
someone going to the effort to MITM your connection to the mirror in order
to attack some local package that you haven't upgraded is remote enough
that I'm just not particularly worried about it.  Yes, it's possible, but
it's a lot less likely than other attacks that we aren't doing anything
about currently.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
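
The attack sketched above (a MITM between a client and its mirror replaying an old, still-signed Release file so the client never sees the upgrade for a vulnerable package) is what a short Valid-Until window limits. The Python below is an added example written for this page; it is neither apt's code nor anything from the bug thread. It parses a constructed Release file (the sample text is made up, not a real Debian Release file) and applies the rule apt documents for Acquire::Max-ValidTime: the expiry is the Valid-Until header, capped at Date plus Max-ValidTime when that option is set, and a file past its expiry is refused. The function names are this example's own.

```python
"""Check whether an APT Release file is still within its validity window.

Added illustration only: this is not apt's implementation, just the
expiry rule apt documents for Valid-Until and Acquire::Max-ValidTime.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file for the example (not a real Debian file).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 14 Jun 2014 08:21:13 UTC
Valid-Until: Sat, 21 Jun 2014 08:21:13 UTC
Architectures: amd64 i386
Components: main contrib non-free
Description: Debian 7.5 Released 26 April 2014
SHA256:
 0f3c9ab5a6d3f9d6f5f4b1d1f0c2b7f0a3b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7 1234 main/binary-amd64/Packages
"""


def parse_release(text):
    """Parse the RFC 822-style header block of a Release file.

    Single-line fields map to their string value; multi-line fields such as
    SHA256 (empty value followed by indented lines) map to a list of lines.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Continuation line belonging to the preceding multi-line field.
            if current is not None and isinstance(fields[current], list):
                fields[current].append(line.strip())
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        value = value.strip()
        fields[current] = value if value else []
    return fields


def release_expiry(fields, max_valid_time=None):
    """Return the instant after which the Release file must be refused.

    expiry = min(Valid-Until, Date + max_valid_time), using whichever of the
    two are available.  Returns None when neither is present: such a file
    can be replayed indefinitely, which is the weakness being discussed.
    """
    date = parsedate_to_datetime(fields["Date"])
    candidates = []
    if "Valid-Until" in fields:
        candidates.append(parsedate_to_datetime(fields["Valid-Until"]))
    if max_valid_time is not None:
        candidates.append(date + timedelta(seconds=max_valid_time))
    return min(candidates) if candidates else None


def check_release(text, now, max_valid_time=None):
    """Classify a Release file as 'ok', 'expired' or 'no-expiry' at time `now`.

    `now` must be a timezone-aware datetime; `max_valid_time` is the local
    cap in seconds, in the spirit of apt's Acquire::Max-ValidTime.
    """
    fields = parse_release(text)
    expiry = release_expiry(fields, max_valid_time)
    if expiry is None:
        return "no-expiry"
    return "expired" if now > expiry else "ok"


if __name__ == "__main__":
    # A client checking the sample one day after it was published.
    print(check_release(SAMPLE_RELEASE, datetime(2014, 6, 15, tzinfo=timezone.utc)))
    # The same file replayed a week later by a MITM.
    print(check_release(SAMPLE_RELEASE, datetime(2014, 6, 22, tzinfo=timezone.utc)))
```

The local cap is the practical answer to a long Valid-Until from the archive side: a client that sets Acquire::Max-ValidTime to a day refuses a replayed Release file after a day regardless of what the mirror serves, at the cost of failing `apt-get update` whenever the archive has not been re-signed within that window.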

