Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

To: debian-devel@lists.debian.org
Subject: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
From: Russ Allbery <rra@debian.org>
Date: Wed, 29 Oct 2014 22:26:03 -0700
Message-id: <[🔎] 8738a6cems.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 1414645974.5402.99.camel@russell-laptop.pc.brisbane.lube> (Russell Stuart's message of "Thu, 30 Oct 2014 15:12:54 +1000")
References: <20140623155202.22464.62148.reportbug@heisenberg.scientia.net> <87zje23rq7.fsf@gkar.ganneff.de> <1411658470.4869.21.camel@scientia.net> <87k34riien.fsf@gkar.ganneff.de> <1411953785.28972.7.camel@scientia.net> <20140929110845.GA20150@khazad-dum.debian.net> <[🔎] 1414617850.4565.8.camel@scientia.net> <[🔎] 87y4rycmcx.fsf@hope.eyrie.org> <[🔎] 1414639955.5402.60.camel@russell-laptop.pc.brisbane.lube> <[🔎] 87egtqcfw9.fsf@hope.eyrie.org> <[🔎] 1414645974.5402.99.camel@russell-laptop.pc.brisbane.lube>

Russell Stuart <russell-debian@stuart.id.au> writes:

> If it is so that much of a disaster that it warrants pulling a package
> from stable, surely a little more notification than an email to a list
> most people don't monitor would be warranted?

See, for example, DSA-2819.  Or, on a different front, DSA-2907, which was
rather important to read.

I find this concept that most people who run Debian in stable production
environments but don't read the DSAs rather terrifying.  Please, if you
run a lot of Debian systems and care at all about the security of those
systems, just read the mailing list.  It doesn't get that much traffic.
There are also RSS feeds in various formats.

If you're just using Debian as a home desktop or the like, the chances of
someone going to the effort to MITM your connection to the mirror in order
to attack some local package that you haven't upgraded is remote enough
that I'm just not particularly worried about it.  Yes, it's possible, but
it's a lot less likely than other attacks that we aren't doing anything
about currently.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russell Stuart <russell-debian@stuart.id.au>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russell Stuart <russell-debian@stuart.id.au>

Prev by Date: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by Date: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Previous by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Index(es):
- Date
- Thread