Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

> > Yes, I agree.  But for me apt.conf/Max-ValidTime is useless unless the
> > release file is guaranteed to be updated more frequently than its
> > "Valid-Until:" header implies.  Is it, and is that undertaking
> > documented somewhere?
> Point.  We should have documentation for what the minimum signing
> frequency we guarantee is, particularly for the security archive.  Then,
> people who are willing to suffer from mirror issues if they're slow can
> just use that.

It seems to me that "Valid-Until" was a mistake in the first place; the
date on which it was signed and the frequency with which it is expected
to be re-signed are needed (whether this information is in the file
itself or just in the docs), and it's up to the client to decide how old
is acceptable given this information.


Nick Phillips / nick.phillips@otago.ac.nz / 03 479 4195
# These statements are mine, not those of the University of Otago
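
Added example (not part of the original message, and not apt's own code): a client-side freshness check along the lines discussed above. The client takes the earlier of the file's own Valid-Until and its Date plus a locally chosen maximum age, which is the behaviour apt.conf documents for Acquire::Max-ValidTime. The sample Release headers and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header fields of a Release file (not from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Wed, 29 Oct 2014 08:00:00 UTC
Valid-Until: Wed, 05 Nov 2014 08:00:00 UTC
"""

def parse_headers(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Skip blank lines and indented continuation lines (checksum lists).
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def release_is_fresh(text, now, max_age=None):
    """Return (ok, expiry). expiry is the earlier of Valid-Until and
    Date + max_age; max_age is the client's own policy (a timedelta)."""
    fields = parse_headers(text)
    signed = parse_date(fields["Date"])
    limits = []
    if "Valid-Until" in fields:
        limits.append(parse_date(fields["Valid-Until"]))
    if max_age is not None:
        limits.append(signed + max_age)
    if not limits:
        return True, None  # no limit at all: staleness cannot be detected
    expiry = min(limits)
    return now <= expiry, expiry

if __name__ == "__main__":
    now = datetime(2014, 11, 1, 8, 0, tzinfo=timezone.utc)
    print(release_is_fresh(SAMPLE_RELEASE, now))                     # archive's limit only
    print(release_is_fresh(SAMPLE_RELEASE, now, timedelta(days=2)))  # stricter local limit
```

A local limit shorter than the archive's real re-signing interval makes the client reject current files, which is why the thread asks for that interval to be documented.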

