Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

To: "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Subject: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
From: Nick Phillips <nick.phillips@otago.ac.nz>
Date: Thu, 30 Oct 2014 18:56:59 +0000
Message-id: <[🔎] 1414695423.14516.107.camel@batfink>
In-reply-to: <[🔎] 87egtqcfw9.fsf@hope.eyrie.org>
References: <20140623155202.22464.62148.reportbug@heisenberg.scientia.net> <87zje23rq7.fsf@gkar.ganneff.de> <1411658470.4869.21.camel@scientia.net> <87k34riien.fsf@gkar.ganneff.de> <1411953785.28972.7.camel@scientia.net> <20140929110845.GA20150@khazad-dum.debian.net> <[🔎] 1414617850.4565.8.camel@scientia.net> <[🔎] 87y4rycmcx.fsf@hope.eyrie.org> <[🔎] 1414639955.5402.60.camel@russell-laptop.pc.brisbane.lube> <[🔎] 87egtqcfw9.fsf@hope.eyrie.org>

On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

> > Yes, I agree.  But for me apt.conf/Max-ValidTime is useless unless the
> > release file is guaranteed to be updated more frequently than its
> > "Valid-Until:" header implies.  Is it, and is that undertaking
> > documented somewhere?
> 
> Point.  We should have documentation for what the minimum signing
> frequency we guarantee is, particularly for the security archive.  Then,
> people who are willing to suffer from mirror issues if they're slow can
> just use that.

It seems to me that "Valid-Until" was a mistake in the first place; the
date on which it was signed and the frequency with which it is expected
to be re-signed are needed (whether this information is in the file
itself or just in the docs), and it's up to the client to decide how old
is acceptable given this information.

Cheers,

Nick
-- 
Nick Phillips / nick.phillips@otago.ac.nz / 03 479 4195
# These statements are mine, not those of the University of Otago

Reply to:

Follow-Ups:
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russell Stuart <russell-debian@stuart.id.au>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by Date: Leading With Emotional Intelligence Workshop
Previous by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Index(es):
- Date
- Thread