Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Nick Phillips <firstname.lastname@example.org> writes:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:
>> Point. We should have documentation for what the minimum signing
>> frequency we guarantee is, particularly for the security archive.
>> Then, people who are willing to suffer from mirror issues if they're
>> slow can just use that.
> It seems to me that "Valid-Until" was a mistake in the first place; the
> date on which it was signed and the frequency with which it is expected
> to be re-signed are needed (whether this information is in the file
> itself or just in the docs), and it's up to the client to decide how old
> is acceptable given this information.
I approve of us putting a ceiling on how long the client should trust the
signature. The client can always ignore Valid-Until if they really want
to, but this way we're explicit about our recommendations.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
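As an added example (not code from this bug report, and not apt's own implementation), the check below puts the two positions in the thread side by side: the Valid-Until ceiling set by the archive signer, and a client-chosen maximum age measured from the Date field, which is what a client would use if the archive only documented its signing frequency. The sample Release header is constructed for the example; the field names follow the real Release format, while the function names, the `max_age` policy and the clock-skew allowance are assumptions made here for illustration.

```python
"""Client-side freshness check for an apt Release file.

Added example, not apt's code: signature verification is assumed to have
already succeeded, and the only question answered here is the replay one
discussed in the thread, namely whether a mirror (or an attacker in the
path) could be serving an old but genuinely signed Release file.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the header block of a Debian Release
# file. Only the fields this example reads matter; hashes are placeholders.
RELEASE_SAMPLE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Wed, 29 Oct 2014 12:00:00 UTC
Valid-Until: Wed, 05 Nov 2014 12:00:00 UTC
Architectures: amd64 i386
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000  1234 main/binary-amd64/Packages
"""


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC timestamp (used for the clock values below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release(text):
    """Return the single-line 'Field: value' headers as a dict.

    Continuation lines (leading whitespace, e.g. the hash entries) belong
    to the preceding field; this example does not need them and skips them.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse the RFC 1123-style timestamp Release files use ('... UTC').

    A naive result (no recognised zone) is treated as UTC.
    """
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def evaluate_release(fields, now, max_age=None, honour_valid_until=True,
                     max_clock_skew=timedelta(minutes=10)):
    """Decide whether a verified Release file is fresh enough to trust.

    max_age is the client's own policy: the longest gap since Date it will
    accept, chosen from the signing frequency the archive documents.
    honour_valid_until=False models a client that ignores the archive's
    ceiling, which the thread notes a client can always choose to do.
    Returns (accepted, reason).
    """
    if "Date" not in fields:
        return False, "no Date field"
    signed_at = parse_date(fields["Date"])

    # A Date ahead of our clock means either a bad local clock or a
    # forged/garbled file; neither should be accepted silently.
    if signed_at - now > max_clock_skew:
        return False, "Date is in the future (check the local clock)"

    # Archive-imposed ceiling: the signer states how long to trust the file.
    if honour_valid_until and "Valid-Until" in fields:
        if now > parse_date(fields["Valid-Until"]):
            return False, f"Valid-Until {fields['Valid-Until']} has passed"

    # Client-imposed policy: how stale is this client willing to accept?
    if max_age is not None and now - signed_at > max_age:
        return False, "Release is older than the client's max_age policy"

    return True, "fresh"


if __name__ == "__main__":
    release = parse_release(RELEASE_SAMPLE)
    for label, when, kwargs in [
        ("next day", utc(2014, 10, 30, 12), {}),
        ("after Valid-Until", utc(2014, 11, 6, 12), {}),
        ("after Valid-Until, ceiling ignored", utc(2014, 11, 6, 12),
         {"honour_valid_until": False}),
        ("3 days old, 1-day client policy", utc(2014, 11, 1, 12),
         {"max_age": timedelta(days=1)}),
    ]:
        print(f"{label}: {evaluate_release(release, when, **kwargs)}")
```

The last case in the `__main__` block is the situation Nick Phillips describes: a client that knows the security archive is re-signed at least daily can reject anything older than that on its own, whether or not the archive ships a Valid-Until. The `honour_valid_until=False` case is the escape hatch Russ Allbery mentions. apt's own knobs for the same two controls are `Acquire::Check-Valid-Until` and `Acquire::Max-ValidTime` in apt.conf(5); this example does not reproduce apt's implementation.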