Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

To: debian-devel@lists.debian.org
Subject: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
From: Russ Allbery <rra@debian.org>
Date: Thu, 30 Oct 2014 13:25:20 -0700
Message-id: <[🔎] 87sii5cnkf.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 1414695423.14516.107.camel@batfink> (Nick Phillips's message of "Thu, 30 Oct 2014 18:56:59 +0000")
References: <20140623155202.22464.62148.reportbug@heisenberg.scientia.net> <87zje23rq7.fsf@gkar.ganneff.de> <1411658470.4869.21.camel@scientia.net> <87k34riien.fsf@gkar.ganneff.de> <1411953785.28972.7.camel@scientia.net> <20140929110845.GA20150@khazad-dum.debian.net> <[🔎] 1414617850.4565.8.camel@scientia.net> <[🔎] 87y4rycmcx.fsf@hope.eyrie.org> <[🔎] 1414639955.5402.60.camel@russell-laptop.pc.brisbane.lube> <[🔎] 87egtqcfw9.fsf@hope.eyrie.org> <[🔎] 1414695423.14516.107.camel@batfink>

Nick Phillips <nick.phillips@otago.ac.nz> writes:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

>> Point.  We should have documentation for what the minimum signing
>> frequency we guarantee is, particularly for the security archive.
>> Then, people who are willing to suffer from mirror issues if they're
>> slow can just use that.

> It seems to me that "Valid-Until" was a mistake in the first place; the
> date on which it was signed and the frequency with which it is expected
> to be re-signed are needed (whether this information is in the file
> itself or just in the docs), and it's up to the client to decide how old
> is acceptable given this information.

I approve of us putting a ceiling on how long the client should trust the
signature.  The client can always ignore Valid-Until if they really want
to, but this way we're explicit about our recommendations.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russell Stuart <russell-debian@stuart.id.au>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
  - From: Nick Phillips <nick.phillips@otago.ac.nz>

Prev by Date: Leading With Emotional Intelligence Workshop
Next by Date: Re: What is the policy on audio group? and, proposal of a new group for the jack audio server
Previous by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Next by thread: Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Index(es):
- Date
- Thread