Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

Nick Phillips <nick.phillips@otago.ac.nz> writes:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

>> Point.  We should have documentation for what the minimum signing
>> frequency we guarantee is, particularly for the security archive.
>> Then, people who are willing to suffer from mirror issues if they're
>> slow can just use that.

> It seems to me that "Valid-Until" was a mistake in the first place; the
> date on which it was signed and the frequency with which it is expected
> to be re-signed are needed (whether this information is in the file
> itself or just in the docs), and it's up to the client to decide how old
> is acceptable given this information.

I approve of us putting a ceiling on how long the client should trust the
signature.  The client can always ignore Valid-Until if they really want
to, but this way we're explicit about our recommendations.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
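A client-side freshness check of the kind the thread discusses, as an added example (not Russ's, Nick's or Debian's code): it reads the Date and Valid-Until fields of an apt Release file, enforces the client's own ceiling on age (for instance the documented re-signing frequency plus tolerated mirror lag), and can honour or ignore the archive's Valid-Until. The sample Release text, the single date format accepted, and the helper names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Date format used by "Date:" and "Valid-Until:" in Release files (assumed here;
# apt also accepts other RFC 1123 variants, which this example does not cover).
RELEASE_DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample Release file: the freshness fields are realistic, the
# hash line is a placeholder.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Sat, 01 Nov 2014 08:57:23 UTC
Valid-Until: Sat, 08 Nov 2014 08:57:23 UTC
Architectures: amd64 i386
SHA256:
 PLACEHOLDER_HASH 1234 main/binary-amd64/Packages
"""

def parse_release_fields(text):
    """Return the top-level 'Key: value' fields; indented hash lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_release_date(value):
    """Parse a Release date into an aware UTC datetime."""
    return datetime.strptime(value, RELEASE_DATE_FMT).replace(tzinfo=timezone.utc)

def check_freshness(release_text, now, max_age_days, honour_valid_until=True):
    """Decide whether an already signature-verified Release file is fresh enough.

    max_age_days is the client's own ceiling; honour_valid_until=False models a
    client that ignores the archive's Valid-Until.  Returns (ok, reason).
    """
    fields = parse_release_fields(release_text)
    if "Date" not in fields:
        return False, "no Date field"
    signed_at = parse_release_date(fields["Date"])
    if signed_at > now + timedelta(minutes=5):      # small clock-skew tolerance
        return False, "Date is in the future"
    if now - signed_at > timedelta(days=max_age_days):
        return False, "older than local ceiling of %s days" % max_age_days
    if honour_valid_until and "Valid-Until" in fields:
        if now > parse_release_date(fields["Valid-Until"]):
            return False, "past archive's Valid-Until"
    return True, "fresh"
```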

