
Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files



* Christoph Anton Mitterer <calestyo@scientia.net> [141030 05:10]:
> To be honest, it's really awkward to see how much all this is apparently
> fought against.

You have been told again and again that what you suggest would make the
whole thing less usable, to the point that it reduces security for many
people.

You have been told that your threat model is quite strange, in that
you assume that people will
- not only notice every MITM with too old a signature, even though
  you suggest changing the system so that this will cause far more
  false positives,
- but will also investigate every short network or mirror problem, so
  that the far easier MITM of making the security mirrors inaccessible
  (which your suggested 'improvement' does nothing against) is not
  possible,
- but are not able to notice if there are no security updates applied.

What do you expect? That people on the list think it is a good idea to
do what in their eyes only lowers Debian's security just because someone
continues to claim the opposite?

Please take a step back and try to understand why people think this
will not help (it is not because they do not believe in evil,
resourceful governments). This should make it easier to either have
arguments that persuade people or, even better, lead to solutions that
improve the situation more generally (I'm quite sure there are aspects
that can be improved, just that lowering Valid-Until times is
detrimental).

	Bernhard R. Link
-- 
F8AC 04D5 0B9B 064B 3383  C3DA AFFC 96D1 151D FFDC