Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
[Dropping the bug, this is beginning to get OT]
On Tue, Nov 4, 2014 at 1:56 AM, Ian Jackson wrote:
> * We could run a lightweight polling service on Debian infrastructure
> which the computer could use to find out how out of date it is.
This makes me think of the AMQP stuff DSA has setup as well as the fedmsg bus.
> * We could provide a separate command or tool or option to check for
> security updates - a tool which would _fail_ if the network and
> infrastructure was not sufficiently working.
debsecan exists (and daily mails the sysadmin about new security
updates, available security updates, fixed security issues and
security issues without updates) but it only prints errors in the
download process when run interactively:
I suppose the reason is that the Internet is flakey and this would
guarantee to annoy sysadmins world-wide, which might make them remove
or turn off debsecan.
> * We could provide a configurable addition to the validity period.
apt already supports this.
> * The security archive might want a different validity period.
This is already the case, but it has a longer validity period:
10 days: http://security.debian.org/dists/wheezy/updates/Release
7 days: http://ftp.debian.org/debian/dists/wheezy-updates/Release
7 days: http://ftp.debian.org/debian/dists/jessie/Release
> * We might want automation which was capable of automatically
> shutting a server down into some kind of minimal maintenance mode,
> when it is unable to verify its own security support status.
That sounds like it would introduce a denial of service attack.