
Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files



[Dropping the bug, this is beginning to get OT]

On Tue, Nov 4, 2014 at 1:56 AM, Ian Jackson wrote:

>  * We could run a lightweight polling service on Debian infrastructure
>    which the computer could use to find out how out of date it is.

This makes me think of the AMQP stuff DSA has setup as well as the fedmsg bus.

https://wiki.debian.org/FedMsg
https://anonscm.debian.org/gitweb/?p=mirror/dsa-puppet.git;a=tree;f=modules/rabbitmq

>  * We could provide a separate command or tool or option to check for
>    security updates - a tool which would _fail_ if the network and
>    infrastructure was not sufficiently working.

debsecan exists (and daily mails the sysadmin about new security
updates, available security updates, fixed security issues and
security issues without updates) but it only prints errors in the
download process when run interactively:

http://sources.debian.net/src/debsecan/0.4.17/src/debsecan/#L512

I suppose the reason is that the Internet is flaky and this would be
guaranteed to annoy sysadmins world-wide, which might make them remove
or turn off debsecan.

>  * We could provide a configurable addition to the validity period.

apt already supports this.

>  * The security archive might want a different validity period.

This is already the case, but it has a longer validity period:

10 days: http://security.debian.org/dists/wheezy/updates/Release
7 days: http://ftp.debian.org/debian/dists/wheezy-updates/Release
7 days: http://ftp.debian.org/debian/dists/jessie/Release

>  * We might want automation which was capable of automatically
>    shutting a server down into some kind of minimal maintenance mode,
>    when it is unable to verify its own security support status.

That sounds like it would introduce a denial of service attack.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
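The discussion above touches on three things a practitioner might want to see in code: a check that actually fails when archive metadata cannot be shown to be fresh (the behaviour debsecan lacks), a configurable addition to the validity period (what apt offers via Acquire::Min-ValidTime in apt.conf(5)), and the Date/Valid-Until fields that the Release files linked above carry. The following is an added example written for this page; it is not code from the mailing-list post, from apt, or from debsecan. The Release file text is constructed for the example, and the min_valid_time handling only models the documented intent of apt's option (stretch validity to at least Date plus the configured interval), not apt's implementation.

```python
"""Check whether an apt Release file is still inside its validity window.

Added example for this thread, not code from apt or debsecan.  Unlike the
debsecan behaviour described above, it exits non-zero whenever freshness
cannot be confirmed, so it can be wired into monitoring.
"""
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

DAY = timedelta(days=1)

# Constructed sample, not a real download.  Date and Valid-Until use the
# RFC 2822 style that Debian Release files carry; the gap is one week, as
# on the jessie and wheezy-updates Release files cited in the post.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 01 Nov 2014 08:00:00 UTC
Valid-Until: Sat, 08 Nov 2014 08:00:00 UTC
Architectures: amd64 i386
Components: main contrib non-free
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
"""


def utc(year, month, day, hour=0):
    """Small helper so callers can build aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class Verdict:
    ok: bool
    reason: str
    remaining: Optional[timedelta]  # time left before the file goes stale


def parse_release_fields(text: str) -> dict:
    """Return the top-level 'Key: value' fields of a Release file.

    Indented lines belong to checksum lists (MD5Sum, SHA256 ...) and are
    skipped; only the header fields are needed for the freshness check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_release(text: str, now: datetime,
                  min_valid_time: Optional[timedelta] = None) -> Verdict:
    """Decide whether the Release file is still valid at time `now`.

    min_valid_time, if given, stretches validity to at least
    Date + min_valid_time, the 'configurable addition' the thread asks
    for (modelled on apt's Acquire::Min-ValidTime, not copied from it).
    Any situation in which freshness cannot be verified is a failure.
    """
    fields = parse_release_fields(text)
    if "Date" not in fields:
        return Verdict(False, "Release file has no Date field", None)
    date = parsedate_to_datetime(fields["Date"])
    if "Valid-Until" not in fields:
        return Verdict(False,
                       "Release file has no Valid-Until field; "
                       "staleness cannot be verified", None)
    valid_until = parsedate_to_datetime(fields["Valid-Until"])
    if min_valid_time is not None:
        valid_until = max(valid_until, date + min_valid_time)
    remaining = valid_until - now
    if remaining < timedelta(0):
        return Verdict(False, f"Release file expired {-remaining} ago",
                       remaining)
    return Verdict(True, f"Release file valid for another {remaining}",
                   remaining)


def main(argv):
    """Usage: check_release.py [path/to/Release]; exit 1 when stale."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RELEASE
    verdict = check_release(text, datetime.now(timezone.utc))
    print(verdict.reason)
    return 0 if verdict.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the constructed 2014 sample as long expired and exits 1, which is the point: a check of this shape refuses to stay quiet when it cannot confirm freshness, so it has to be paired with a sensible min_valid_time on hosts behind slow mirrors or it will generate the noise the post worries about.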

