Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Mon, 23 Jun 2014 17:52:02 +0200
Message-id: <[🔎] 20140623155202.22464.62148.reportbug@heisenberg.scientia.net>
Reply-to: Christoph Anton Mitterer <calestyo@scientia.net>, 752450@bugs.debian.org

Package: ftp.debian.org
Severity: important
Tags: security


Dear ftp masters.

I've thought about that before but then forgot it again and it came
back to my mind  during the recent thread[0] about security, that
I've started on debian-devel.

As Jakub Wilk pointed out[1] these are the current validity periods
for Release files:

unstable, experimental: 7 days
testing: 7 days

wheezy: no limit
wheezy(-proposed)-updates: 7 days
wheezy/updates at security.d.o: 10 days
wheezy-backports: 7 days

squeeze: no limit
squeeze(-proposed)-updates: 7 days
squeeze/updates at security.d.o: 10 days
squeeze-lts: 7 days


IMHO all of them are far too long.
Maintainers and our Security Team are usually doing a great job in
trying to provide fixes for security issues ASAP.

But even if they're incorporated only hours or less after being
released, an attacker can do a downgrade attack for 7-10 days and
trick a system into not "seeing" these new packages.

Such downgrade attack is very easy to perform, as soon as one can
MitM, and we generally must expect that not only powerful groups
like NSA and friends are able to do this.


Since many unattended systems (especially in the stable branches)
are more or less automatically updated, and since an attacker that
can MitM can likely also block any security announcement mails,
users/admins have no chance to take note about such updates being
available for 7-10 days.


I'd suggest to reduce the validity to at most 1 day in all cases.
Actually I'd choose much smaller values if this causes no other
problems.
Many users run unstable/testing as their normal system, so it's
not enough to only tighten the periods for the stable branches.

My proposal would be something like that:
unstable/testing: 4-12 hours

[wheezy|squeeze]/updates at security.d.o: 1-6 hours

For the others, it depends how security updates are distributed,
i.e. since they come via [wheezy|squeeze]/updates at security.d.o
it probably makes not much sense to have that short times for
wheezy and for squeeze.

Not sure about wheezy(-proposed)-updates, squeeze(-proposed)-updates
and wheezy-backports, squeeze-lts.



Cheers,
Chris.

btw: I'll CC the security team, the debian lts guys and affect the bug
to release.debian.org... at least these are hopefully the responsible
guys acording to [1].



[0] https://lists.debian.org/debian-devel/2014/06/msg00171.html
[1] https://lists.debian.org/debian-devel/2014/06/msg00407.html

Reply to:

Prev by Date: Re: LTS id for reference
Next by Date: Testing for php5 update
Previous by thread: Re: lxml for LTS
Next by thread: Testing for php5 update
Index(es):
- Date
- Thread