Bug#796476: ftp.debian.org: valid-until for stable

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#796476: ftp.debian.org: valid-until for stable
From: Raphael Geissert <geissert@debian.org>
Date: Sat, 22 Aug 2015 01:28:22 +0200
Message-id: <[🔎] CAA7hUgE-YgnX+7Urij_GVy3we0JY4b-8bjnXQKyZVon1H5jOQA@mail.gmail.com>
Reply-to: Raphael Geissert <geissert@debian.org>, 796476@bugs.debian.org

Package: ftp.debian.org
Tags: security
X-Debbugs-CC: debian-release@lists.debian.org

Hi,

Nowadays the Release files for the *stable releases do not have a
Valid-Until field.
>From a security POV, this could allow a replay attack to be performed
on the main stable repositories, which could prevent a user from
getting some security updates.

Would it be possible to have such a valid-until field with a duration
of, say, four months?
Given the trend of doing point updates every few months, the date
could be renewed only at point release time.

Release team: would that be ok for you?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Prev by Date: Bug#796326: Bug#796327: nmu: libgnomecanvasmm2.6_2.26.0-1.1+b1 on arm64
Next by Date: Bug#796491: nmu: magics++_2.24.7-6
Previous by thread: Bug#796461: marked as done (nmu: libstxxl_1.4.1-1)
Next by thread: Bug#796491: nmu: magics++_2.24.7-6
Index(es):
- Date
- Thread