
Re: Bug#796476: ftp.debian.org: valid-until for stable



On Sat, Aug 22, 2015 at 01:28:22 +0200, Raphael Geissert wrote:

> Package: ftp.debian.org
> Tags: security
> X-Debbugs-CC: debian-release@lists.debian.org
> 
> Hi,
> 
> Nowadays the Release files for the *stable releases do not have a
> Valid-Until field.
> From a security POV, this could allow a replay attack to be performed
> on the main stable repositories, which could prevent a user from
> getting some security updates.
> 
> Would it be possible to have such a valid-until field with a duration
> of, say, four months?
> Given the trend of doing point updates every few months, the date
> could be renewed only at point release time.
> 
> Release team: would that be ok for you?
> 
I think it would have to be 6 months, at which point I don't see that it
buys you much in the way of security, and it breaks archive.debian.org
further.  So I'm not wild about that idea.

Cheers,
Julien
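
Added example (not part of the original thread): a minimal Python freshness check for the situation discussed above, where an old Release file still carries a valid signature and, without a Valid-Until field, gives the client no expiry to enforce. The sample Release headers, the function names and the `max_age` fallback are constructed for illustration and are not taken from the archive or from apt.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; the checksum entry is a placeholder, not real data.
_HEAD = "Origin: Debian\nSuite: stable\nDate: Sat, 06 Jun 2015 10:00:00 UTC\n"
_TAIL = "SHA256:\n 0000placeholder 1234 main/binary-amd64/Packages\n"
NO_EXPIRY = _HEAD + _TAIL
WITH_EXPIRY = _HEAD + "Valid-Until: Tue, 06 Oct 2015 10:00:00 UTC\n" + _TAIL


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields, skipping checksum list entries."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # indented lines belong to MD5Sum/SHA256 lists
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _when(value):
    """Parse a Release date; treat a zone-less result as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_freshness(text, now, max_age=None):
    """Classify a Release file as 'fresh', 'expired' or 'unbounded'.

    Signature verification is a separate step and passes for a replayed
    file; only the date fields can reveal that the file is stale.
    max_age is a hypothetical client-side limit used when Valid-Until
    is absent.
    """
    fields = parse_release_fields(text)
    if "Valid-Until" in fields:
        return "fresh" if now <= _when(fields["Valid-Until"]) else "expired"
    if max_age is not None:
        age = now - _when(fields["Date"])
        return "fresh" if age <= max_age else "expired"
    return "unbounded"  # nothing in the file limits how long it can be replayed
```
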

