Hi,

On Thu, 19 May 2016 10:03:49 +0200 Julien Cristau <jcristau@debian.org> wrote:
On Sat, Aug 22, 2015 at 01:28:22 +0200, Raphael Geissert wrote:
> Nowadays the Release files for the *stable releases do not have a
> Valid-Until field.
> From a security POV, this could allow a replay attack to be performed
> on the main stable repositories, which could prevent a user from
> getting some security updates.
>
> Would it be possible to have such a valid-until field with a duration
> of, say, four months?
> Given the trend of doing point updates every few months, the date
> could be renewed only at point release time.
I think it would have to be 6 months, at which point I don't see that it buys you much in the way of security, and it breaks archive.debian.org further. So I'm not wild about that idea.
So, shall we close (wontfix) this bug report? Or have insights changed in those 7 years in between?
Paul
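Added example, not part of the original thread and not apt's or the archive's own code: a Python sketch of the freshness check that the Valid-Until discussion above turns on, showing that a signed Release file without Valid-Until stays acceptable indefinitely unless the client applies its own age limit. The sample Release headers, the `freshness` function and its `max_age` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: a stable-style Release header with no Valid-Until field.
STABLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Date: Sat, 02 Apr 2016 10:38:36 UTC\n"
    "SHA256:\n"
    " <sha256> <size> main/binary-amd64/Packages\n"
)
# Constructed sample: the same header carrying a one-week Valid-Until.
DATED_RELEASE = STABLE_RELEASE.replace(
    "SHA256:", "Valid-Until: Sat, 09 Apr 2016 10:38:36 UTC\nSHA256:")


def parse_fields(text):
    """Return top-level 'Key: value' fields; indented checksum lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def _timestamp(fields, key):
    """Parse an RFC 2822 style date field; None if absent or malformed."""
    try:
        parsed = parsedate_to_datetime(fields[key])
    except (KeyError, TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def freshness(text, now, max_age=None):
    """Classify a Release file whose signature has ALREADY been verified.

    max_age (hypothetical client-side policy) caps validity at Date + max_age;
    the earlier of that cap and Valid-Until is the effective expiry.
    """
    fields = parse_fields(text)
    date = _timestamp(fields, "date")
    until = _timestamp(fields, "valid-until")
    if date is None or ("valid-until" in fields and until is None):
        return "invalid"
    cap = date + max_age if max_age is not None else None
    limits = [t for t in (until, cap) if t is not None]
    if not limits:
        return "unbounded"  # an old signed copy can be replayed and still accepted
    return "expired" if now > min(limits) else "fresh"
```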