Re: Bug#499897: preventing replay attacks against the security archive
* Eugene V. Lyubimkin:
>> If it uses the real-time clock, it doesn't fix the issue because our
>> users typically haven't got a secure time source.
> Yes, it does. I doubt that apt has something else that can be
> treated as more secure (time?) source.
At the very least, apt could check that the signature (or the
Valid-Until field) does not go back in time. However, this has
serious potential for shooting us in our collective feet (think what
happens if we accidentally publish something Valid-Until 2038), so I'm
not sure if it's acceptable.
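
The check suggested in the message above, as an added example that is not part of the original post and is not apt's code: a client remembers the Date and Valid-Until of the last Release file it accepted and refuses any file where either value is older, without consulting the real-time clock. The state dict, function names and sample Release texts are assumptions constructed for illustration; the last result shows the accidental 2038 case locking out a later, correct release.

```python
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Return (Date, Valid-Until) as datetimes; a missing field is None."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue  # indented checksum lines are not header fields
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    def when(key):
        return parsedate_to_datetime(fields[key]) if key in fields else None
    return when("date"), when("valid-until")

def check_monotonic(state, release_text):
    """Accept a Release only if no timestamp is older than the last accepted one.

    `state` is a dict the client would persist (hypothetical layout).
    No real-time clock is consulted. Returns (accepted, reason).
    """
    date, valid_until = parse_release(release_text)
    if date is None:
        return False, "missing Date"
    if "date" in state and date < state["date"]:
        return False, "Date went back in time"
    if "valid_until" in state and (valid_until is None or valid_until < state["valid_until"]):
        return False, "Valid-Until went back in time"
    state["date"] = date
    if valid_until is not None:
        state["valid_until"] = valid_until
    return True, "ok"

def release(date, valid_until):
    # Constructed sample input: only the two fields the check reads.
    return f"Origin: Example\nDate: {date}\nValid-Until: {valid_until}\nMD5Sum:\n abc 1 main/x\n"

R1 = release("Sat, 20 Sep 2008 10:00:00 UTC", "Sat, 27 Sep 2008 10:00:00 UTC")
R2 = release("Tue, 23 Sep 2008 10:00:00 UTC", "Tue, 30 Sep 2008 10:00:00 UTC")
BAD = release("Wed, 24 Sep 2008 10:00:00 UTC", "Tue, 19 Jan 2038 03:14:07 UTC")
R4 = release("Thu, 25 Sep 2008 10:00:00 UTC", "Thu, 02 Oct 2008 10:00:00 UTC")

def demo():
    # Order: normal update, normal update, replay of R1, mistaken 2038, correct follow-up.
    state = {}
    return [check_monotonic(state, r) for r in (R1, R2, R1, BAD, R4)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```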