Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes



Hello Thijs,
hello FTP masters, please see problem 2) below...

Thijs Kinkhorst wrote:
>> However, it seems there is no better solution, or is there?
> 
> Why are we trying to invent something new here, with Valid-Until? The problem 
> is that we want to ensure that the Release file of the security archive is 
> actually provided by that archive and not by a man in the middle. That 
> problem has already been solved: use https. If apt would get the release file 
> over https from the security archive it would know it is the right one. The 
> rest of the downloads can then happen over http. Of course this needs APT to 
> have some notion of what a valid certificate is for security.debian.org; that 
> could be addressed by adding it to the debian-archive-keyring package.
This makes sense to me, but it may introduce some problems...

1) insert apt-transport-https and all its deps into the base system (libcurl,
kerberos etc.)
2) Release and Release.gpg, installed on security.debian.org, should be
somehow synchronized with at least all official Debian mirrors; I don't know
how hard it would be to insert this move into the archive infrastructure (ftp
masters CC'ed)
3) needs some hardcoded black magic in APT - if a user has an entry

'deb http://abc.def.edu/debian lenny main'

in sources.list, how can we know whether it is an official Debian archive, and
do we need to pick the Release file from 'https://security.debian.org' or from
the host itself?..

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor
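The thread above contrasts two defences against a man in the middle replaying an old Release file: fetching Release over https, or rejecting a Release file whose Valid-Until date has passed. The following is an added illustration of the second approach, written for this page and not taken from APT or from any participant in the thread. It assumes the Release file's OpenPGP signature has already been verified (a signature proves origin, not currency), uses the real Debian field names Date and Valid-Until and the date format Debian archives publish, and works on a constructed sample Release file; the function names, the one-hour clock-skew tolerance and the sample values are assumptions for the example.

```python
"""Freshness check for a Debian Release file using the Valid-Until field.

Added example for the thread above, not APT's own code. It assumes the
Release file's OpenPGP signature has ALREADY been verified: a valid signature
only proves the file came from the archive at some point, so a man in the
middle can replay an old, validly signed Release file that omits newer
security updates. Valid-Until bounds how long such a replay stays useful.
"""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file: field names and date format match what
# Debian archives publish, the values are made up for this example.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Sat, 21 Mar 2009 14:00:00 UTC
Valid-Until: Sat, 28 Mar 2009 14:00:00 UTC
Architectures: amd64 i386
Components: main contrib non-free
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
"""


def parse_release(text):
    """Return the top-level 'Field: value' pairs of a Release file.

    Continuation lines (leading whitespace, e.g. the hash lists) are skipped;
    they are not needed for the freshness decision.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_archive_date(value):
    """Parse the RFC 2822-style date used in Release files into an aware UTC datetime."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # e.g. "-0000": treat as UTC rather than naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_release_freshness(release, now, max_future_skew=timedelta(hours=1),
                            require_valid_until=False):
    """Decide whether a signature-verified Release file may still be trusted.

    Returns (ok, reason). 'now' must be an aware datetime. The tolerance
    'max_future_skew' (an assumed value) covers ordinary clock skew.
    """
    if "Date" not in release:
        return False, "Release file has no Date field"
    date = parse_archive_date(release["Date"])
    # A Date far in the future means a broken client clock or a forged file.
    if date - now > max_future_skew:
        return False, "Release file Date is in the future: %s" % release["Date"]

    if "Valid-Until" not in release:
        if require_valid_until:
            return False, "Release file has no Valid-Until field"
        # Archives that never publish Valid-Until cannot have replays
        # detected by this check; the caller decides whether to insist.
        return True, "no Valid-Until field; freshness cannot be enforced"

    valid_until = parse_archive_date(release["Valid-Until"])
    if valid_until < date:
        return False, "Valid-Until precedes Date; file is malformed"
    if now > valid_until:
        # The replay case: the signature is fine, but the archive itself
        # says this file is stale, so newer updates may be being hidden.
        return False, "Release file expired at %s" % release["Valid-Until"]
    return True, "Release file valid until %s" % release["Valid-Until"]


def verdict_for(text, now):
    """Parse a Release file and return its freshness verdict at time 'now'."""
    return check_release_freshness(parse_release(text), now)


if __name__ == "__main__":
    fresh = parse_archive_date("Sun, 22 Mar 2009 00:00:00 UTC")
    stale = parse_archive_date("Wed, 01 Apr 2009 00:00:00 UTC")
    print(verdict_for(SAMPLE_RELEASE, fresh))  # accepted: within Valid-Until
    print(verdict_for(SAMPLE_RELEASE, stale))  # rejected: expired, possible replay
```

Note that this check only shrinks the replay window to the archive's chosen validity period; an attacker who can block the connection entirely still denies the client updates, which is why the message above still cares about detecting that the Release file came from the right host at all.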
