#796476 ftp.debian.org: valid-until for stable

#796476#5
Date: 2015-08-21 23:28:22 UTC
Package: ftp.debian.org
Tags: security
X-Debbugs-CC: debian-release@lists.debian.org

Hi,

Nowadays the Release files for the *stable releases do not have a
Valid-Until field.
From a security POV, this could allow a replay attack to be performed
on the main stable repositories, which could prevent a user from
getting some security updates.

Would it be possible to have such a valid-until field with a duration
of, say, four months?
Given the trend of doing point updates every few months, the date
could be renewed only at point release time.

Release team: would that be ok for you?

Cheers,

#796476#10
Date: 2016-05-19 08:03:49 UTC
I think it would have to be 6 months, at which point I don't see that it
buys you much in the way of security, and it breaks archive.debian.org
further.  So I'm not wild about that idea.

Cheers,
Julien

#796476#21
Date: 2023-11-30 09:50:19 UTC
Hi,

On Thu, 19 May 2016 10:03:49 +0200 Julien Cristau <jcristau@debian.org> wrote:

So, shall we close (wontfix) this bug report? Or have insights changed
in those 7 years in between?

Paul
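
The freshness check discussed in this thread, as an added example (not code from the bug report, the archive tooling, or apt): it shows why a correctly signed Release file without Valid-Until gives a client no way to notice a replayed old copy. The Release headers are constructed samples, the signature is assumed to be verified already, and `max_age` is a hypothetical client-side policy.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not copied from a real archive).
RELEASE_WITHOUT = """\
Origin: Debian
Suite: stable
Date: Sat, 06 Jun 2015 10:00:00 UTC
"""
# Same file with a four-month Valid-Until, as proposed in the report.
RELEASE_WITH = RELEASE_WITHOUT + "Valid-Until: Tue, 06 Oct 2015 10:00:00 UTC\n"


def parse_fields(text):
    """Parse the single-line 'Key: value' headers of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are checksum-list continuations; not needed here.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_freshness(text, now, max_age=None):
    """Classify an already signature-verified Release file.

    Returns 'fresh', 'expired', or 'unbounded' when nothing limits how
    old the file may be. max_age is a hypothetical client-side limit
    counted from the Date field; the earlier deadline wins.
    """
    fields = parse_fields(text)
    deadlines = []
    if "Valid-Until" in fields:
        deadlines.append(parsedate_to_datetime(fields["Valid-Until"]))
    if max_age is not None and "Date" in fields:
        deadlines.append(parsedate_to_datetime(fields["Date"]) + max_age)
    if not deadlines:
        return "unbounded"  # a replayed old copy is indistinguishable
    return "fresh" if now <= min(deadlines) else "expired"


if __name__ == "__main__":
    replay_time = datetime(2016, 5, 19, tzinfo=timezone.utc)
    for name, text in (("without", RELEASE_WITHOUT), ("with", RELEASE_WITH)):
        print(name, "Valid-Until:", check_freshness(text, replay_time))
```
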