On Sun, Nov 23, 2008 at 11:24:14PM +0200, Eugene V. Lyubimkin wrote:
> Joerg Jaspert wrote:
> >>>> - have it expire in a period long enough so a new point release will
> >>>> have happened in the meantime, say half a year.
> >>> Probably still not acceptable for CD-Roms.
> >> I don't think that should be a problem - I don't believe CD-Roms are the
> >> target of this feature. APT already handles CD-Roms differently so it
> >> could exclude them from this check.
> >
> > Hello apt team, anyone working on supporting this? :)
> > (It's used in both, the normal and the security archive).
> >
> No one at present, IIRC.
>
> Should this be incorporated into apt in Lenny? It's not hard to
> apply the patch from Thomas, but it doesn't address the feature that apt
> should not accept Release files without 'Valid-Until' entry after
> seeing it once earlier.
[..]

I merged the patch (with some small modifications) into the
debian-experimental bzr branch to work on the issue.

I added the following configuration item:

Have a "max-age" client side option in addition to the "valid-until"
field on the server side. That makes it possible to have a (client side)
apt configuration like:

 apt::acquire::max-default-age::Debian-security "7";

(using the Label in the Release file for identification).

This client side configuration will only be used if no valid-until
field is found on the server. It means that when the security archive
that is presented does not have it anymore there will still be a good
default. So just presenting a really old archive will not work (it
protects against attacks when there was never a valid
security.debian.org, only a really old one).

Thanks,
 Michael
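
The fallback described in the message above, sketched as an added example; it is not apt's code and not part of the original thread. It assumes the Release file's Date field is the starting point for the client-side age limit, and the function names, the MAX_DEFAULT_AGE table and the sample Release text are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed stand-in for the client option quoted above:
#   apt::acquire::max-default-age::Debian-security "7";
MAX_DEFAULT_AGE = {"Debian-security": 7}  # Release Label -> days

# Constructed sample: an old security Release header with no Valid-Until field.
OLD_RELEASE = """\
Origin: Debian
Label: Debian-security
Suite: stable
Date: Sat, 01 Nov 2008 10:00:00 UTC
MD5Sum:
 00000000000000000000000000000000 1234 main/binary-i386/Packages
"""

def parse_release(text):
    """Return the top-level 'Key: value' fields, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue  # indented checksum entries are not header fields
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields

def _utc(value):
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def expiry(fields, max_age=MAX_DEFAULT_AGE):
    """Server Valid-Until wins; else Date + client max age for this Label."""
    if "valid-until" in fields:
        return _utc(fields["valid-until"])
    days = max_age.get(fields.get("label"))
    if days is not None and "date" in fields:
        return _utc(fields["date"]) + timedelta(days=days)
    return None  # neither server field nor client default applies

def is_acceptable(text, now, max_age=MAX_DEFAULT_AGE):
    """False when the Release file is past its effective expiry at `now`."""
    limit = expiry(parse_release(text), max_age)
    return limit is None or now <= limit

if __name__ == "__main__":
    now = datetime(2008, 11, 23, 21, 24, tzinfo=timezone.utc)
    print(is_acceptable(OLD_RELEASE, now))  # False
```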