Nick Phillips <nick.phill...@otago.ac.nz> writes:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

>> Point. We should have documentation for what the minimum signing
>> frequency we guarantee is, particularly for the security archive.
>> Then, people who are willing to suffer from mirror issues if they're
>> slow can just use that.

> It seems to me that "Valid-Until" was a mistake in the first place; the
> date on which it was signed and the frequency with which it is expected
> to be re-signed are needed (whether this information is in the file
> itself or just in the docs), and it's up to the client to decide how old
> is acceptable given this information.

I approve of us putting a ceiling on how long the client should trust the
signature. The client can always ignore Valid-Until if they really want
to, but this way we're explicit about our recommendations.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
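
The two policies discussed in this message, side by side, as an added example that is not part of the original thread and is not apt's code: the archive-supplied Valid-Until ceiling, and a client-chosen maximum age measured from the Date field. The function names, the sample header and the treatment of Date as the signing time are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header, not taken from a real archive.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Wed, 29 Oct 2014 20:00:00 UTC
Valid-Until: Wed, 05 Nov 2014 20:00:00 UTC
"""

def parse_fields(text):
    """Collect top-level 'Key: value' fields, skipping indented hash lists."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse an RFC 2822-style date and normalise it to UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def check_freshness(text, now, max_age=None, honor_valid_until=True):
    """Return (ok, reason) for a Release header at time `now`.

    honor_valid_until: apply the archive's ceiling when the field is present.
    max_age: optional client-chosen limit measured from the Date field
             (assumed here to be the signing time).
    """
    fields = parse_fields(text)
    if "Date" not in fields:
        return False, "no Date field"
    signed = parse_date(fields["Date"])
    if honor_valid_until and "Valid-Until" in fields:
        if now > parse_date(fields["Valid-Until"]):
            return False, "expired per Valid-Until"
    if max_age is not None and now - signed > max_age:
        return False, "older than client max age"
    return True, "fresh"

if __name__ == "__main__":
    late = datetime(2014, 11, 10, tzinfo=timezone.utc)
    print(check_freshness(SAMPLE_RELEASE, late))
    print(check_freshness(SAMPLE_RELEASE, late, timedelta(days=14), False))
```

A client that sets `honor_valid_until=False` without also setting `max_age` accepts a header of any age, which is the case the ceiling exists to prevent.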