* Moritz Muehlenhoff:

>> And there is also the option of including it in the first point release,
>> after a month or two of testing in unstable.
>
> Since the replay attack isn't exactly grave, it could just as well be added
> into 5.0.1 or 5.0.2 once it has gotten some testing.

And if Valid-Until is only checked against the real-time clock, the
attacker can still feed bad data over NTP, so it's not even a complete
defense. 8-(

