On Sat, Aug 22, 2015 at 01:28:22 +0200, Raphael Geissert wrote:
> Package: ftp.debian.org
> Tags: security
> X-Debbugs-CC: [email protected]
>
> Hi,
>
> Nowadays the Release files for the *stable releases do not have a
> Valid-Until field.
> From a security POV, this could allow a replay attack to be performed
> on the main stable repositories, which could prevent a user from
> getting some security updates.
>
> Would it be possible to have such a valid-until field with a duration
> of, say, four months?
> Given the trend of doing point updates every few months, the date
> could be renewed only at point release time.
>
> Release team: would that be ok for you?
>
I think it would have to be 6 months, at which point I don't see that it
buys you much in the way of security, and it breaks archive.debian.org
further. So I'm not wild about that idea.
Cheers, Julien
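The check the report is about, as an added example that is neither apt's own code nor part of this bug thread: a short Python script that parses two constructed Release files (one without Valid-Until, as on the stable mirrors at the time, one with it) and applies the expiry rule. The sample files, the function names and the `max_valid_days` knob are assumptions; apt exposes the equivalent client-side fallback as Acquire::Max-ValidTime. Signature verification of the Release file is out of scope here and is assumed to have already passed.

```python
"""Added example (not apt's code, not part of the bug report): the
Release-file expiry check that a missing Valid-Until field bypasses.

The two Release files below are constructed samples carrying only the
header fields needed here; real ones also list MD5Sum/SHA256 hashes and
are signed (InRelease or Release + Release.gpg).
"""
from datetime import datetime, timedelta, timezone

# Constructed: a stable Release file with no Valid-Until, as reported.
STABLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Date: Sat, 06 Jun 2015 11:05:20 UTC
Architectures: amd64
Components: main
"""

# Constructed: a Release file that does carry Valid-Until.
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: jessie
Date: Sat, 22 Aug 2015 10:03:54 UTC
Valid-Until: Sat, 29 Aug 2015 10:03:54 UTC
Architectures: amd64
Components: main
"""

# Release files use RFC 1123 style dates, always written in UTC.
RELEASE_DATE_FORMAT = "%a, %d %b %Y %H:%M:%S %Z"


def parse_release(text):
    """Parse the 'Key: value' header block of a Release file into a dict.
    Indented continuation lines (the hash lists) are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_release_date(value):
    return datetime.strptime(value, RELEASE_DATE_FORMAT).replace(tzinfo=timezone.utc)


def check_validity(fields, now, max_valid_time=None):
    """Decide whether a signature-verified Release file may still be used.

    A file past its Valid-Until is rejected. `max_valid_time` (a timedelta)
    models apt's Acquire::Max-ValidTime: an expiry derived from Date for
    files that carry no Valid-Until (the earlier of the two wins if both
    apply). Returns (accepted, reason).
    """
    date = parse_release_date(fields["Date"])
    expires = None
    if "Valid-Until" in fields:
        expires = parse_release_date(fields["Valid-Until"])
    if max_valid_time is not None:
        derived = date + max_valid_time
        expires = derived if expires is None else min(expires, derived)
    if expires is None:
        # This is the replay window: nothing bounds how old the file may be,
        # so a mirror (or a man-in-the-middle) can keep serving it forever.
        return True, "no Valid-Until; accepted at any age (%d days old)" % (now - date).days
    if now > expires:
        return False, "expired %d days ago" % (now - expires).days
    return True, "valid for another %d days" % (expires - now).days


def check_release(text, now_str, max_valid_days=None):
    """Convenience wrapper: `now_str` uses the same date format as the file."""
    cap = timedelta(days=max_valid_days) if max_valid_days is not None else None
    return check_validity(parse_release(text), parse_release_date(now_str), cap)


if __name__ == "__main__":
    now = "Fri, 01 Jan 2016 00:00:00 UTC"  # constructed "current" time
    for name, text in (("stable", STABLE_RELEASE), ("security", SECURITY_RELEASE)):
        print(name, check_release(text, now))
        print(name, "with 6-month cap:", check_release(text, now, 183))
```

Run as-is, the stable sample is accepted months after it was generated because nothing in it expires, while the security sample is rejected once its Valid-Until has passed; adding a 183-day cap rejects the stale stable file too. The flip side is the point Julien raises: a suite whose Valid-Until has lapsed, as on archive.debian.org, is refused until the client sets Acquire::Check-Valid-Until to false.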

