Hi,

Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>> version you intended to download, and not an older, also properly
>>> signed one.
[...]
>> Does Debian's "Valid-Until" field in the release files solve this problem?
> After getting some help on #debian-apt, I can at least say that the
> "Valid-Until" field in the release file for Debian security updates is
> indeed intended to address replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at all)
typically ensures an attacker can't hide available security updates for
more than a week. This is sometimes good enough.

Cheers,
-- 
intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
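As an added example (not part of the thread or of APT itself), here is a freshness check for an APT-style Release file modelled on the Valid-Until behaviour discussed above: an expired Valid-Until marks the metadata as stale (the replay case), and a Date older than the last Release seen marks it as a downgrade. The Release contents are constructed samples, and the downgrade comparison is an assumption of this example, not a claim about what APT does.

```python
"""Freshness checks for a Debian-style Release file (signature assumed
already verified): Valid-Until expiry and Date regression."""
from datetime import datetime, timezone

# Constructed sample Release files (not real Debian metadata). The
# "old" one is what a replayed, still properly signed Release looks like.
NEW_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Date: Sat, 08 Jun 2024 10:00:00 UTC
Valid-Until: Sat, 15 Jun 2024 10:00:00 UTC
Architectures: amd64
"""
OLD_RELEASE = NEW_RELEASE.replace("08 Jun", "01 Jun").replace("15 Jun", "08 Jun")

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"  # the format Debian Release files use


def parse_release(text):
    """Parse the top-level 'Field: value' lines of a Release file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def check_release(text, now, last_seen_date=None):
    """Return (ok, reason). A Release whose Valid-Until has passed is
    rejected; one dated before a previously seen Release is treated as a
    downgrade (hypothetical extra check, not APT's behaviour). A Release
    without Valid-Until cannot bound staleness at all, so it is flagged."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return False, "no Valid-Until: staleness cannot be bounded"
    if now > parse_date(fields["Valid-Until"]):
        return False, "expired"
    if last_seen_date is not None and parse_date(fields["Date"]) < last_seen_date:
        return False, "older than previously seen Release"
    return True, "fresh"
```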
