Hi,

Jonathan Wilkes wrote (03 Jul 2013 18:26:11 GMT) :
> Are there security updates that don't use "Valid-Until"?

As far as official Debian repositories are concerned: none that
I know of. It's quite different among 3rd-party repositories, though
(that's what I was implicitly referring to, sorry for being unclear).

> The remaining question is this: what is an example of a potential attack that
> exploits the absence of a "Valid-Until" header in a stable release? A stable
> version of Debian is canonical, so there is nothing for an attacker to replay
> unless it's from a previous version of Debian which has a different key and,
> therefore, would set off alarm bells from apt.

Point-releases modify the stable suite. I believe some bugfixes and
no-DSA security updates are shipped via point-release, without flowing
through DSA + -security. That's perhaps not a big deal, though.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
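
Added example, not part of the original message and not apt's own code: a simplified freshness check over a repository `Release` file, showing why a signed file without "Valid-Until" has no expiry unless the client imposes one. The sample headers, the function names and the `max_valid` parameter are assumptions made for illustration; `max_valid` plays the role that apt's `Acquire::Max-ValidTime` setting plays on the client side.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not taken from any real repository).
WITH_VALID_UNTIL = """\
Origin: Example
Suite: stable
Date: Sat, 15 Jun 2013 10:00:00 UTC
Valid-Until: Sat, 22 Jun 2013 10:00:00 UTC
SHA256:
 0000 123 main/binary-amd64/Packages
"""
WITHOUT_VALID_UNTIL = """\
Origin: Example third-party
Suite: stable
Date: Sat, 15 Jun 2013 10:00:00 UTC
"""

def parse_release(text):
    """Return the top-level 'Field: value' headers of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Checksum entries are continuation lines starting with a space.
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields

def freshness(text, now, max_valid=None):
    """Classify a Release file as 'fresh', 'expired' or 'unbounded'.

    max_valid (hypothetical parameter) is a client-side cap counted from
    the Date header; the earlier of it and Valid-Until is the deadline.
    """
    fields = parse_release(text)
    deadlines = []
    if "valid-until" in fields:
        deadlines.append(parsedate_to_datetime(fields["valid-until"]))
    if max_valid is not None and "date" in fields:
        deadlines.append(parsedate_to_datetime(fields["date"]) + max_valid)
    if not deadlines:
        return "unbounded"  # nothing ever makes an old signed copy stale
    return "fresh" if now <= min(deadlines) else "expired"

if __name__ == "__main__":
    now = datetime(2013, 7, 3, 18, 26, tzinfo=timezone.utc)  # constructed
    print(freshness(WITH_VALID_UNTIL, now))
    print(freshness(WITHOUT_VALID_UNTIL, now))
    print(freshness(WITHOUT_VALID_UNTIL, now, timedelta(days=7)))
```

The signature check is deliberately out of scope here: the point is that a correctly signed but old `Release` file only stops being accepted when one of these two deadlines exists.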