Package: ftp.debian.org
Severity: normal
Hey there. Would you possibly consider tightening the Valid-Until times on the various repositories? E.g. stable- and testing-security seem to have 1 week right now. This seems pretty long... a whole week in which an attacker might do a blocking attack and prevent people from noticing that they're not seeing any updates?

Current stable (buster) doesn't seem to have a Valid-Until at all. Not sure if this is planned for bullseye as well. The impact is perhaps not that big, since the security upgrades go anyway to bullseye-security. But still, perhaps better to have a validity than not?

I would have blindly guessed that using shorter Valid-Until times isn't that expensive, because it's probably just the dates that need to be refreshed and the signature on the Release file?

What about a validity time of e.g. one day... at least for repos like unstable, *-security, *-updates? Maybe also testing? And maybe 1-2 weeks or so for any repo where security is anyway handled in another (stable)?

Thanks for your consideration,
Chris.
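The check the report is asking about, shown as an added example that is not part of the bug report, the Debian archive tooling or apt: a client-side freshness check over a Release file's Date and Valid-Until fields. The two Release headers are constructed samples, not real Debian data. The `max_valid_time` parameter models a client-side cap in seconds like apt's `Acquire::Max-ValidTime`, which is the only defence a client has when the archive ships no Valid-Until at all; the function names are this example's own.

```python
"""Freshness check for a Debian Release file, modelled on apt's
Valid-Until handling (an added illustration, not apt's own code)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not real Debian data); only the
# Date and Valid-Until fields matter for the freshness check.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Codename: bullseye-security
Date: Sat, 10 Jul 2021 10:00:00 UTC
Valid-Until: Sat, 17 Jul 2021 10:00:00 UTC
Architectures: amd64 arm64
Components: main
"""

RELEASE_WITHOUT_VALID_UNTIL = """\
Origin: Debian
Suite: stable
Codename: buster
Date: Sat, 10 Jul 2021 10:00:00 UTC
Architectures: amd64
Components: main
"""


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp, used as the client's current time."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release_fields(text):
    """Parse the 'Field: value' header of a Release file into a dict.
    Indented continuation lines (the hash lists) are skipped; they are
    not needed to decide whether the file has expired."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _parse_date(value):
    """Release files use RFC 5322 dates, e.g. 'Sat, 10 Jul 2021 10:00:00 UTC'."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # a zone-less date is treated as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def freeze_window(text):
    """How long an attacker can replay this exact Release file before a
    client notices: Valid-Until minus Date. None means unbounded."""
    fields = parse_release_fields(text)
    if "Valid-Until" not in fields or "Date" not in fields:
        return None
    return _parse_date(fields["Valid-Until"]) - _parse_date(fields["Date"])


def release_status(text, now, max_valid_time=None, check_valid_until=True):
    """Classify a Release file as seen by a client at time `now`.

    max_valid_time (seconds) models a client-side cap like apt's
    Acquire::Max-ValidTime: the file expires that long after its Date even
    if the archive set a longer Valid-Until or none at all.
    Returns (verdict, deadline); verdict is one of
    "fresh", "expired", "no-expiry", "malformed".
    """
    fields = parse_release_fields(text)
    try:
        date = _parse_date(fields["Date"])
    except (KeyError, TypeError, ValueError):
        return ("malformed", None)

    deadline = None
    if check_valid_until and "Valid-Until" in fields:
        try:
            deadline = _parse_date(fields["Valid-Until"])
        except (TypeError, ValueError):
            return ("malformed", None)
    if max_valid_time is not None:
        cap = date + timedelta(seconds=max_valid_time)
        deadline = cap if deadline is None else min(deadline, cap)

    if deadline is None:
        # Nothing bounds how long a replayed copy stays acceptable.
        return ("no-expiry", None)
    if now > deadline:
        return ("expired", deadline)
    return ("fresh", deadline)


if __name__ == "__main__":
    now = utc(2021, 7, 12)
    print("freeze window of the -security sample:",
          freeze_window(RELEASE_WITH_VALID_UNTIL))
    for name, text in (("with Valid-Until", RELEASE_WITH_VALID_UNTIL),
                       ("without Valid-Until", RELEASE_WITHOUT_VALID_UNTIL)):
        print(name, release_status(text, now),
              "with 1-day client cap:", release_status(text, now, 86400))
```

Run as a script it prints the one-week replay window of the first sample, the "no-expiry" verdict for the second, and how a one-day client cap shortens both. The cap is what the report's concern comes down to: without a Valid-Until, or with a long one, a mirror or on-path attacker can keep serving a correctly signed but stale Release file, and only a client-side maximum validity turns that into a visible error.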