On Thu, Nov 24, 2016 at 08:39:18AM +0100, Julian Andres Klode wrote:
> On Wed, Nov 23, 2016 at 04:46:57PM -0800, Seth Arnold wrote:
> > On Thu, Nov 24, 2016 at 01:19:12AM +0100, Julian Andres Klode wrote:
> > May I also ask for the Valid-Until: lines to be turned on for zesty and
> > newer releases at the same time? I've heard various reasons why we don't
> > use it:
>
> That would be nice IMO. APT supports it already, so it's only a matter
> of turning it on in the archive.
>
> >
> > - An attacker could simply supply valid lists from before we started
> >   enforcing valid-until
>
> That's a thing we can fix:
>
> Just reject downgrading from a Release file with Valid-Until
> to one without Valid-Until (this means you can't ever remove a
> Valid-Until field again, but you can of course set it to a very
> far future like the year 9999 or something).

That said, it seems that we reject updating to a file with an older
value in Date - we basically treat it like a "Hit" - that is, as if
it's the same file we already have - and ignore it.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
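
The two checks discussed in this thread, sketched as an added example (not part of the original message and not APT's own code): refuse a Release file without Valid-Until once one with it has been seen, and handle a candidate with an older Date like a "Hit". The names `parse_release`, `timestamp` and `decide` and the sample headers are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Top-level 'Field: value' pairs of a Release file (continuation lines skipped)."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields

def timestamp(fields, name):
    """Parse an RFC 2822 style date field; None when the field is absent."""
    if name not in fields:
        return None
    parsed = parsedate_to_datetime(fields[name])
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def decide(current_text, candidate_text, now):
    """Return 'accept', 'hit' (keep the copy we have) or 'reject'."""
    cur, new = parse_release(current_text), parse_release(candidate_text)
    new_until = timestamp(new, "valid-until")
    # Rule proposed in the thread: a file without Valid-Until may not replace one that has it.
    if "valid-until" in cur and new_until is None:
        return "reject"
    # Meaning of Valid-Until itself: an expired file is refused.
    if new_until is not None and new_until < now:
        return "reject"
    # Behaviour described in the reply: an older Date is handled like a "Hit".
    cur_date, new_date = timestamp(cur, "date"), timestamp(new, "date")
    if cur_date and new_date and new_date < cur_date:
        return "hit"
    return "accept"

# Constructed sample Release headers (not taken from a real archive).
OLD_NO_EXPIRY = "Origin: Example\nDate: Tue, 01 Nov 2016 10:00:00 UTC\nSHA256:\n abc 1 main/x\n"
CURRENT = "Origin: Example\nDate: Thu, 24 Nov 2016 10:00:00 UTC\nValid-Until: Thu, 01 Dec 2016 10:00:00 UTC\n"
OLDER = "Origin: Example\nDate: Mon, 21 Nov 2016 10:00:00 UTC\nValid-Until: Mon, 28 Nov 2016 10:00:00 UTC\n"
NEWER = "Origin: Example\nDate: Fri, 25 Nov 2016 10:00:00 UTC\nValid-Until: Fri, 02 Dec 2016 10:00:00 UTC\n"
NOW = datetime(2016, 11, 25, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, text in [("old, no Valid-Until", OLD_NO_EXPIRY), ("older Date", OLDER), ("newer", NEWER)]:
        print(f"{name}: {decide(CURRENT, text, NOW)}")
```

The older-Date case returns "hit" rather than "reject" because its own Valid-Until has not yet passed at the constructed `NOW`; once it has, the expiry check refuses it first.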