Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

intrigeri intrigeri at boum.org
Wed Jul 3 01:47:37 PDT 2013


Hi,

Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>>    version you intended to download, and not an older, also properly
>>>    signed one.
[...]
>> Does Debian's "Valid-Until" field in the release files solve this problem?

> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
> field in the release file for Debian security updates is indeed intended to address
> replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week. This is sometimes good enough.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



More information about the liberationtech mailing list