[liberationtech] secure download tool - doesn't exist?!?

intrigeri intrigeri at
Wed Jul 3 01:47:37 PDT 2013


Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>>    version you intended to download, and not an older, also properly
>>>    signed one.
>> Does Debian's "Valid-Until" field in the release files solve this problem?

> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
> field in the release file for Debian security updates is indeed intended to address
> replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week. This is sometimes good enough.

  | GnuPG key @
  | OTR fingerprint @
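
The freshness check discussed in this message, as an added example that is not part of the original post or of APT's own code: it reads the `Date` and `Valid-Until` fields of a Release file and reports how long a replayed copy would still be accepted. The sample headers and function names are constructed for illustration, and the file's signature is assumed to have been verified already.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers in the style of an APT Release file (not real data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 29 Jun 2013 14:02:11 UTC
Valid-Until: Sat, 06 Jul 2013 14:02:11 UTC
"""

def parse_fields(release_text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # indented continuation lines (checksum lists) are skipped
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _utc(value):
    """Parse an RFC 2822 style date and make sure it is timezone-aware (UTC)."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_freshness(release_text, now):
    """Classify signed metadata as 'fresh', 'expired' or 'unbounded'.

    Returns (status, replay_window). replay_window is how long a copy of this
    file stays acceptable after it was generated, or None when the repository
    sets no Valid-Until and an old signed copy can be replayed indefinitely.
    """
    fields = parse_fields(release_text)
    if "Valid-Until" not in fields:
        return "unbounded", None
    valid_until = _utc(fields["Valid-Until"])
    window = valid_until - _utc(fields["Date"])
    return ("expired" if now > valid_until else "fresh"), window

if __name__ == "__main__":
    now = datetime(2013, 7, 3, 8, 47, 37, tzinfo=timezone.utc)
    print(check_freshness(SAMPLE_RELEASE, now))
```

A client that treats "unbounded" the same as "fresh" gets no replay protection from repositories that omit the field.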
