
[liberationtech] secure download tool - doesn't exist?!?

Jonathan Wilkes jancsika at
Wed Jul 3 11:26:11 PDT 2013

On 07/03/2013 04:47 AM, intrigeri wrote:
> Hi,
> Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
>> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>>> + verify that the signed file you've downloaded is actually the
>>>>     version you intended to download, and not an older, also properly
>>>>     signed one.
> [...]
>>> Does Debian's "Valid-Until" field in the release files solve this problem?
>> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
>> field in the release file for Debian security updates is indeed intended to address
>> replay attacks.
> The Valid-Until mechanism (when it's used by the APT repository at
> all) typically ensures an attacker can't hide available security
> updates for more than a week.

You say "when it's used at all":

My understanding is that it's used for security updates (and possibly
some other repos), and not used for stable releases.  Are there security
updates that don't use "Valid-Until"?

The remaining question is this: what is an example of a potential attack
that exploits the absence of a "Valid-Until" header in a stable release? A
stable version of Debian is canonical, so there is nothing for an attacker
to replay unless it's from a previous version of Debian, which has a
different key and would set off alarm bells from apt.


> This is sometimes good enough.
> Cheers,
> --
>    intrigeri
>    | GnuPG key @
>    | OTR fingerprint @
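The freshness check the thread is discussing, written out as an added example (it is not code from the thread, from Debian or from APT): parse the Date and Valid-Until fields of an already signature-verified Release file and decide whether a copy seen at a given time is still acceptable. The two Release texts are constructed; the field names follow the real Release format, the values and the hash line are made up. The max_age parameter and the status names are this example's own; the local bound it applies from the Date field is the same idea as APT's Acquire::Max-ValidTime setting.

```python
"""Freshness check for an APT Release file, keyed on Date and Valid-Until.

Added example for this thread; not code from Debian, APT, or any poster.
The Release texts below are constructed: field names follow the real
Release format, the values and the hash entry are made up.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Release files stamp times like "Wed, 03 Jul 2013 09:00:00 UTC".
RELEASE_TIME_FORMAT = "%a, %d %b %Y %H:%M:%S %Z"
WEEK = timedelta(days=7)

# Constructed: a security-archive style Release file carrying Valid-Until.
SECURITY_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Wed, 03 Jul 2013 09:00:00 UTC
Valid-Until: Wed, 10 Jul 2013 09:00:00 UTC
Architectures: amd64 i386
Components: updates/main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 updates/main/binary-amd64/Packages
"""

# Constructed: a stable-release style Release file with no Valid-Until.
STABLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 15 Jun 2013 14:00:00 UTC
Architectures: amd64 i386
Components: main
"""

Freshness = namedtuple("Freshness", "status deadline has_valid_until")


def utc(year, month, day, hour=0):
    """Aware UTC datetime; the 'now' the checker is evaluated against."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_release_fields(text):
    """Return the single-line 'Key: value' header fields of a Release file.

    Indented continuation lines (the hash entries under MD5Sum/SHA256) are
    skipped; only the header fields matter for the freshness decision.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed Release line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def parse_release_time(value):
    """Parse a Release timestamp into an aware UTC datetime."""
    return datetime.strptime(value, RELEASE_TIME_FORMAT).replace(tzinfo=timezone.utc)


def check_freshness(release_text, now, max_age=None):
    """Classify a signature-verified Release file as seen at time `now`.

    max_age is a local policy bound counted from the Date field; when both
    it and Valid-Until exist, the earlier deadline wins.  Statuses:
      fresh         within the deadline
      expired       past the deadline: an old but validly signed copy
      future-dated  Date is ahead of `now` (clock skew or a bad timestamp)
      unbounded     no Valid-Until and no max_age: nothing ever expires it
    """
    fields = parse_release_fields(release_text)
    date = parse_release_time(fields["Date"])
    has_valid_until = "Valid-Until" in fields
    deadline = parse_release_time(fields["Valid-Until"]) if has_valid_until else None
    if max_age is not None:
        policy_deadline = date + max_age
        deadline = policy_deadline if deadline is None else min(deadline, policy_deadline)

    if date > now:
        status = "future-dated"
    elif deadline is None:
        status = "unbounded"
    elif now > deadline:
        status = "expired"
    else:
        status = "fresh"
    return Freshness(status, deadline, has_valid_until)


if __name__ == "__main__":
    print("security, two days later:", check_freshness(SECURITY_RELEASE, utc(2013, 7, 5)))
    print("security, replayed nine days on:", check_freshness(SECURITY_RELEASE, utc(2013, 7, 12)))
    print("stable, no local bound:", check_freshness(STABLE_RELEASE, utc(2013, 9, 1)))
    print("stable, 7-day local bound:", check_freshness(STABLE_RELEASE, utc(2013, 9, 1), max_age=WEEK))
```

The "unbounded" result is the stable-release situation the post asks about: with no Valid-Until in the file, a signature-verified copy from any date is accepted indefinitely unless the client imposes its own bound, which is what the max_age argument here (and Acquire::Max-ValidTime in APT's configuration) does. Note that the check only has meaning after the signature has been verified; a freshness field in an unsigned or unverified file says nothing.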
