Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

intrigeri intrigeri at
Wed Jul 3 23:36:19 PDT 2013


Jonathan Wilkes wrote (03 Jul 2013 18:26:11 GMT) :
> Are there security updates that don't use "Valid-Until"?

As far as official Debian repositories are concerned: none that I know
of. It's quite different among 3rd-party repositories, though (that's
what I was implicitly referring to, sorry for being unclear).

> The remaining question is this: what is an example of a potential attack that
> exploits the absence of a "Valid-Until" header in a stable release? A stable version
> of  Debian is canonical, so there is nothing for an attacker to replay unless
> it's from a previous version of Debian which has a different key and, therefore,
> would set off alarm bells from apt.

Point-releases modify the stable suite. I believe some bugfixes and
no-DSA security updates are shipped via point-release, without flowing
through DSA + -security. That's perhaps not a big deal, though.

  | GnuPG key @
  | OTR fingerprint @

More information about the liberationtech mailing list