[liberationtech] secure download tool - doesn't exist?!?
intrigeri at boum.org
Wed Jul 3 23:36:19 PDT 2013
Jonathan Wilkes wrote (03 Jul 2013 18:26:11 GMT) :
> Are there security updates that don't use "Valid-Until"?
As far as official Debian repositories are concerned: none that I know
of. It's quite different among 3rd-party repositories, though (that's
what I was implicitly referring to, sorry for being unclear).
> The remaining question is this: what is an example of a potential attack that
> exploits the absence of a "Valid-Until" header in a stable release? A stable version
> of Debian is canonical, so there is nothing for an attacker to replay unless
> it's from a previous version of Debian which has a different key and, therefore,
> would set off alarm bells from apt.
Point-releases modify the stable suite. I believe some bugfixes and
no-DSA security updates are shipped via point-release, without flowing
through DSA + -security. That's perhaps not a big deal, though.
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
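An added illustration of the freshness check the thread is arguing about (this is example code written for this archive page, not anything from the posters or from apt itself): it parses the header block of a Debian-style `Release` file, and decides whether the metadata is still usable. With a `Valid-Until` field present, a mirror or man-in-the-middle cannot keep serving a correctly signed but old `Release` file past its expiry, which is the replay/freeze risk discussed above. The `max_valid_time` parameter is an assumption modelled on the idea behind apt's `Acquire::Max-ValidTime` option: a local cap measured from the `Date` field for repositories that omit `Valid-Until`. The two `Release` snippets are constructed samples.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header block of a Release file that carries an expiry.
RELEASE_WITH_EXPIRY = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Wed, 03 Jul 2013 18:00:00 UTC
Valid-Until: Wed, 10 Jul 2013 18:00:00 UTC
Architectures: amd64 i386
Components: main
"""

# Constructed sample: the same metadata with no Valid-Until, as many
# third-party repositories ship it.
RELEASE_NO_EXPIRY = """\
Origin: Example Third Party
Suite: stable
Date: Wed, 03 Jul 2013 18:00:00 UTC
Architectures: amd64
Components: main
"""


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict.

    Continuation lines (the indented hash lists under MD5Sum/SHA256) are skipped;
    they are not needed for the freshness decision.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_release_freshness(text, now, max_valid_time=None):
    """Classify a Release file as 'fresh', 'expired' or 'no-expiry'.

    now             -- timezone-aware datetime of the check (injected for testability)
    max_valid_time  -- optional timedelta applied from the Date field when the
                       file has no Valid-Until (hypothetical local policy knob)

    'no-expiry' means nothing in the metadata itself stops an attacker from
    replaying this exact, validly signed file indefinitely.
    """
    fields = parse_release_fields(text)
    if "Date" not in fields:
        raise ValueError("Release file has no Date field")
    date = parsedate_to_datetime(fields["Date"])
    if date.tzinfo is None:
        date = date.replace(tzinfo=timezone.utc)

    valid_until = fields.get("Valid-Until")
    if valid_until is None:
        if max_valid_time is None:
            return "no-expiry"
        deadline = date + max_valid_time
    else:
        deadline = parsedate_to_datetime(valid_until)
        if deadline.tzinfo is None:
            deadline = deadline.replace(tzinfo=timezone.utc)

    return "expired" if now > deadline else "fresh"


if __name__ == "__main__":
    # Pretend the check runs a month after the metadata was published.
    later = datetime(2013, 8, 1, tzinfo=timezone.utc)
    print("with Valid-Until:", check_release_freshness(RELEASE_WITH_EXPIRY, later))
    print("without Valid-Until:", check_release_freshness(RELEASE_NO_EXPIRY, later))
    print("without Valid-Until, 7-day cap:",
          check_release_freshness(RELEASE_NO_EXPIRY, later, timedelta(days=7)))
```

The point of injecting `now` is that the signature on a replayed file verifies perfectly well; only a clock comparison against `Valid-Until` (or a locally imposed cap) reveals that the client is being held on stale metadata, which is exactly the gap for repositories that omit the field.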