Package: ftp.debian.org, apt

Hi,

In RT#744[1] an attack was brought up wherein an adversary causes the victim to use an outdated copy of the security mirror, thereby preventing the victim from getting security updates.

The attack is not new, but Debian still has very little to offer for preventing this kind of attack, or at least making it harder.

One proposed solution is to optionally add a "Valid-Until" field to Release files on at least the security archive, though it might make sense for unstable etc. also. Apt should then be changed to reject Release files that have expired, and probably also Release files from the future.

Cheers,
weasel

1. https://rt.debian.org/Ticket/Display.html?id=744

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
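
The freshness check proposed in the report above, as an added example (not part of the original message and not apt's code). It assumes "Valid-Until" carries a timestamp in the same format as the Release file's "Date" field; the function names, the sample header and the clock-skew tolerance are hypothetical.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample header, not a real Release file.
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Date: Sat, 02 Feb 2008 14:00:00 UTC\n"
    "Valid-Until: Sat, 09 Feb 2008 14:00:00 UTC\n"
    "MD5Sum:\n"
    " <constructed-checksum> 1234 main/binary-i386/Packages\n"
)
MAX_CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance for client clock drift


def parse_fields(text):
    """Collect top-level 'Key: value' fields; skip indented continuation lines."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def parse_time(value):
    """Parse a timestamp; unparseable or zone-less values yield None."""
    try:
        stamp = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return stamp if stamp.tzinfo is not None else None


def check_release(text, now, require_valid_until=False):
    """Return (accepted, reason). Call only after the signature has verified."""
    fields = parse_fields(text)
    date = parse_time(fields.get("date", ""))
    if date is None:
        return False, "missing or unparseable Date"
    if date > now + MAX_CLOCK_SKEW:
        return False, "Release file is from the future"
    if "valid-until" not in fields:  # the field is optional in the proposal
        return not require_valid_until, "no Valid-Until field"
    expiry = parse_time(fields["valid-until"])
    if expiry is None or expiry <= date:
        return False, "unparseable or inconsistent Valid-Until"
    if now > expiry:
        return False, "Release file has expired"
    return True, "ok"
```

A client would set `require_valid_until=True` for archives known to publish the field, so that a mirror cannot bypass the check by serving an older Release file that predates it.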