On Thursday 15 January 2009 22:37, Eugene V. Lyubimkin wrote:
> Florian Weimer wrote:
> > And if Valid-Until is only checked against the real-time clock, the
> > attacker can still feed bad data over NTP, so it's not even a complete
> > defense. 8-(

As there are questions about the implementation, and there's a chance we don't get it right the first time, and the release is very close, I would indeed support not rushing the change into lenny.

> However, it seems there is no better solution, or is there?

Why are we trying to invent something new here, with Valid-Until? The problem is that we want to ensure that the Release file of the security archive is actually provided by that archive and not by a man in the middle. That problem has already been solved: use https. If apt would get the release file over https from the security archive it would know it is the right one. The rest of the downloads can then happen over http.

Of course this needs APT to have some notion of what a valid certificate is for security.debian.org; that could be addressed by adding it to the debian-archive-keyring package.

cheers,
Thijs
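The clock dependency raised in the quoted text above, shown as an added example that is not part of the original message and is not APT's code: a Valid-Until check is only as good as the clock value it is compared against. The function names and the sample Release header are constructed for illustration.

```python
from datetime import datetime, timezone

# Date format used by the Date and Valid-Until fields of a Release file.
FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample Release header (values made up for this example).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Thu, 15 Jan 2009 20:00:00 UTC
Valid-Until: Thu, 22 Jan 2009 20:00:00 UTC
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace: skip them.
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def check_freshness(text, now):
    """Classify a Release file against the clock value `now` (aware, UTC).

    `now` is whatever the local clock reports; the check cannot tell
    whether that clock is right.
    """
    fields = parse_fields(text)
    if "Valid-Until" not in fields:
        return "no-valid-until"   # nothing bounds how long a replay works
    if now > parse_date(fields["Valid-Until"]):
        return "expired"          # stale copy rejected
    if "Date" in fields and parse_date(fields["Date"]) > now:
        return "clock-behind"     # file dated in the future: clock is suspect
    return "fresh"
```

With the true date of 1 February 2009 the sample is rejected as expired; with a clock reporting 16 January 2009 the same stale file is classified as fresh, and only a clock earlier than the file's own Date is detectable.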