Andrei Popescu <andreimpopescu <at> gmail.com> writes:

> How about distributing the Release files *only* from a trusted server?
>
> Regards,
> Andrei
That is problematic, as it does not deal with mirror synchronization properly. If a mirror takes a few hours to update, its Packages files may not be up to date during those hours, resulting in apt claiming the Packages file is not validly signed.

I see no benefits over re-signing the Release file daily, even if none of the Packages files (and hence the checksums and Release file itself) have changed, with apt then complaining if Release.gpg has a signature that is too old. This adds security against the published attack for testing users who do not use testing-security as well as sid users. It also helps warn users about non-malicious stale mirrors.

As my post made clear, stable is already secure against the published attack. The other attack I mentioned (the attack of attempting to exploit a flaw in any client that requests a security update) cannot be fixed in the general case, except by clients using a trusted server, or a trusted proxy that does not reveal the true requesting system's IP. Stable is safe because the security servers are trusted. Users of testing or sid should choose servers they trust or some form of trusted proxy.
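The freshness rule proposed above, as an added example that is not part of the thread: apt's Release file records the signing time in its Date field and, in current archives, an expiry in Valid-Until, so a client can flag a stale or replayed Release independently of whether the signature itself still verifies. The code below parses a constructed Release file, classifies its age, and checks a Packages index against the recorded SHA256; verification of Release.gpg is assumed to have happened already, and the Valid-Until window and one-day staleness threshold are illustrative choices.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Packages index and Release file; not taken from any real mirror.
PACKAGES = b"Package: hello\nVersion: 2.2-1\nArchitecture: i386\n"
RELEASE = (
    "Suite: testing\n"
    "Date: Sat, 05 Jan 2008 09:00:00 UTC\n"
    "Valid-Until: Sat, 12 Jan 2008 09:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
)

def parse_release(text):
    """Split a Release file into header fields and per-algorithm checksum maps."""
    fields, sums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            digest, size, path = line.split()
            sums.setdefault(current, {})[path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            if key in ("MD5Sum", "SHA1", "SHA256"):
                current = key            # following indented lines are checksums
            else:
                current, fields[key] = None, value.strip()
    return fields, sums

def check_freshness(fields, now, max_age=timedelta(days=1)):
    """'expired' if past Valid-Until, 'stale' if Date is older than max_age, else 'fresh'."""
    signed = parsedate_to_datetime(fields["Date"])
    if "Valid-Until" in fields and now > parsedate_to_datetime(fields["Valid-Until"]):
        return "expired"
    if now - signed > max_age:
        return "stale"
    return "fresh"

def verify_index(sums, path, data):
    """Compare a downloaded index against the SHA256 entry recorded in Release."""
    digest, size = sums["SHA256"][path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def utc(*ymdh):
    """Constructed clock value (year, month, day, hour) for the checks."""
    return datetime(*ymdh, tzinfo=timezone.utc)

if __name__ == "__main__":
    fields, sums = parse_release(RELEASE)
    print(check_freshness(fields, utc(2008, 1, 8, 9)))   # mirror three days behind: "stale"
```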