Nick Phillips <[email protected]> writes:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:

>> Point.  We should have documentation for what the minimum signing
>> frequency we guarantee is, particularly for the security archive.
>> Then, people who are willing to suffer from mirror issues if they're
>> slow can just use that.

> It seems to me that "Valid-Until" was a mistake in the first place; the
> date on which it was signed and the frequency with which it is expected
> to be re-signed are needed (whether this information is in the file
> itself or just in the docs), and it's up to the client to decide how old
> is acceptable given this information.

I approve of us putting a ceiling on how long the client should trust the
signature.  The client can always ignore Valid-Until if they really want
to, but this way we're explicit about our recommendations.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
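
The two positions in this exchange can be combined in one client-side check, shown here as an added example that is not part of the original message or of APT's code: the archive's Valid-Until acts as a ceiling, and a hypothetical client_max_age policy (counted from Date) can only tighten it. The Release text is a constructed sample, and the check assumes the file's signature has already been verified.

```python
from datetime import datetime, timedelta, timezone

# Timestamp layout used by the constructed sample below.
FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample Release header (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 01 Nov 2014 12:00:00 UTC
Valid-Until: Sat, 08 Nov 2014 12:00:00 UTC
"""


def parse_fields(text):
    """Return the top-level 'Key: value' header lines as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith(" "):  # skip continuation lines
            fields[key.strip()] = value.strip()
    return fields


def parse_ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def check_freshness(text, now, client_max_age=None):
    """Return (ok, reason). client_max_age is a hypothetical client policy."""
    fields = parse_fields(text)
    if "Date" not in fields:
        return False, "no Date field"
    signed = parse_ts(fields["Date"])
    # Archive's recommendation: the ceiling on how long to trust the signature.
    deadline = parse_ts(fields["Valid-Until"]) if "Valid-Until" in fields else None
    # Client policy: may shorten the window, never extend it past the ceiling.
    if client_max_age is not None:
        client_deadline = signed + client_max_age
        deadline = client_deadline if deadline is None else min(deadline, client_deadline)
    if deadline is None:
        return True, "no expiry enforced"
    if now > deadline:
        return False, f"stale: expired {deadline.isoformat()}"
    return True, f"fresh until {deadline.isoformat()}"
```
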