On 2025-09-21 13:46:57 -0400, Michael Stone wrote:
> On Sun, Sep 21, 2025 at 07:32:34PM +0200, Vincent Lefevre wrote:
> > On 2025-09-21 13:11:28 -0400, Michael Stone wrote:
> > > On Sun, Sep 21, 2025 at 07:09:54PM +0200, Vincent Lefevre wrote:
> > > > With HTTP, connections can be redirected to a repository with
> > > > obsolete, vulnerable packages.
> > > 
> > > No they can't, there's a signed timestamp in the metadata and apt will
> > > warn if the repository isn't up to date.
> > 
> > There's no mention of such a timestamp there:
> > 
> > https://www.reddit.com/r/linux/comments/aidxwa/why_does_apt_not_use_https/
> 
> well, I don't really care about a random reddit thread ¯\_(ツ)_/¯
> 
> https://wiki.debian.org/DebianRepository/Format
Do you mean the Valid-Until field? But it is said: "Client behaviour on
expired Release files is unspecified."

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
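The point the thread circles around is what a client does with the Date and Valid-Until fields of a Release file: when Valid-Until is present and has passed, a mirror (or anything sitting between the client and the mirror over plain HTTP) serving stale metadata can be detected; when it is absent, the format specification leaves the outcome to the client. The following is an added example, not code from the thread, from apt or from the Debian wiki; it parses a constructed Release file in the wiki's "Key: value" layout and classifies it against a supplied "now". The "too-old" policy (a maximum age applied when there is no Valid-Until) is this example's own choice; apt's real handling of these fields is configured through options such as Acquire::Check-Valid-Until in apt.conf(5), which this snippet does not reproduce.

```python
"""Freshness check for a Debian-style Release file (added example, not apt code)."""
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample Release file; not real Debian metadata. The hash line
# is the SHA-256 of the empty string, used purely as filler.
SAMPLE_RELEASE = """\
Origin: Example
Label: Example
Suite: stable
Codename: example
Date: Sat, 13 Sep 2025 10:17:02 UTC
Valid-Until: Sat, 20 Sep 2025 10:17:02 UTC
Architectures: amd64
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Same file without Valid-Until: the case the spec leaves unspecified.
SAMPLE_RELEASE_NO_EXPIRY = SAMPLE_RELEASE.replace(
    "Valid-Until: Sat, 20 Sep 2025 10:17:02 UTC\n", "")


def parse_release(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict.

    Continuation lines (leading whitespace) belong to the hash lists and are
    skipped; only the scalar header fields are needed for the freshness check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(fields, now, max_age=None):
    """Classify parsed Release fields relative to `now` (an aware datetime).

    Returns one of:
      "fresh"        Valid-Until is present and still in the future
      "expired"      Valid-Until is present and has passed (stale metadata)
      "too-old"      no Valid-Until, but Date is older than max_age
                     (a local policy chosen by this example, not apt's)
      "unspecified"  no Valid-Until and no max_age: the format leaves
                     client behaviour unspecified here
    Raises ValueError if the Date field is missing.
    """
    if "Date" not in fields:
        raise ValueError("Release file has no Date field")
    created = parsedate_to_datetime(fields["Date"])
    if "Valid-Until" in fields:
        expiry = parsedate_to_datetime(fields["Valid-Until"])
        return "fresh" if now < expiry else "expired"
    if max_age is not None and now - created > max_age:
        return "too-old"
    return "unspecified"


def evaluate_release(text, now_str, max_age_days=None):
    """Convenience wrapper: `now_str` is an RFC 2822 date string in the same
    format the Release file uses; `max_age_days` is the optional local policy."""
    now = parsedate_to_datetime(now_str)
    max_age = timedelta(days=max_age_days) if max_age_days is not None else None
    return check_freshness(parse_release(text), now, max_age)


if __name__ == "__main__":
    # The thread was written on 2025-09-21; judge the sample as of that day.
    for label, text in (("with Valid-Until", SAMPLE_RELEASE),
                        ("without Valid-Until", SAMPLE_RELEASE_NO_EXPIRY)):
        for days in (None, 7):
            print(label, "max_age_days=%s:" % days,
                  evaluate_release(text, "Sun, 21 Sep 2025 12:00:00 UTC", days))
```

Run as of 21 September 2025, the sample with Valid-Until is reported as expired, while the copy without it is only caught when the caller supplies a maximum-age policy; that gap is exactly why the thread's question about unspecified client behaviour matters.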

