Wednesday, 23 November 2016

Re: Rejecting SHA1-signed repositories by default (Ubuntu edition)

On Thu, Nov 24, 2016 at 08:39:18AM +0100, Julian Andres Klode wrote:
> On Wed, Nov 23, 2016 at 04:46:57PM -0800, Seth Arnold wrote:
> > On Thu, Nov 24, 2016 at 01:19:12AM +0100, Julian Andres Klode wrote:
> > May I also ask for the Valid-Until: lines to be turned on for zesty and
> > newer releases at the same time? I've heard various reasons why we don't
> > use it:
>
> That would be nice IMO. APT supports it already, so it's only a matter
> of turning it on in the archive.
>
> >
> > - An attacker could simply supply valid lists from before we started
> > enforcing valid-until
>
> That's a thing we can fix:
>
> Just reject downgrading from a Release file with Valid-Until
> to one without Valid-Until (this means you can't ever remove a
> Valid-Until field again, but you can of course set it to a very
> far future like the year 9999 or something).

That said, it seems that we reject updating to a file with an older
value in Date - we basically treat it like a "Hit" - that is, as if
it's the same file we already have - and ignore it.

--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
| Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.

--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel