Please support Valid-Until in release files for security.ubuntu.com
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Launchpad itself |
Low
|
Unassigned | ||
| | Linux Mint |
Undecided
|
Unassigned | ||
Bug Description
Debian and apt have a new feature that we should support as well:
Valid-Until: header
This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewrite periodically even if there is nothing to publish. The client verifies after a update that it did the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that a attacker who controlls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.
| Changed in launchpad: | |
| status: | New → Triaged |
| importance: | Undecided → Low |
| tags: | added: feature releases |
| tags: |
added: soyuz-publish removed: releases |
| summary: |
- Please support InRelease files and Valid-Until in release files + Please support Valid-Until in release files for security.ubuntu.com |
| description: | updated |
| Michael Vogt (mvo) wrote : | #1 |
| Michael Vogt (mvo) wrote : | #2 |
Can we please reconsider the importance of this? Its a relatively small feature but at the same time fixes is important as a security feature.
| Jacob (jacob11) wrote : | #3 |
Fix it please.
| Alba Nader (sharepass12) wrote : | #4 |
Please fix.
| chemicalfan (mike-lumsden) wrote : | #5 |
Is this still an issue with the current Mint (Qiana/17) release?
| Seth Arnold (seth-arnold) wrote : | #6 |
This would still be nice to have. Thanks.
Just to clarify a few points about this:
- initially we only need this for security.ubuntu.com
- every time there is a rewrite of the Release file make Valid-Until valid for two more weeks
- if there was no security update for a week regenerate the valid-until in the release file (and resign of course) and make it valid for 2 weeks again
- when a distro is EOL the Release file does not have to be updated anymore. the user will see errors that $distro-security is no longer valid, but that is ok, because its a valid error and the user is no longer secure