Please support Valid-Until in release files for

Bug #716535 reported by Michael Vogt
This bug affects 10 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Linux Mint

Bug Description

Debian and apt have a new feature that we should support as well:

Valid-Until: header
 This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewrite periodically even if there is nothing to publish. The client verifies after a update that it did the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that a attacker who controlls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.

Curtis Hovey (sinzui)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: feature releases
William Grant (wgrant)
tags: added: soyuz-publish
removed: releases
Michael Vogt (mvo)
summary: - Please support InRelease files and Valid-Until in release files
+ Please support Valid-Until in release files for
description: updated
Revision history for this message
Michael Vogt (mvo) wrote :

Just to clarify a few points about this:

- initially we only need this for
- every time there is a rewrite of the Release file make Valid-Until valid for two more weeks
- if there was no security update for a week regenerate the valid-until in the release file (and resign of course) and make it valid for 2 weeks again
- when a distro is EOL the Release file does not have to be updated anymore. the user will see errors that $distro-security is no longer valid, but that is ok, because its a valid error and the user is no longer secure

Revision history for this message
Michael Vogt (mvo) wrote :

Can we please reconsider the importance of this? Its a relatively small feature but at the same time fixes is important as a security feature.

Revision history for this message
Jacob (jacob11) wrote :

Fix it please.

Revision history for this message
Alba Nader (sharepass12) wrote :

Please fix.

Revision history for this message
chemicalfan (mike-lumsden) wrote :

Is this still an issue with the current Mint (Qiana/17) release?

Revision history for this message
Seth Arnold (seth-arnold) wrote :

This would still be nice to have. Thanks.

Changed in launchpad:
assignee: nobody → Julian Andres Klode (juliank)
Changed in launchpad:
status: Triaged → In Progress
Changed in launchpad:
assignee: Julian Andres Klode (juliank) → nobody
status: In Progress → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.