Please support Valid-Until in release files for

Bug #716535 reported by Michael Vogt
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Linux Mint

Bug Description

Debian and apt have a new feature that we should support as well:

Valid-Until: header
 This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewritten periodically even if there is nothing to publish. After an update, the client verifies that the Valid-Until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that, an attacker who controls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.

Curtis Hovey (sinzui)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: feature releases
William Grant (wgrant)
tags: added: soyuz-publish
removed: releases
Michael Vogt (mvo)
summary: - Please support InRelease files and Valid-Until in release files
+ Please support Valid-Until in release files for
description: updated
Michael Vogt (mvo) wrote :

Just to clarify a few points about this:

- initially we only need this for
- every time there is a rewrite of the Release file make Valid-Until valid for two more weeks
- if there was no security update for a week, regenerate the Valid-Until in the Release file (and re-sign, of course) and make it valid for 2 weeks again
- when a distro is EOL the Release file does not have to be updated anymore. The user will see errors that $distro-security is no longer valid, but that is OK, because it's a valid error and the user is no longer secure
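
The client check from the bug description and the regeneration policy from the comment above, as an added Python sketch that is not part of the bug report or Launchpad's code. The function names and the sample Release text are constructed for illustration; it assumes the file's signature has already been verified and, as a policy of this sketch, rejects a file with no Valid-Until header.

```python
from datetime import datetime, timedelta, timezone

FMT = "%a, %d %b %Y %H:%M:%S UTC"   # date format shown in the bug description
VALIDITY = timedelta(weeks=2)       # "valid for two more weeks"
REFRESH_AFTER = timedelta(weeks=1)  # "no security update for a week"


def parse_headers(release_text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in release_text.splitlines():
        # Indented lines are checksum entries, not header fields.
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def _when(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def client_accepts(release_text, now):
    """Client side: reject a Release file whose Valid-Until has passed."""
    fields = parse_headers(release_text)
    if "Valid-Until" not in fields:
        return False  # assumption of this sketch: the header is mandatory
    return now <= _when(fields["Valid-Until"])


def publisher_refresh(release_text, now):
    """Publisher side: new (Date, Valid-Until) if a re-sign is due, else None."""
    fields = parse_headers(release_text)
    if now - _when(fields["Date"]) < REFRESH_AFTER:
        return None
    return now.strftime(FMT), (now + VALIDITY).strftime(FMT)


# Constructed sample, not a real archive's Release file.
SAMPLE = """Origin: Example
Suite: example-security
Date: Sat, 05 Feb 2011 21:32:12 UTC
Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC
SHA256:
 0000 0 main/binary-amd64/Packages
"""
```

A replayed copy of `SAMPLE` still carries a valid signature, so only the date comparison in `client_accepts` tells the client that it is stale.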

Michael Vogt (mvo) wrote :

Can we please reconsider the importance of this? It's a relatively small feature, but at the same time fixing it is important as a security feature.

Jacob (jacob11) wrote :

Fix it please.

Alba Nader (sharepass12) wrote :

Please fix.

chemicalfan (mike-lumsden) wrote :

Is this still an issue with the current Mint (Qiana/17) release?

Seth Arnold (seth-arnold) wrote :

This would still be nice to have. Thanks.

Changed in launchpad:
assignee: nobody → Julian Andres Klode (juliank)
Changed in launchpad:
status: Triaged → In Progress
Changed in launchpad:
assignee: Julian Andres Klode (juliank) → nobody
status: In Progress → Confirmed