Please support Valid-Until in release files for security.ubuntu.com

Bug #716535 reported by Michael Vogt on 2011-02-10
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | | Low | Julian Andres Klode |
Linux Mint | New | Undecided | Unassigned |

Bug Description

Debian and apt have a new feature that we should support as well:

Valid-Until: header
 This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewritten periodically even if there is nothing to publish. The client verifies, after an update that it did, that the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that an attacker who controls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.

Curtis Hovey (sinzui) on 2011-02-10
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: feature releases
William Grant (wgrant) on 2011-02-10
tags: added: soyuz-publish
removed: releases
Michael Vogt (mvo) on 2011-07-01
summary: - Please support InRelease files and Valid-Until in release files
+ Please support Valid-Until in release files for security.ubuntu.com
description: updated
Michael Vogt (mvo) wrote :

Just to clarify a few points about this:

- initially we only need this for security.ubuntu.com
- every time there is a rewrite of the Release file make Valid-Until valid for two more weeks
- if there was no security update for a week regenerate the valid-until in the release file (and re-sign of course) and make it valid for 2 weeks again
- when a distro is EOL the Release file does not have to be updated anymore. The user will see errors that $distro-security is no longer valid, but that is ok, because it's a valid error and the user is no longer secure
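
The client-side expiry check from the bug description and the two-week / one-week re-signing schedule from the comment above, as an added example that is not part of the original report and is not apt or Launchpad code. The function names, the sample header and its suite name are constructed, and the Release file is assumed to have passed signature verification already.

```python
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(weeks=2)       # policy from the comment above
REFRESH_AFTER = timedelta(weeks=1)  # re-sign after a week without changes
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample header; the suite name is a placeholder.
SAMPLE_RELEASE = """\
Origin: Ubuntu
Suite: example-security
Date: Sat, 05 Feb 2011 21:32:12 UTC
Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC
"""

def release_dates(text):
    """Return the Date and Valid-Until fields of a Release file as UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Date", "Valid-Until"):
            parsed = datetime.strptime(value.strip(), DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    return found

def client_check(text, now):
    """Client side: classify an already signature-verified Release file."""
    valid_until = release_dates(text).get("Valid-Until")
    if valid_until is None:
        return "no-expiry"  # a replayed old file cannot be told from a current one
    return "expired" if now > valid_until else "fresh"

def publisher_refresh(text, now):
    """Publisher side: new (Date, Valid-Until) if a re-sign is due, else None."""
    date = release_dates(text).get("Date")
    if date is not None and now - date < REFRESH_AFTER:
        return None
    return now, now + VALIDITY

if __name__ == "__main__":
    # A correctly signed but stale copy, served to the client on 1 March 2011.
    replay_time = datetime(2011, 3, 1, tzinfo=timezone.utc)
    print(client_check(SAMPLE_RELEASE, replay_time))
    refreshed = publisher_refresh(SAMPLE_RELEASE, replay_time)
    print("Valid-Until:", refreshed[1].strftime(DATE_FMT))
```

The "no-expiry" result is the situation the report wants closed: without the header, a signed Release file of any age still verifies.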

Michael Vogt (mvo) wrote :

Can we please reconsider the importance of this? It's a relatively small feature but at the same time fixing it is important as a security feature.

Jacob (jacob11) wrote :

Fix it please.

Alba Nader (sharepass12) wrote :

Please fix.

chemicalfan (mike-lumsden) wrote :

Is this still an issue with the current Mint (Qiana/17) release?

Seth Arnold (seth-arnold) wrote :

This would still be nice to have. Thanks.

Changed in launchpad:
assignee: nobody → Julian Andres Klode (juliank)
Changed in launchpad:
status: Triaged → In Progress