2011-02-10 16:57:35 |
Michael Vogt |
bug |
|
|
added bug |
2011-02-10 17:14:26 |
Curtis Hovey |
launchpad: status |
New |
Triaged |
|
2011-02-10 17:14:28 |
Curtis Hovey |
launchpad: importance |
Undecided |
Low |
|
2011-02-10 17:14:50 |
Curtis Hovey |
tags |
|
feature releases |
|
2011-02-10 22:08:16 |
William Grant |
tags |
feature releases |
feature soyuz-publish |
|
2011-07-01 11:14:41 |
Michael Vogt |
summary |
Please support InRelease files and Valid-Until in release files |
Please support Valid-Until in release files for security.ubuntu.com |
|
2011-07-01 11:16:21 |
Michael Vogt |
description |
Hi,
Debian has two new features for Release files that we should support as well:
InRelease
That is just the release file with a inline signature (e.g. http://security.debian.org/debian-security/dists/lenny/updates/InRelease)
One nice property is that Release and Release.gpg can no longer get out-of-sync
Valid-Until: header
This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewrite periodically even if there is nothing to publish. The client verifies after a update that it did the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that a attacker who controlls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates. |
Debian and apt have a new feature that we should support as well:
Valid-Until: header
This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewrite periodically even if there is nothing to publish. The client verifies after a update that it did the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that a attacker who controlls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates. |
|
2011-07-01 13:27:03 |
Steve Beattie |
bug |
|
|
added subscriber Ubuntu Security Team |
2011-07-01 13:58:03 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
2012-03-04 22:42:10 |
Jan Claeys |
bug |
|
|
added subscriber Jan Claeys |
2013-03-23 16:34:04 |
Gaurav Juvekar |
bug task added |
|
linuxmint |
|
2013-06-23 11:28:33 |
Pavel Malyshev |
bug |
|
|
added subscriber Pavel Malyshev |
2013-06-23 13:08:19 |
papukaija |
bug |
|
|
added subscriber papukaija |
2014-08-18 11:03:40 |
Chris Smith |
bug |
|
|
added subscriber Chris Smith |
2015-03-09 15:21:58 |
James Troup |
bug |
|
|
added subscriber The Canonical Sysadmins |
2016-11-04 13:29:05 |
Vincent Ladeuil |
bug |
|
|
added subscriber Vincent Ladeuil |
2016-11-07 00:02:58 |
Haw Loeung |
bug |
|
|
added subscriber Haw Loeung |
2018-01-30 22:03:12 |
Julian Andres Klode |
launchpad: assignee |
|
Julian Andres Klode (juliank) |
|
2018-01-30 22:48:11 |
Julian Andres Klode |
launchpad: status |
Triaged |
In Progress |
|
2018-01-30 22:49:33 |
Simon Quigley |
bug |
|
|
added subscriber Simon Quigley |
2020-04-20 16:21:47 |
Julian Andres Klode |
launchpad: assignee |
Julian Andres Klode (juliank) |
|
|
2020-04-20 16:22:12 |
Julian Andres Klode |
launchpad: status |
In Progress |
Confirmed |
|
2022-10-06 00:19:36 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2024-08-20 17:15:57 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~juliank/launchpad/+git/launchpad/+merge/471638 |
|