Comment 0 for bug 716535

Michael Vogt (mvo) wrote : Please support InRelease files and Valid-Until in release files

Hi,

Debian has two new features for Release files that we should support as well:

InRelease
 That is just the release file with an inline signature (e.g. http://security.debian.org/debian-security/dists/lenny/updates/InRelease)
 One nice property is that Release and Release.gpg can no longer get out-of-sync

Valid-Until: header
 This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewritten periodically even if there is nothing to publish. The client verifies after an update that the Valid-Until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that an attacker who controls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.
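The Valid-Until check described in the report, as an added illustration that is not part of the bug report and not apt's own code: it parses the top-level fields of a Release file, compares the Valid-Until timestamp against the client's clock, and rejects a file that is past its expiry or that claims a Date in the future. The Release text, the field names beyond Date and Valid-Until, the five-minute skew allowance and the function names are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file; the hash line and archive names are made up.
SAMPLE_RELEASE = """Origin: Example
Label: Example
Suite: stable
Codename: example
Date: Sat, 12 Feb 2011 21:32:12 UTC
Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC
Architectures: amd64 i386
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Tolerance for clock differences between the archive and the client (assumed value).
CLOCK_SKEW = timedelta(minutes=5)


def parse_release_fields(text):
    """Return the top-level 'Field: value' pairs of a Release file.

    Indented continuation lines (the per-file hash lists) are skipped; they
    belong to the preceding field and are not needed for the freshness check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t" or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def parse_release_date(value):
    """Parse an RFC 1123 style timestamp such as 'Sat, 19 Feb 2011 21:32:12 UTC'
    into a timezone-aware UTC datetime."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_release_freshness(text, now):
    """Decide whether a (signature-verified) Release file may still be trusted.

    Returns (accepted, reason). A stale file replayed by a hostile proxy fails
    the Valid-Until comparison even though its signature is genuine.
    """
    fields = parse_release_fields(text)

    date = fields.get("Date")
    if date is None:
        return False, "Release file has no Date field"
    if parse_release_date(date) > now + CLOCK_SKEW:
        return False, "Release file Date lies in the future"

    valid_until = fields.get("Valid-Until")
    if valid_until is None:
        # Archive does not publish an expiry; freshness cannot be verified.
        return True, "no Valid-Until field, freshness not verifiable"

    expiry = parse_release_date(valid_until)
    if now > expiry:
        return False, "Release file expired at %s" % expiry.isoformat()
    return True, "Release file valid until %s" % expiry.isoformat()


if __name__ == "__main__":
    for when in (datetime(2011, 2, 15, tzinfo=timezone.utc),
                 datetime(2011, 2, 20, tzinfo=timezone.utc)):
        print(when.date(), check_release_freshness(SAMPLE_RELEASE, when))
```

Run with a client clock of 15 February 2011 the sample file is accepted; with a clock of 20 February 2011 it is rejected as expired, which is exactly the case where a network attacker keeps serving last week's archive.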