Please support Valid-Until in release files for security.ubuntu.com
Bug #716535 reported by
Michael Vogt
This bug affects 10 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Confirmed
|
Low
|
Unassigned | ||
Linux Mint |
New
|
Undecided
|
Unassigned |
Bug Description
Debian and apt have a new feature that we should support as well:
Valid-Until: header
This prevents "stale-proxy" attacks against our users. It means the Release file needs to get rewrite periodically even if there is nothing to publish. The client verifies after a update that it did the valid-until header is good (e.g. Valid-Until: Sat, 19 Feb 2011 21:32:12 UTC). Without that a attacker who controlls the network can just redirect traffic to a stale version of the archive and prevent the user from getting security updates.
Related branches
~juliank/launchpad:valid-until
Ready for review
for merging
into
launchpad:master
- Guruprasad: Needs Fixing
-
Diff: 83 lines (+45/-4)1 file modifiedlib/lp/archivepublisher/publishing.py (+45/-4)
Changed in launchpad: | |
status: | New → Triaged |
importance: | Undecided → Low |
tags: | added: feature releases |
tags: |
added: soyuz-publish removed: releases |
summary: |
- Please support InRelease files and Valid-Until in release files + Please support Valid-Until in release files for security.ubuntu.com |
description: | updated |
Changed in launchpad: | |
assignee: | nobody → Julian Andres Klode (juliank) |
Changed in launchpad: | |
status: | Triaged → In Progress |
Changed in launchpad: | |
assignee: | Julian Andres Klode (juliank) → nobody |
status: | In Progress → Confirmed |
To post a comment you must log in.
Just to clarify a few points about this:
- initially we only need this for security.ubuntu.com
- every time there is a rewrite of the Release file make Valid-Until valid for two more weeks
- if there was no security update for a week regenerate the valid-until in the release file (and resign of course) and make it valid for 2 weeks again
- when a distro is EOL the Release file does not have to be updated anymore. the user will see errors that $distro-security is no longer valid, but that is ok, because its a valid error and the user is no longer secure