On Mon, 29 Sep 2014, Christoph Anton Mitterer wrote:
> Now to deal with your concern of larger outages:
> 2) Just because there are no valid [In]Release* files, it doesn't mean
> that those mirrors and their repositories can't be used any longer. The
> data is still there as it was before.
> An application like apt/aptitude/etc. could simply give the user an
> error, telling that the files have expired for hh:mm and could give the
> user an option to nevertheless trust them.
> And the same options could be provided for batch modes.

This is not making any sense anymore.

Step back and think about your threat model in the first place. The *entire* threat model, not whatever small part of it that looks easily fixable by a severe reduction to the inrelease validity period (which you have already been told by several Debian archive ops _and_ mirror ops people to be very much a Bad Idea).

Now, if you want us to add per-repository validity overrides to source.lists that can *reduce* the range APT will accept, so that the local admin can tighten things, that's fine.

If you're going to propose some sort of tiered system and a way for apt to actually know it is OK to use this "updates not often at all" fallback mirror as long as it also has a mirror from the "fresh stuff only" tier, that would be at least sensible...

Would those help? I don't know, that's what the full threat model analysis is for.

> IMHO it's quite dangerous if people start to negotiate security for
> technical reasons, the wellness-factor of users or for historical
> reasons. Attackers simply don't care about this.

"secure" means "available to those that should be able to access it, when they should be able to access it, in the way they should be able to access it", just as much as the negative forms.

So, can we get now some alternative proposals that address the fact that some mirrors need >48H validity, and many leaf mirrors really want at least a week? Or to help apt detect it is using a mirror that is more outdated than expected, which *is* the reason 99,999% of our users ever suffer an "unintended downgrade attack" ?

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: https://lists.debian.org/20140929110845.ga20...@khazad-dum.debian.net
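The two ideas raised in the message above (a local override that can only shorten the accepted validity window, and detecting a mirror that lags behind a fresher one) can be sketched as follows. This is an added example, not code from the thread or from APT; the function names, the 48-hour lag threshold and the sample Release headers are assumptions, and only the `Date` and `Valid-Until` Release fields are taken as given.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not taken from a real archive).
FRESH = ("Origin: Example\nSuite: stable\n"
         "Date: Sun, 28 Sep 2014 08:00:00 UTC\n"
         "Valid-Until: Sun, 05 Oct 2014 08:00:00 UTC\n")
LEAF = ("Origin: Example\nSuite: stable\n"
        "Date: Wed, 24 Sep 2014 08:00:00 UTC\n"
        "Valid-Until: Wed, 01 Oct 2014 08:00:00 UTC\n")

def release_times(text):
    """Return (Date, Valid-Until) as aware datetimes; Valid-Until may be None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line[0].isspace():      # skip continuation lines
            fields[key] = value.strip()
    def ts(name):
        if name not in fields:
            return None
        dt = parsedate_to_datetime(fields[name])
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return ts("Date"), ts("Valid-Until")

def effective_expiry(text, local_max=None):
    """Expiry after a local override that can only tighten, never extend."""
    date, valid_until = release_times(text)
    candidates = [valid_until] if valid_until else []
    if local_max is not None:
        candidates.append(date + local_max)
    return min(candidates) if candidates else None

def check_mirrors(releases, now, local_max=None, max_lag=timedelta(hours=48)):
    """releases maps mirror name -> Release text; returns name -> problems."""
    newest = max(release_times(t)[0] for t in releases.values())
    report = {}
    for name, text in releases.items():
        problems = []
        expiry = effective_expiry(text, local_max)
        if expiry is not None and now > expiry:
            problems.append("expired")
        if newest - release_times(text)[0] > max_lag:  # behind a fresher mirror
            problems.append("stale")
        report[name] = problems
    return report

if __name__ == "__main__":
    now = datetime(2014, 9, 29, 11, 8, tzinfo=timezone.utc)
    print(check_mirrors({"fresh": FRESH, "leaf": LEAF}, now, timedelta(days=3)))
```

The signature on the Release file must already have been verified before these fields are trusted; the staleness comparison only works when at least one configured mirror is actually current.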