Re: Bug#499897: preventing replay attacks against the security archive

To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 24 Nov 2008 10:00:00 +0100
Message-id: <[🔎] 87fxlh1otr.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 4929C9FE.2050102@gmail.com> (Eugene V. Lyubimkin's message of "Sun, 23 Nov 2008 23:24:14 +0200")
References: <200809240804.34689.thijs@debian.org> <87y71gqpri.fsf@delenn.ganneff.de> <20080925164820.GA20313@durotan.0x539.de> <200809252212.31938.thijs@debian.org> <20080925213150.GF15136@anguilla.noreply.org> <5424e003e946d9d52abb5aaaf485cd6f.squirrel@wm.kinkhorst.nl> <[🔎] 87ljvauqod.fsf@vorlon.ganneff.de> <[🔎] 4929C9FE.2050102@gmail.com>

* Eugene V. Lyubimkin:

> Should this be incorporated into apt in Lenny? It's not hard to
> apply the patch from Thomas, but it doesn't address feature that apt
> should not accept Release files without 'Valid-Until' entry after
> seeing it once earlier.

Does it use the real-time clock, or does it record Valid-Until
regressions in some other way?

If it uses the real-time clock, it doesn't fix the issue because our
users typically haven't got a secure time source.

Reply to:

Follow-Ups:
- Re: Bug#499897: preventing replay attacks against the security archive
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>

References:
- Re: Bug#499897: preventing replay attacks against the security archive
  - From: Joerg Jaspert <joerg@debian.org>
- Re: Bug#499897: preventing replay attacks against the security archive
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>

Prev by Date: Bug#499897: illustration
Next by Date: Bug#499897: illustration
Previous by thread: Re: Bug#499897: preventing replay attacks against the security archive
Next by thread: Re: Bug#499897: preventing replay attacks against the security archive
Index(es):
- Date
- Thread