[liberationtech] secure download tool - doesn't exist?!?
intrigeri
intrigeri at boum.org
Wed Jul 3 01:47:37 PDT 2013
Hi,
Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>> version you intended to download, and not an older, also properly
>>> signed one.
[...]
>> Does Debian's "Valid-Until" field in the release files solve this problem?
> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
> field in the release file for Debian security updates is indeed intended to address
> replay attacks.
The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week. This is sometimes good enough.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
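The replay window intrigeri describes above can be checked mechanically. The following is an added example, not code from this thread and not APT's own implementation: it parses the `Date` and `Valid-Until` fields of a Debian-style Release file (the sample Release excerpt and its one-week validity period are constructed for illustration) and rejects a still-validly-signed file once its `Valid-Until` has passed. It also shows the other half of the point: when the repository omits `Valid-Until`, the replay window is unbounded unless the client imposes its own age limit on `Date`. Signature verification is assumed to have already succeeded and is not modelled.

```python
"""Freshness check for a Debian-style Release file (added example).

A replayed Release file is one an attacker re-serves after a newer one
exists; it still carries a valid signature, so only a time bound on the
file itself can catch it.  That bound is the Valid-Until field.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: a Release file excerpt with a one-week validity
# window (dates in the RFC 2822 style Debian uses).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Date: Mon, 01 Jul 2013 10:00:00 UTC
Valid-Until: Mon, 08 Jul 2013 10:00:00 UTC
Architectures: amd64
"""

# Same sample with Valid-Until stripped: a repository that does not use
# the mechanism at all.
SAMPLE_RELEASE_NO_EXPIRY = "\n".join(
    line for line in SAMPLE_RELEASE.splitlines()
    if not line.startswith("Valid-Until:")
) + "\n"


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields as a dict.

    Continuation lines (indented, e.g. the SHA256 hash lists) are skipped;
    only the header-style fields matter here.
    """
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(release_text, now, max_age=None):
    """Decide whether a (signature-verified) Release file is still fresh.

    Returns (ok, reason).  `now` must be a timezone-aware datetime.
    If Valid-Until is present, it is authoritative.  If it is absent, the
    file is accepted unless the caller supplies `max_age`, in which case the
    Date field must be no older than that.
    """
    fields = parse_release_fields(release_text)
    valid_until = fields.get("Valid-Until")
    date = fields.get("Date")

    if valid_until is None:
        if max_age is None:
            # Nothing bounds how long an old file can be replayed.
            return True, "no Valid-Until field; replay window is unbounded"
        if date is None:
            return False, "no Valid-Until and no Date field"
        age = now - parsedate_to_datetime(date)
        if age > max_age:
            return False, "no Valid-Until and Date is older than max_age"
        return True, "no Valid-Until; Date within caller's max_age"

    expiry = parsedate_to_datetime(valid_until)
    if now > expiry:
        return False, "Release file past Valid-Until (possible replay)"
    return True, "Release file within Valid-Until"


if __name__ == "__main__":
    for when in (datetime(2013, 7, 5, tzinfo=timezone.utc),
                 datetime(2013, 7, 20, tzinfo=timezone.utc)):
        print(when.date(), check_freshness(SAMPLE_RELEASE, when))
    print("no expiry:", check_freshness(SAMPLE_RELEASE_NO_EXPIRY,
                                        datetime(2013, 7, 20, tzinfo=timezone.utc),
                                        max_age=timedelta(days=7)))
```

The client-side `max_age` fallback is the part a downloader has to decide for itself: without it, a repository that never sets `Valid-Until` gives the client no way to tell a week-old mirror snapshot from the current one.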