On Mon, 2014-06-23 at 14:42 +0200, Jakub Wilk wrote:
> For the record, the validity periods currently are:
>
> unstable, experimental: 7 days
> testing: 7 days
>
> wheezy: no limit
> wheezy(-proposed)-updates: 7 days
> wheezy/updates at security.d.o: 10 days
> wheezy-backports: 7 days
>
> squeeze: no limit
> squeeze(-proposed)-updates: 7 days
> squeeze/updates at security.d.o: 10 days
> squeeze-lts: 7 days
>
> I agree that they could be shorter (particularly the security.d.o ones
> raised my eyebrows), but I'm not going to lose sleep over it.

Well, I just think that most of the time our Security Team does a very great job (if not hiding away issues o.O) and fixes are available in Debian very shortly after a fix is available. These guys put a lot of effort into that, but their quick response is useless if those periods are so long. It gives an attacker that can MitM (and we must expect that not only the NSA can do this) 7-10 days (!!!) to conceal updates from a system and exploit the security holes they fix. Especially since many server systems update automatically, this is quite problematic IMHO.
Cheers, Chris.
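The "freeze window" the thread argues about can be read straight off a Release file's Date and Valid-Until headers. The following is an added example, not code from the thread or from apt: it parses those two headers from a constructed sample (whose 10-day period matches the security.d.o value quoted above), reports how long a replayed copy stays acceptable, and tells whether a given clock time is already past Valid-Until.

```python
"""Measure the replay ("freeze") window granted by an APT Release file.

A Release file is signed, so an on-path attacker cannot forge it, but can
keep serving an old copy that is still inside its Valid-Until period and
thereby hide newer security updates from clients.  This script reads the
Date: and Valid-Until: headers and reports that window.  The Release text
below is constructed for illustration only.
"""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample, mirroring the header layout of a real Release file.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: wheezy
Date: Mon, 23 Jun 2014 12:00:00 UTC
Valid-Until: Thu, 03 Jul 2014 12:00:00 UTC
Architectures: amd64 i386
Components: updates/main
"""


def parse_release_headers(text):
    """Return the top-level headers as a dict; indented checksum lines are skipped."""
    headers = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue  # blank line or an indented hash entry under MD5Sum:/SHA256:
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def freeze_window_days(text):
    """Days an attacker can keep replaying this Release file before apt rejects it."""
    h = parse_release_headers(text)
    issued = parsedate_to_datetime(h["Date"])
    expires = parsedate_to_datetime(h["Valid-Until"])
    return (expires - issued) / timedelta(days=1)


def is_expired(text, now):
    """True once `now` (a datetime or an RFC 5322 date string) is past Valid-Until."""
    if isinstance(now, str):
        now = parsedate_to_datetime(now)
    expires = parsedate_to_datetime(parse_release_headers(text)["Valid-Until"])
    return now > expires


if __name__ == "__main__":
    print(f"replay window: {freeze_window_days(SAMPLE_RELEASE):.0f} days")
```

On the client side, apt's Acquire::Max-ValidTime setting (see apt.conf(5)) lets an administrator cap this window locally rather than accept whatever the archive publishes.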