Package: ftp.debian.org
Severity: important
Tags: security
Dear ftp masters,

I've thought about that before but then forgot it again, and it came back to my mind during the recent thread[0] about security that I've started on debian-devel.

As Jakub Wilk pointed out[1], these are the current validity periods for Release files:

  unstable, experimental:               7 days
  testing:                              7 days
  wheezy:                               no limit
  wheezy(-proposed)-updates:            7 days
  wheezy/updates at security.d.o:       10 days
  wheezy-backports:                     7 days
  squeeze:                              no limit
  squeeze(-proposed)-updates:           7 days
  squeeze/updates at security.d.o:      10 days
  squeeze-lts:                          7 days

IMHO all of them are far too long.

Maintainers and our Security Team are usually doing a great job in trying to provide fixes for security issues ASAP. But even if they're incorporated only hours or less after being released, an attacker can do a downgrade attack for 7-10 days and trick a system into not "seeing" these new packages.

Such a downgrade attack is very easy to perform as soon as one can MitM, and we generally must expect that not only powerful groups like the NSA and friends are able to do this.

Since many unattended systems (especially in the stable branches) are more or less automatically updated, and since an attacker that can MitM can likely also block any security announcement mails, users/admins have no chance to take note of such updates being available for 7-10 days.

I'd suggest reducing the validity to at most 1 day in all cases. Actually I'd choose much smaller values if this causes no other problems.

Many users run unstable/testing as their normal system, so it's not enough to only tighten the periods for the stable branches.

My proposal would be something like this:

  unstable/testing:                           4-12 hours
  [wheezy|squeeze]/updates at security.d.o:   1-6 hours

For the others, it depends on how security updates are distributed, i.e. since they come via [wheezy|squeeze]/updates at security.d.o it probably makes not much sense to have such short times for wheezy and for squeeze.
Not sure about wheezy(-proposed)-updates, squeeze(-proposed)-updates and wheezy-backports, squeeze-lts.

Cheers,
Chris.

btw: I'll CC the security team, the debian lts guys and affect the bug to release.debian.org... at least these are hopefully the responsible guys according to [1].

[0] https://lists.debian.org/debian-devel/2014/06/msg00171.html
[1] https://lists.debian.org/debian-devel/2014/06/msg00407.html
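As an added illustration of the check this report is about (example code, not apt's own and not the reporter's): it parses the header of a Release file, reports the Date-to-Valid-Until window, and shows that a Release file published five days earlier is still accepted under today's 7-day window but rejected under the proposed 12-hour one. The Release text is constructed; the field names and the date format are those of real Release files.

```python
from datetime import datetime, timedelta, timezone
APT_DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"  # the date format used in Release files

# Constructed Release header mirroring unstable's current 7-day window.
SAMPLE_RELEASE = """\
Suite: unstable
Date: Mon, 16 Jun 2014 08:00:00 UTC
Valid-Until: Mon, 23 Jun 2014 08:00:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""

def parse_release_header(text):
    """Return the 'Key: value' fields that precede the indented checksum lists."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(" "):
            break  # checksum entries are indented; the header is over
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_apt_date(value):
    return datetime.strptime(value, APT_DATE_FMT).replace(tzinfo=timezone.utc)

def validity_window_hours(fields):
    """Length of the Date..Valid-Until window; None means no limit (stable)."""
    if "Valid-Until" not in fields:
        return None
    delta = parse_apt_date(fields["Valid-Until"]) - parse_apt_date(fields["Date"])
    return delta.total_seconds() / 3600

def is_accepted(fields, now):
    """Would APT still trust this Release file at time `now`?"""
    if "Valid-Until" not in fields:
        return True  # no limit: a stale copy never expires
    return now <= parse_apt_date(fields["Valid-Until"])

def with_validity(fields, hours):
    """Copy of the header with Valid-Until = Date + hours (a proposed policy)."""
    until = parse_apt_date(fields["Date"]) + timedelta(hours=hours)
    return {**fields, "Valid-Until": until.strftime(APT_DATE_FMT)}

def demo():
    # A Release published 5 days ago: still valid at 7 days, expired at 12 hours.
    fields = parse_release_header(SAMPLE_RELEASE)
    now = parse_apt_date(fields["Date"]) + timedelta(days=5)
    return {"window_hours": validity_window_hours(fields),
            "accepted_7d": is_accepted(fields, now),
            "accepted_12h": is_accepted(with_validity(fields, 12), now)}
```

Running demo() returns {'window_hours': 168.0, 'accepted_7d': True, 'accepted_12h': False}; a header without Valid-Until (the stable case) is accepted no matter how old it is.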