The security repository generally serves up a field in its metadata saying that ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		jkaplowitz on Jan 21, 2019 \| parent \| context \| favorite \| on: Why does APT not use HTTPS? The security repository generally serves up a field in its metadata saying that the data shouldn't be trusted for more than 7 days, if it hasn't changed since 2014 when I encountered this duration as part of my day-job work. It's safe to assume the trusted duration hasn't increased, at least.

dooglius on Jan 21, 2019 [–]

http://security-cdn.debian.org/dists/stable/updates/Release is 10 days in the future. I still think it should be shorter, as it's pretty conceivable to exploit a 1-day vulnerability in that timeframe, but it's not that bad.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact