> If the attacker has such control over your infrastructure he could just
> as well block you from connecting to update sites completely [...]
A DoS like that is much easier to detect than freezing of the Release
file. You'd get an error message if the download site is not reachable --
but that it has no new updates is not a cause for an error.
FWIW, slowing the victim's clock to keep valid-for-one-week metadata
current for much longer (as discussed in the Debian bug) is also quite