Hello Kristian,

On 23.10.2016 15:04, Kristian Erik Hermansen wrote:
> [...]
> Although APT theoretically protects tampering of packages in transit
> over HTTP based on the signing key, there are numerous ways to exploit
> the plaintext HTTP protocol in transit and the way APT handles some
> aspects of validation. [...]

I'm a developer of a tool which downloads and validates Debian archives in a similar way to APT. As you use the word "theoretically", that suggests that practically one can bypass the validation. Could you please list all the numerous ways to bypass it, so we can fix our software?