retitle 659015 apt-build: disables apt's signature checking
severity 659015 grave
tag 659015 + security
found 659015 0.12.42
thanks

apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
to apt-get, that is, it disables *all* signature checks, allowing MitM
attacks to serve malicious data. It looks like this was introduced in
0.12.42:

  * Allow non authenticated installation from apt-build repository.
    Closes: #316572, #369173

See also the recent thread on debian-security@[1], esp. [2] suggesting
to use "deb [trusted=yes] ..." in sources.list which would allow
dropping the (global) AllowUnauthenticated=true.

Ansgar

  [1] <https://lists.debian.org/debian-security/2015/03/msg00020.html>
  [2] <https://lists.debian.org/debian-security/2015/03/msg00026.html>
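As an added illustration (not part of the report above, and not apt-build's or apt's own code), the following POSIX shell snippet distinguishes the global switch the report objects to from the per-repository alternative it points to: it flags any command line or apt.conf fragment that turns on APT::Get::AllowUnauthenticated for every repository, and it lists sources.list entries whose options field carries trusted=yes, which skips signature checks for that one repository only. The sample command lines, the apt.conf fragment, the file:/srv/local-repo path and the Debian mirror lines are constructed inputs; only the -o option itself comes from the report.

```shell
#!/bin/sh
# Added example: detect a global AllowUnauthenticated setting and list the
# repositories that are instead scoped with [trusted=yes].

# Return 0 when a command line or apt.conf fragment turns
# APT::Get::AllowUnauthenticated on (apt option names are case-insensitive,
# so both "-o Apt::Get::AllowUnauthenticated=true" and the apt.conf form
# 'APT::Get::AllowUnauthenticated "true";' are caught).
sets_allow_unauthenticated() {
    printf '%s\n' "$1" |
        grep -Eiq 'apt::get::allowunauthenticated[[:space:]=]*"?(true|yes|1)'
}

# Print the sources.list lines whose options field contains trusted=yes.
# These disable signature checks for that single repository only.
trusted_repo_lines() {
    printf '%s\n' "$1" |
        grep -Ei '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\]' || true
}

# Number of such lines (prints 0 when there are none).
count_trusted_repos() {
    trusted_repo_lines "$1" | grep -c . || true
}

# Constructed inputs (hypothetical); the -o option is the one from the report.
UNSAFE_CMDLINE='apt-get -o Apt::Get::AllowUnauthenticated=true install hello'
UNSAFE_CONF='APT::Get::AllowUnauthenticated "true";'
SAFE_CMDLINE='apt-get install hello'
SOURCES='deb http://deb.debian.org/debian bookworm main
deb [trusted=yes] file:/srv/local-repo ./
deb-src http://deb.debian.org/debian bookworm main'

# Demonstration: report each input and the per-repository exceptions.
for c in "$UNSAFE_CMDLINE" "$UNSAFE_CONF" "$SAFE_CMDLINE"; do
    if sets_allow_unauthenticated "$c"; then
        echo "GLOBAL: signature checks disabled for every repository: $c"
    else
        echo "ok:     $c"
    fi
done
echo "repositories scoped with [trusted=yes]: $(count_trusted_repos "$SOURCES")"
trusted_repo_lines "$SOURCES"
```

The check is deliberately string-based so it can be run over shell wrappers, /etc/apt/apt.conf.d fragments and recorded command lines alike; the point it makes is the one from the report, that a [trusted=yes] entry limits the loss of authentication to one repository whereas the -o option removes it for all of them.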
