TLDR: Is it possible to disable InRelease processing by apt-get?
Long: Very short summary of the bug: (my own words) During apt-get upgrading signature verification can be tricked resulting in arbitrary package installation, system compromise. sources: - https://security-tracker.debian.org/tracker/CVE-2016-1252 - https://www.debian.org/security/2016/dsa-3733 - https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 How to upgrade from the insecure apt-get version 1.0.9.8.3 to the patched apt-get version 1.0.9.8.4 without being compromised during that upgrade? Is it possible to disable InRelease processing by apt-get [for that upgrade or generally]? And have it check Release.gpg (which is provided anyway) instead?
