On Sat, Jan 26, 2019 at 11:42:27AM +0100, Alexandre Belgrand wrote: > Le mercredi 23 janvier 2019 ŕ 18:05 +0100, Marek Marczykowski-Górecki a > écrit : > > We have just published Qubes Security Bulletin (QSB) #46: > > APT update mechanism vulnerability. > > Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen > and injection may occur during apt-get install/update using man-in-the- > middle attack, at least in some countries. Unless packages are compiled > with reproducible builds and fingerprints are available online, there > is no way to avoid such an attack.
What a great start to the week. Do you have *any* evidence for this claim? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190127005426.3qne7kcdcvv6pses%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
