Control: tag -1 + pending
Hi,
Ansgar Burchardt wrote:
> Axel Beckert writes:
> > I've though observed two possibly minor issues with it:
> >
> > * An existing /etc/apt/sources.list.d/apt-build.list is not updated to
> > add "[trusted=yes]".
>
> Could probably be added in postinst (apt-build.l
Axel Beckert writes:
> I've though observed two possibly minor issues with it:
>
> * An existing /etc/apt/sources.list.d/apt-build.list is not updated to
> add "[trusted=yes]".
Could probably be added in postinst (apt-build.list is not a conffile),
e.g. something like
sed -i 's/^deb file:/de
Hi Ansgar,
Axel Beckert wrote:
> Ansgar Burchardt wrote:
> > apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
> > to apt-get, that is it disables *all* signature checks allowing MitM
> > attacks to serve malicious data.
>
> Thanks for the heads up. I'll have a look into it
Hi Ansgar,
Ansgar Burchardt wrote:
> apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
> to apt-get, that is it disables *all* signature checks allowing MitM
> attacks to serve malicious data.
Thanks for the heads up. I'll have a look into it and will publish my
proposed QA
retitle 659015 apt-build: disables apt's signature checking
severity 659015 grave
tag 659015 + security
found 659015 0.12.42
thanks
apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
to apt-get, that is it disables *all* signature checks allowing MitM
attacks to serve maliciou