Package: src:xdeb
Version: 0.6.6
Severity: grave
Tags: security

According to xdeb's documentation, it uses apt to download source
packages and defaults to the system's sources.list, which usually
points at remote repositories.

However, xdeb disables apt's signature checking:

+---
|     apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
+---[ http://sources.debian.net/src/xdeb/0.6.6/aptutils.py/?hl=159#L159 ]

I assume (but did not verify) that this means xdeb will not complain
about a compromised remote repository and build potentially malicious
packages.

Ansgar
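The setting at issue is a single apt configuration key, and the value xdeb writes is `str(True)`, i.e. the string "True", which apt's boolean parsing accepts case-insensitively. The following is an added example, not code from xdeb or from this report: a small parser for apt.conf syntax (both the flat `A::B::C "v";` form and the nested `A { B { C "v"; }; };` form) plus an audit that flags verification-disabling options and emits the explicit "false" lines that restore checking. It deliberately avoids python-apt's `apt_pkg.config` so it runs offline; the configuration texts `WEAK_CONF` and `SAFE_CONF` are constructed samples, and `Acquire::AllowInsecureRepositories` is a later apt option that is not mentioned in the report but does the same job on the acquire side.

```python
"""Audit apt.conf-style text for options that disable signature verification.

Added example (not part of xdeb or of the bug report).  Assumptions: the
configuration is given as text in apt.conf syntax; the parser below is a
minimal one that handles comments, quoted values, nested blocks and list
items, and skips #include/#clear directives instead of resolving them.
"""
import re

# Strings apt treats as boolean true (apt's StringToBool is case-insensitive),
# so the "True" that xdeb writes via str(True) does switch the option on.
_TRUE = {"1", "yes", "true", "with", "on", "enable"}

# Options that, when true, let apt proceed without a verifiable Release
# signature.  The first is the one xdeb sets; the second is the newer
# acquire-side equivalent (apt >= 1.1), included for completeness.
VERIFICATION_OPTIONS = {
    "APT::Get::AllowUnauthenticated": "apt-get installs unauthenticated packages",
    "Acquire::AllowInsecureRepositories": "apt fetches from unsigned/unverifiable repositories",
}

_TOKEN = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*"   # comments and #include/#clear (skipped)
    r'|"([^"]*)"'                   # group 1: quoted value
    r"|([{};])"                     # group 2: structure
    r'|([^\s"{};]+)',               # group 3: option / block name
    re.S,
)


def parse_apt_conf(text: str) -> dict:
    """Flatten apt.conf text to {'A::B::C': 'value'}.

    Quoted items inside a block that carry no name (apt's list syntax,
    e.g. DPkg::Pre-Invoke { "cmd"; };) are collected under 'Block::' as a list.
    """
    config = {}
    scope = []    # names of the enclosing blocks
    name = None   # option name waiting for its value or block
    for m in _TOKEN.finditer(text):
        string, punct, word = m.groups()
        if word is not None:
            name = word
        elif string is not None:
            if name is None:                      # list item
                config.setdefault("::".join(scope) + "::", []).append(string)
            else:                                 # Name "value";
                config["::".join(scope + [name])] = string
                name = None
        elif punct == "{":
            scope.append(name or "")
            name = None
        elif punct == "}":
            if scope:
                scope.pop()
            name = None
        elif punct == ";":
            name = None
        # anything else was a comment or directive: ignored
    return config


def is_true(value: str) -> bool:
    """Mirror apt's lenient boolean parsing."""
    return value.strip().lower() in _TRUE


def audit(config: dict) -> list:
    """Return (key, value, why) for each verification-disabling option set true."""
    findings = []
    for key, why in VERIFICATION_OPTIONS.items():
        value = config.get(key)
        if isinstance(value, str) and is_true(value):
            findings.append((key, value, why))
    return findings


def hardened_snippet(findings) -> str:
    """apt.conf lines that explicitly switch each flagged option back off."""
    return "".join(f'{key} "false";\n' for key, _, _ in findings)


# Constructed sample: what xdeb's
#   apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
# amounts to once written in apt.conf syntax.  Not a real /etc/apt/apt.conf.
WEAK_CONF = """
// constructed example, flat form
APT::Get::AllowUnauthenticated "True";
Acquire::http::Proxy "http://proxy.example:3128/";
"""

# Constructed hardened counterpart, nested form, with a list-valued option.
SAFE_CONF = """
APT {
  Get {
    AllowUnauthenticated "false";   /* keep signature checking on */
  };
};
DPkg::Pre-Invoke { "echo pre"; };
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", SAFE_CONF)):
        findings = audit(parse_apt_conf(conf))
        print(label + ":", findings or "no verification-disabling options")
        if findings:
            print("suggested apt.conf fix:\n" + hardened_snippet(findings))
```

Running it reports the weak sample's `APT::Get::AllowUnauthenticated "True"` and prints the one-line correction, while the hardened sample passes; the same `audit()` can be pointed at the output of `apt-config dump` style text on a real host to see whether anything has switched verification off.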

