Bug#703146: Better debootstrap InRelease handling fix
Le mercredi, 27 mars 2013 12.59:15, Benjamin Cama a écrit :
> attached version fix both problems (and is based on latest master, after
> Julien disabled InRelease support). Please not that it will still print
> what's _before_ the BEGIN header, if present (there shouldn't be
> anything, but if you really want to be picky…)
Well, yes, we want to be picky: the whole point of checking the signature is
to avoid letting unsigned content be considered valid by debootstrap / apt /
etc. See CVE-2013-1051.
That said, I think I would prefer a gpgv patch to only output verified content
than such sed hackery (although nice).
Cheers,
OdyX
Reply to: