Re: Revival of the signed debs discussion
* Steve Langasek (email@example.com) [031202 22:10]:
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities), and dpkg only gets a list of .debs to install once
> they've been downloaded.
So this should be handled for a safer environment.
E.g. dpkg could get an explicit "I want downgrade"-switch, along with
an "install without signature validation". With these (and these
switches not used by apt by default), there would be no danger in your
scenario (except wasted bandwidth).
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
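The two checks discussed above, as an added, stand-alone example (this is not code from the thread, from dpkg or from apt): a front end parses the .deb container, refuses a file whose control Package/Version/Architecture do not match what its filename claims, and refuses to install a version lower than the installed one unless the caller sets an explicit downgrade flag. The `build_deb` fixture, the `installed_version` and `allow_downgrade` parameter names and the `check_deb` function are assumptions of this example standing in for dpkg's status database and the proposed switch; `compare_versions` follows dpkg's epoch/upstream/revision algorithm. Signature verification itself is out of scope here.

```python
import io
import re
import tarfile
from urllib.parse import unquote

AR_MAGIC = b"!<arch>\n"
FILENAME_RE = re.compile(r"^(?P<package>[a-z0-9][a-z0-9+.-]+)_(?P<version>[^_]+)_(?P<arch>[^_]+)\.deb$")


def _ar_member(name, body):
    """Encode one classic ar member: 60-byte header, body, pad to even length."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(body)).encode().ljust(10) + b"`\n")
    return header + body + (b"\n" if len(body) % 2 else b"")


def _tar_gz(files):
    """Build a gzip-compressed tar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(package, version, arch="all"):
    """Constructed test fixture (assumed helper): a minimal .deb, i.e. an ar archive
    holding debian-binary, control.tar.gz and an empty data.tar.gz."""
    control = (f"Package: {package}\nVersion: {version}\nArchitecture: {arch}\n"
               f"Maintainer: Example <nobody@example.invalid>\nDescription: fixture package\n")
    return (AR_MAGIC + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tar_gz({"./control": control.encode()}))
            + _ar_member(b"data.tar.gz", _tar_gz({})))


def read_control(deb_bytes):
    """Walk the ar container, find control.tar* and return the control fields as a dict."""
    if not deb_bytes.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(deb_bytes):
        header = deb_bytes[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        body = deb_bytes[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
            for member in tar.getmembers():
                if member.name in ("control", "./control"):
                    fields = {}
                    for line in tar.extractfile(member).read().decode("utf-8").splitlines():
                        if ":" in line and not line.startswith(" "):
                            key, _, value = line.partition(":")
                            fields[key.strip()] = value.strip()
                    return fields
    raise ValueError("no control file found")


def _order(c):
    """dpkg's character ordering for non-digit parts: '~' < end of string < letters < punctuation."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (ordering above) and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        if int(da or "0") != int(db or "0"):
            return int(da or "0") - int(db or "0")
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def check_deb(filename, deb_bytes, installed_version=None, allow_downgrade=False):
    """Return (True, "ok") or (False, reason). installed_version / allow_downgrade are
    assumed stand-ins for dpkg's status database and the proposed downgrade switch."""
    m = FILENAME_RE.match(filename)
    if not m:
        return False, f"filename {filename!r} is not package_version_arch.deb"
    fields = read_control(deb_bytes)
    fn_version = unquote(m["version"])          # pool paths encode an epoch colon as %3a
    expected = fields["Version"]
    if ":" not in fn_version:                   # dpkg-deb omits the epoch from filenames
        expected = expected.partition(":")[2] or expected
    if (m["package"], fn_version, m["arch"]) != (fields["Package"], expected, fields["Architecture"]):
        return False, (f"control says {fields['Package']} {fields['Version']} {fields['Architecture']}, "
                       f"filename claims {m['package']} {fn_version} {m['arch']}")
    if installed_version is not None and not allow_downgrade \
            and compare_versions(fields["Version"], installed_version) < 0:
        return False, f"{fields['Version']} is older than installed {installed_version}; downgrade refused"
    return True, "ok"


if __name__ == "__main__":
    fixture = build_deb("foo", "1.2-3")
    print(check_deb("foo_1.2-3_all.deb", fixture))
    print(check_deb("foo_1.2-4_all.deb", fixture))                       # renamed to look newer
    print(check_deb("foo_1.2-3_all.deb", fixture, installed_version="1.2-4"))
    print(check_deb("foo_1.2-3_all.deb", fixture, installed_version="1.2-4", allow_downgrade=True))
```

The name/version check is a strict string comparison on purpose: "1.0" and "1.00" compare equal under dpkg's rules, but a file whose name does not literally match its control data is exactly the kind of mismatch the check exists to catch. The downgrade check, by contrast, uses the full dpkg ordering (epochs, "~" sorting before the empty string), because that is what decides whether a candidate really is older than what is installed.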