Re: holes in secure apt
On Thu, June 12, 2014 01:06, Christoph Anton Mitterer wrote:
> reopen 749795
A better way would be to add more 'found' versions so the BTS version
tracking shows this bug as affecting stable.
> Anyone who believed in getting trusted sources might have been attacked
> with forged packages, and even the plain build of such package might
> have undermined users' security integrity.
> The same is the case with all debian build systems which probably rely
> on secure APT.
It's possible, yes, but you could have noted that exploitation would
still require someone to be able to successfully position themselves to
perform MITM operations between different Debian machines, which is far
from trivial to say the least.
> It's really saddening to see that such an issue could slip through,
> especially when I've personally started already a few threads on
> debian-devel about the security of secure APT.
We (the security team) will contact the maintainer about a fix for stable.
In the future, I suggest you familiarize yourself with the proper contact
points when you want to raise an issue. The address for security issues is
email@example.com, not debian-devel. You're always welcome on
#debian-security if you're unsure about how to handle an issue or where
it's best reported.
> From the APT perspective:
If you want to discuss your plans to work on improving APT, you're more
on-topic at firstname.lastname@example.org.