
Re: holes in secure apt



On Thu, 2014-06-12 at 00:07 -0400, Joey Hess wrote: 
> AFAICS, #749795 talked about bringing this to the security team's
> attention, but they never seem to have been CCed.
Thanks for doing that now...


> So the security team may not be aware that a security hole in apt was
> recently fixed, that caused apt-get source to not give any indication
> when the Release file was lacking a signature.
> 
> Whether it's closed in unstable or not, this bug is open still in
> stable, and needs to get a CVE assigned, and a DSA issued.
Absolutely.... 

But I somehow feel a more concentrated approach is needed... Secure APT
seems to be one of the core elements of Debian's overall security and
integrity... and as I've mentioned in my previous post, in many
places it seems unclear how far stuff is really verified or not.
That goes from end-user/admin tools over the whole
upload/build/distribution infrastructure to maintenance platforms
(alioth) and the hosting of the repos of packages (questions like "are
all things secured/verified when things like git-buildpackage are used to
maintain packages?").


Cheers,
Chris.
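The bug discussed above is that apt-get source proceeded without any indication when the Release file had no signature. The following is an added illustration, not code from apt or from either poster, of the trust chain secure APT relies on (signature over Release, Release hashes over the index, index hashes over the package files) written so that a missing signature or a tampered index is a hard failure rather than a silent one. The repository contents, the `build_repo`/`try_fetch` helpers and the placeholder signature bytes are constructed for the example; the actual cryptographic check of the signature (which apt does with gpgv against the archive keyring) is left out and only the presence of InRelease or Release.gpg is classified.

```python
"""Added example (not apt's own code): model the secure-apt trust chain for a
source fetch and fail loudly, rather than silently, when the Release file
carries no signature.  All repository contents below are constructed inline."""
import hashlib
import re
from typing import Dict, Tuple


class TrustChainError(Exception):
    """Raised when any link in Release -> index -> file cannot be verified."""


def parse_release_hashes(release: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    hashes: Dict[str, Tuple[str, int]] = {}
    in_sha256 = False
    for line in release.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):      # a new RFC822-style field starts
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256 and line.startswith(" "):       # continuation line of SHA256:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def release_signature_state(repo: Dict[str, bytes]) -> str:
    """Classify how the Release file is signed, by which files are present.
    Real apt would then run gpgv over InRelease or Release + Release.gpg;
    that cryptographic step is deliberately out of scope here."""
    if "InRelease" in repo:
        return "inline"
    if "Release" in repo and "Release.gpg" in repo:
        return "detached"
    if "Release" in repo:
        return "unsigned"
    return "missing"


def fetch_verified_index(repo: Dict[str, bytes], path: str) -> bytes:
    """Return an index file only if the Release is signed and its hash matches."""
    state = release_signature_state(repo)
    if state in ("unsigned", "missing"):
        # This is the check whose absence the thread describes: refuse, don't proceed.
        raise TrustChainError(f"Release file is {state}; refusing to trust {path}")
    release = (repo.get("InRelease") or repo["Release"]).decode()
    expected = parse_release_hashes(release)
    if path not in expected:
        raise TrustChainError(f"{path} not listed in Release")
    data = repo[path]
    digest, size = expected[path]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        raise TrustChainError(f"hash mismatch for {path}")
    return data


def build_repo(signed: bool) -> Dict[str, bytes]:
    """Constructed miniature repository: one Sources index listed in Release."""
    sources = b"Package: hello\nVersion: 2.10-1\n"
    h = hashlib.sha256(sources).hexdigest()
    release = (f"Origin: Example\nSuite: stable\nSHA256:\n"
               f" {h} {len(sources)} main/source/Sources\n")
    repo = {"Release": release.encode(), "main/source/Sources": sources}
    if signed:
        # Placeholder bytes standing in for a detached signature (not a real one).
        repo["Release.gpg"] = b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    return repo


def try_fetch(signed: bool, tamper: bool = False) -> str:
    """Drive the chain over a constructed repo; returns 'ok' or the refusal reason."""
    repo = build_repo(signed)
    if tamper:
        repo["main/source/Sources"] += b"Package: evil\n"   # index altered after signing
    try:
        fetch_verified_index(repo, "main/source/Sources")
        return "ok"
    except TrustChainError as e:
        return str(e)


if __name__ == "__main__":
    for signed, tamper in ((True, False), (False, False), (True, True)):
        print(f"signed={signed} tamper={tamper}: {try_fetch(signed, tamper)}")
```

The point of the structure is that every path out of `fetch_verified_index` either returns verified bytes or raises: there is no code path that hands back data while merely logging a warning, which is the failure mode the original bug exhibited for apt-get source.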
