[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: holes in secure apt

On Thu, 2014-06-12 at 00:07 -0400, Joey Hess wrote: 
> AAICS, #749795 talked about bringing this to the security team's
> attention, but they never seem to have been CCed.
Thanks for doing that now...

> So the security team may not be aware that a security hole in apt was
> recently fixed, that caused apt-get source to not give any indication
> when the Release file was lacking a signature.
> Whether it's closed in unstable or not, this bug is open still in
> stable, and needs to get a CVE assigned, and a DSA issued.

But I somehow feel a more concentrated approach is needed... Secure APT
seems to be one of the core elements of Debians overall security and
integrity... and as I've mentioned in my previous post,... in many
places it seems unclear how far stuff is really verified or not.
That goes from end-user/admin tools over the whole
upload/build/distribution infrastructure to maintenance platforms
(alioth) and the hosting of the repos of packages (questions like "are
all things secured/verified when things like git-buildpackage is used to
maintain packages"?).


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: