client-side signature checking of Debian archives (Re: When should we https our mirrors?)
On 23.10.2016 15:04, Kristian Erik Hermansen wrote:
> Although APT theoretically protects tampering of packages in transit
> over HTTP based on the signing key, there are numerous ways to exploit
> the plaintext HTTP protocol in transit and the way APT handles some
> aspects of validation. [...]
I'm a developer of a tool which downloads and validates Debian archives
in a similar way APT does.
As you use the word "theoretically", that suggests that practically
one can bypass the validation. Could you please list all numerous ways
to bypass it, so we'd fix our software?