signature checking in libcupt (Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?))
To one of your side questions,
On 24.10.2016 02:33, Kristian Erik Hermansen wrote:
>> 1) The checking chain (e.g. gpgv and its callers) has bugs. True, same as the checking layer for secure transports also has bugs.
> Agreed. Please let me know of a good test case to validate that your
> tools, which are not APT (?), are doing the right things. You said you
> maintained a tool which "downloads and validates Debian archives in a
> similar way APT does", which means not exactly the way APT does. Let
> me know the name of your tool and how to setup some test cases to
> validate your tool is doing things properly. Glad to spend some time
> on it and contribute any potential findings for the community benefit.
The tool I maintain is a minor, not widely used package manager, which may or may not be worth your time. It's called
Cupt; the sources are at [1a] or [1b], namely the checking code at  and tests for common situations at . One can
play with those test cases, or install the tool and point it to malicious servers.
There might be other packages in Debian which access repos not through libapt.
 same as APT, via /etc/apt/sources.list