Bug#659015: apt-build disables apt's signature verification
retitle 659015 apt-build: disables apt's signature checking
severity 659015 grave
tag 659015 + security
found 659015 0.12.42
thanks
apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
to apt-get; that is, it disables *all* signature checks, allowing MitM
attacks to serve malicious data. It looks like this was introduced in
0.12.42:
* Allow non authenticated installation from apt-build repository.
Closes: #316572, #369173
See also the recent thread on debian-security@[1], esp. [2] suggesting
to use "deb [trusted=yes] ..." in sources.list which would allow
dropping the (global) AllowUnauthenticated=true.
Ansgar
[1] <https://lists.debian.org/debian-security/2015/03/msg00020.html>
[2] <https://lists.debian.org/debian-security/2015/03/msg00026.html>
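The report contrasts a global AllowUnauthenticated=true with a per-source "[trusted=yes]" option. The script below is an added example, not part of the bug report or of apt-build: it flags the global setting wherever it appears (a command line or an apt.conf fragment) and counts sources.list entries that limit the trust exemption to a single repository. The sample files, the mirror host and the local repository path are constructed for this example.

```shell
#!/bin/sh
# Added example: detect the global "disable all signature checks" setting
# and contrast it with the per-repository "[trusted=yes]" sources.list option.
# All input files below are constructed here; nothing is read from the system.

# Return 0 when the file contains APT::Get::AllowUnauthenticated set to true,
# whether written as a "-o Name=true" command-line option or as an apt.conf
# 'Name "true";' stanza (apt treats option names case-insensitively).
has_global_allow_unauth() {
    grep -iqE 'apt::get::allowunauthenticated[[:space:]]*=?[[:space:]]*"?true' "$1"
}

# Print the number of deb/deb-src lines whose option block carries trusted=yes,
# i.e. sources that opt out of verification for that one repository only.
count_trusted_sources() {
    grep -cE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\]' "$1" || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the apt-get invocation described in the report.
printf '%s\n' 'apt-get -o Apt::Get::AllowUnauthenticated=true install foo' > "$WORK/cmdline.txt"

# Constructed: the same setting as a global apt.conf fragment.
printf '%s\n' 'APT::Get::AllowUnauthenticated "true";' > "$WORK/apt.conf"

# Constructed: sources.list where only the local build repository is marked
# trusted; the mirror line keeps full signature verification.
# mirror.example.org and /srv/local-repo are placeholders.
cat > "$WORK/sources.list" <<'EOF'
deb http://mirror.example.org/debian stable main
deb [trusted=yes] file:/srv/local-repo apt-build main
EOF

for f in "$WORK/cmdline.txt" "$WORK/apt.conf" "$WORK/sources.list"; do
    if has_global_allow_unauth "$f"; then
        echo "WARNING: $f disables signature verification for ALL sources"
    else
        echo "ok: $f keeps global signature verification"
    fi
done
echo "sources.list lines scoped with [trusted=yes]: $(count_trusted_sources "$WORK/sources.list")"
```

Run as-is: the two files carrying the global option are flagged, the sources.list is not, and exactly one source line is reported as carrying a repository-scoped exemption.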