Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

To: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Cc: Patrick Schleizer <adrelanos@riseup.net>, debian-security@lists.debian.org, deity@lists.debian.org, "qubes-devel@googlegroups.com" <qubes-devel@googlegroups.com>, Whonix-devel <whonix-devel@whonix.org>
Subject: Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 17 Dec 2016 10:17:07 +0000
Message-id: <[🔎] 1481969827.14497.4.camel@adam-barratt.org.uk>
In-reply-to: <[🔎] 20161217034228.GM1239@mail-itl>
References: <[🔎] 20161216003213.GA26904@debian.org> <[🔎] 735685eb-5968-79ae-e22f-71d0d2fd9c56@riseup.net> <[🔎] 20161217014728.obnbanv4e2mmamzh@crossbow> <[🔎] 20161217034228.GM1239@mail-itl>

On Sat, 2016-12-17 at 04:42 +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> > In terms of stable (which seems to be what you are asking about) there
> > is a trivial 99,9% shortcut: stable has no InRelease file for technical
> > reasons ATM, so something is fishy if you get one (aka apt should
> > display Ign lines).²
> 
> Not fully true:
> http://security.debian.org/dists/jessie/updates/InRelease

It _is_ correct. security.d.o/updates is not the stable distribution.

The reasons that David mentioned specifically apply to the stable
distribution in the main archive - i.e. stable - and the way that it's
signed, not any other repositories or distributions that sit alongside
stable and may have stable somewhere in their names.

Regards,

Adam

Reply to:

References:
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Julian Andres Klode <jak@debian.org>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Patrick Schleizer <adrelanos@riseup.net>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: David Kalnischkies <david@kalnischkies.de>
- Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

Prev by Date: Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Next by Date: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Previous by thread: Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Next by thread: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Index(es):
- Date
- Thread