[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Sat, 2016-12-17 at 04:42 +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> > In terms of stable (which seems to be what you are asking about) there
> > is a trivial 99,9% shortcut: stable has no InRelease file for technical
> > reasons ATM, so something is fishy if you get one (aka apt should
> > display Ign lines).²
> Not fully true:
> http://security.debian.org/dists/jessie/updates/InRelease

It _is_ correct. security.d.o/updates is not the stable distribution.

The reasons that David mentioned specifically apply to the stable
distribution in the main archive - i.e. stable - and the way that it's
signed, not any other repositories or distributions that sit alongside
stable and may have stable somewhere in their names.



Reply to: