Bug#203741: apt-secure
- To: Jason Gunthorpe <jgg@debian.org>
- Cc: 203741@bugs.debian.org, Colin Walters <walters@verbum.org>, Isaac Jones <ijones@syntaxpolice.org>, debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>
- Subject: Bug#203741: apt-secure
- From: Matt Zimmerman <mdz@debian.org>
- Date: Mon, 8 Sep 2003 18:20:32 -0400
- Message-id: <20030908222032.GY18829@alcor.net>
- Mail-followup-to: Jason Gunthorpe <jgg@debian.org>, 203741@bugs.debian.org, Colin Walters <walters@verbum.org>, Isaac Jones <ijones@syntaxpolice.org>, debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>
- Reply-to: Matt Zimmerman <mdz@debian.org>, 203741@bugs.debian.org
- In-reply-to: <Pine.LNX.3.96.1030908155451.7784B-100000@wakko.debian.net>
- References: <20030908141224.GD18829@alcor.net> <Pine.LNX.3.96.1030908155451.7784B-100000@wakko.debian.net>

On Mon, Sep 08, 2003 at 04:02:46PM -0600, Jason Gunthorpe wrote:
> Any sort of query during install isn't going to work so well without much
> bigger changes. Mostly this has to do with the way multiple instances of
> the same package are handled, the various origins are not uniquified and
> it cannot retain the md5sum information to figure out what makes sense.
>
> So even though it says it's coming from a secure source because one
> instance is listed as secure it may very well decide to download and
> verify it from an insecure one. I haven't the faintest clue about how
> you'd go about fixing this.

Hmm...where in the code does this magic happen? I suppose it could be
changed to consider a package to be coming from an insecure source if any of
the available origins are insecure, and sidestep the problem that way. I
don't think this will be much of a problem in practice, since sources having
the same packages available will typically also have the same Release, same
signature, etc.
--
- mdz
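
The two trust policies discussed in this message, side by side, as an added example that is not part of the original mail and is not APT code. The `Instance` model, the origin names and the checksum strings are constructed assumptions used only to show why "one instance is listed as secure" and "every available origin is secure" can disagree with what is actually downloaded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    """One index entry for a package version (hypothetical model, not APT's structures)."""
    origin: str    # constructed source name
    trusted: bool  # True if this origin's Release file carried a valid signature
    md5sum: str    # checksum recorded in that origin's package index


def any_origin_trusted(instances):
    """Policy the quoted text warns about: one signed listing marks the package secure."""
    return any(i.trusted for i in instances)


def all_origins_trusted(instances):
    """Policy suggested in the reply: insecure if any available origin is insecure."""
    return all(i.trusted for i in instances)


def audit(instances, chosen):
    """Compare both policies with the instance the downloader actually picked."""
    return {
        "any_policy_says_secure": any_origin_trusted(instances),
        "all_policy_says_secure": all_origins_trusted(instances),
        "download_actually_verified": chosen.trusted,
        "checksums_agree": len({i.md5sum for i in instances}) == 1,
    }


# Constructed sample data: the same package version offered by several sources.
signed = Instance("signed-mirror.example", True, "md5-A")
unsigned = Instance("unsigned-repo.example", False, "md5-B")
second_signed = Instance("second-signed-mirror.example", True, "md5-A")

# Mixed origins, and the downloader happens to pick the unsigned one.
MIXED = audit([signed, unsigned], chosen=unsigned)
# Two mirrors carrying the same Release and signature.
MIRRORED = audit([signed, second_signed], chosen=second_signed)

if __name__ == "__main__":
    print("mixed   :", MIXED)
    print("mirrored:", MIRRORED)
```

In the mixed case the "any" policy reports the package as secure although the fetched instance was never verified, while the "all" policy flags it; in the mirrored case both policies agree.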