Bug#454666: MD5 signatures provide no security



Quoting Frank Lichtenheld (djpig@debian.org):
> reassign 454666 apt
> thanks
> 
> On Thu, Dec 06, 2007 at 02:33:06PM -0800, bear@pagansexcult.org wrote:
> > Exploitation of this flaw would allow an attacker to
> > substitute arbitrary code for any legitimate Debian package
> > using a "man in the middle" attack undetected whenever a
> > user is installing new software, or to put up a debian
> > mirror site or repository containing arbitrary code
> > disguised as legitimate Debian software and having the same
> > checksums.
> 
> dpkg does at no time verify anything about the origin of packages.
> Only apt does.


Apart from that, I don't really understand the urgency of riding big
horses at the speed of light reporting an RC bug against part of our
architecture only because a (sorry for being rude) obscure proof of
concept just got unveiled.

I don't think that ringing the trumpets of Apocalypse is exactly the
best way to work on the issue.

Please call me wrong as long as you want but I'd really like to see
people I trust in this project bring some advice on that issue.
