Package: apt-offline
Version: 1.6.1
Severity: wishlist

Hi,

Does apt-offline check the clock (and use valid-until) so it isn't vulnerable to a MITM showing an old version of the archive with a known critical bug while that bug has been fixed in the present?

Information about this can be found on bug #752450, a debian-devel thread talking about the same bug[1] or a debian-devel thread about attacks on package managers[2].

[1]: http://thread.gmane.org/gmane.linux.debian.devel.bugs.general/1163225
[2]: http://thread.gmane.org/gmane.linux.debian.devel.general/152551/focus=152579

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.1.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-offline depends on:
ii  apt                                   1.0.10.2
ii  less                                  458-3
ii  libpython2.7-stdlib [python-argparse] 2.7.10-4
ii  python                                2.7.9-1
pn  python:any                            <none>

Versions of packages apt-offline recommends:
ii  debian-archive-keyring  2014.3
ii  python-magic            1:5.24-2
ii  python-soappy           0.12.22-1

apt-offline suggests no packages.

-- no debconf information
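
The freshness check the report asks about, sketched as an added example (this is not apt-offline's or APT's code). It assumes the Release file's signature has already been verified, and the sample Release text, the function names and the status strings are all constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header fields of a Release file (illustrative values).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: testing
Date: Sat, 26 Sep 2015 08:50:41 UTC
Valid-Until: Sat, 03 Oct 2015 08:50:41 UTC
SHA256:
 0000 123 main/binary-amd64/Packages
"""

def release_fields(text):
    """Single-line 'Key: value' fields; indented checksum lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def as_utc(value):
    """Parse the RFC 2822-style timestamp used by Date and Valid-Until."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def freshness(release_text, now):
    """Classify a Release file whose signature has ALREADY been verified.

    Valid-Until only means something on signed metadata; this function
    does not check the signature itself.
    """
    f = release_fields(release_text)
    if "Date" in f and now < as_utc(f["Date"]):
        # Local clock is behind the archive: an expiry check cannot be trusted.
        return "clock-before-release-date"
    if "Valid-Until" not in f:
        # Without an expiry, replayed old metadata cannot be told from current.
        return "no-valid-until"
    if now > as_utc(f["Valid-Until"]):
        # Stale metadata: a mirror or MITM may be serving an old archive state.
        return "expired"
    return "fresh"
```

For an offline workflow the `now` value matters on both machines: the check is only as good as the clock of the host that evaluates it.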