On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:

> >> The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> How would you get the client's system to install it in the first place?
> (More specifically, how would you get the cryptographic signature to
> match your package, given a lack of access to any of the keys trusted by
> the client's system?)
As I posted earlier, all you would need to do is to MITM the install of APT during an install. Who cares what the signatures look like since you've NOPed the checksumming code!

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401455611.6597.123286253.5d5a4...@webmail.messagingengine.com