On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote: > This idea that GPG signatures on the index files is enough has been > totally disproven. There was a bug in apt where Debian devices could be > exploited by feeding them crafted InRelease files: > > https://www.debian.org/security/2016/dsa-3733
This was the *one* bug of this sort in the entire lifetime of apt thus far, AFAIK. > If HTTPS was used, that would mean exploiting that would require One of the dozens of zero-days already found in the TLS stack we had to run like crazy to patch ? In fact, the TLS stack is so complex, we can be reasonably sure there is still at least one remotely-exploitable zero-day there. Have you ever looked at the library stack in APT's http method, and compared it with the one in APT's https method? > HTTPS does not entirely solve all these problems, but it does > drastically improve things. That is *not* an opinion shared by everyone, to put it mildly. -- Henrique Holschuh
