The specific bug I am interested in is case 2 from comment 70:

  "2. Some people had bad files on the local box (through proxy or direct download) and for them the fix was 'sudo mv /var/lib/apt/lists /var/lib/apt/lists.old ; sudo mkdir -p /var/lib/apt/lists/partial'."
This can happen because of common, transient network errors, and I'm sure the black hats have ways of inducing or simulating such errors as well.

The bug is NOT that Ubuntu doesn't notice that the files are bad. The bug is that when it notices that the files are bad, it responds only by rather quietly suspending updates from the repositories corresponding to the bad files. The BADSIG error message does not even go anywhere that the user is going to see until they start investigating and try running command line tools instead of the GUI stuff.

To me the obvious first step in fixing this is for the update manager to automatically apply the manual "fix" of clobbering the bad files in /var/lib/apt/lists, and if that doesn't work, wave a red flag at the user.

The security implication that I see is that this bug represents a way for bad guys to block security updates to selected machines, possibly forever.

Bug: https://bugs.launchpad.net/bugs/24061
Title: GPG error with apt-get/aptitude/update-manager behind proxy (BADSIG 40976EAF437D05B5)
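The behaviour the message asks for (retry the update, apply the manual clobber of /var/lib/apt/lists once, and shout if that does not clear the BADSIG condition) is small enough to script. The following is an added example, not code from the bug thread, from apt or from Ubuntu's update-manager. It assumes that apt-get update prints "BADSIG <keyid>" in its output when an index signature fails (the wording quoted in the bug title); the sample output in the usage note and test is constructed, not captured from a real machine. The lists directory is a parameter so the recovery step can be exercised against a scratch copy; the --run path needs root because it touches /var/lib/apt/lists.

```shell
#!/bin/sh
# Added example: wrap "apt-get update", detect the BADSIG condition in its
# output, apply the manual recovery from comment 70 once, and refuse to stay
# quiet if the second run still fails signature verification.
# Assumption: apt's message contains the literal token "BADSIG" (as in the
# bug title); the other two patterns are assumed wordings for related failures.

# Return 0 if apt-get update output reports a signature failure.
apt_output_has_badsig() {
    printf '%s\n' "$1" | grep -Eq 'BADSIG|Signature verification failed|is not signed'
}

# The manual fix from comment 70, parameterised on the lists directory so it
# can be tested against a scratch copy instead of /var/lib/apt/lists.
# A previous backup is discarded so "mv" cannot nest the new one inside it;
# the bad files themselves are kept in "$lists.old" for later inspection.
recover_apt_lists() {
    lists="$1"
    rm -rf "$lists.old"
    mv "$lists" "$lists.old" || return 1
    mkdir -p "$lists/partial"
}

# Run the update; on BADSIG clear the cached indexes and retry once.
# Exit status: 0 if updates are flowing (possibly after recovery),
# 2 if signature verification still fails, i.e. updates are blocked.
update_with_recovery() {
    lists="${1:-/var/lib/apt/lists}"
    out=$(apt-get update 2>&1) || :
    if ! apt_output_has_badsig "$out"; then
        return 0
    fi
    echo "apt-get update reported a bad signature; clearing $lists and retrying" >&2
    recover_apt_lists "$lists" || return 2
    out=$(apt-get update 2>&1) || :
    if apt_output_has_badsig "$out"; then
        # This is the red flag the message asks for: a persistent BADSIG means
        # the affected repositories are silently frozen, so make it loud.
        echo "ALERT: signature verification still fails after clearing $lists;" >&2
        echo "security updates from the affected repositories are NOT being applied:" >&2
        printf '%s\n' "$out" | grep -E 'BADSIG|Signature verification failed|is not signed' >&2
        return 2
    fi
    echo "recovered: cached index files replaced, updates are flowing again" >&2
    return 0
}

# Only touch the real system when explicitly asked, so the functions above can
# be sourced and exercised without root.
if [ "${1:-}" = "--run" ]; then
    update_with_recovery
fi
```

Run it as root with --run from cron or from whatever hook the GUI updater uses; a non-zero exit is the signal that a machine has dropped out of the update stream and needs attention. A constructed line such as "W: GPG error: http://archive.ubuntu.com hardy Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" is what the detector is meant to catch; "Reading package lists... Done" is not.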