

Apt security update - TimWolla
https://lists.debian.org/debian-security-announce/2014/msg00138.html

======
Alupis
This seems like a relatively low impact security problem. I can't recall the
last time I used a package manager to get a package's source.

(Usually when I want the source it's because I'm compiling a package from
source, and I get the tarball from the project's website)

~~~
mcpherrinm
The usual case for this is when there are patches applied by the distribution.

It's also more likely to work out of the box without having to hunt for build
dependencies.

This is mostly useful when you care about contributing bugfixes to the distro
patches, or you can't get the upstream source to build easily.

------
femtards885
Seems ironic their cert doesn't match and I get a browser warning. What
happened to Debian? Is Security something they have only heard about in
folklore terms?

~~~
TheHippo
Looks fine:
[https://www.ssllabs.com/ssltest/analyze.html?d=lists.debian....](https://www.ssllabs.com/ssltest/analyze.html?d=lists.debian.org)

~~~
hadoukenio
What about it? That's the URL for the Debian mailing list and not where
packages are downloaded from.

In fact, you download packages from Debian mirrors and most of these are over
HTTP and not HTTPS. How do you know you're not downloading a compromised APT?
Checksums you say? Don't forget you downloaded the package footprints via HTTP
too!

The MITM for APT is the elephant in the room here.

~~~
TimWolla
Luckily it only affected fetching the source and not the pre-built binaries.
Otherwise this would be a total nightmare.

~~~
hadoukenio
No, the nightmare is still there. Most Debian mirrors only serve HTTP and you
most likely installed Debian from an ISO that you downloaded over HTTP. And
when you did an md5 of the downloaded ISO you probably compared it to a
fingerprint hosted on a website served via HTTP (at the same time forgetting
that md5sum could have been compromised itself since you downloaded it via
HTTP). Then when using APT to install packages, they too are being installed
via HTTP.

~~~
TimWolla
apt checks the package signatures using GPG.

~~~
hadoukenio
It checks and verifies using the tools you downloaded via HTTP which could
have been compromised via MITM?
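The trust chain the last few comments argue over, worked through as an added example (my code, not Debian's or apt's). It models apt's three layers, a signed Release file, a Packages index whose hash is listed in Release, and a .deb whose hash is listed in Packages, and then checks what a mirror or MITM can and cannot change. The archive key, the attacker key, the package bytes and the file layouts are all constructed for the example, and an HMAC stands in for the OpenPGP signature in Release.gpg so that it runs offline without gnupg; the point it demonstrates is that every hash arrives over the same channel as the packages, and only the key that is *not* fetched from the mirror anchors the chain.

```python
import hashlib
import hmac

# Constructed stand-in for the archive signing key that apt ships in its
# keyring. A real archive uses an OpenPGP key; an HMAC key models "only the
# key holder can produce a valid signature" well enough for this example.
ARCHIVE_KEY = b"constructed-debian-archive-signing-key"
# Constructed key of a MITM who also manages to substitute the keyring.
ATTACKER_KEY = b"constructed-key-substituted-by-a-mitm"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release: bytes, key: bytes) -> str:
    """Stand-in for the detached signature apt fetches as Release.gpg."""
    return hmac.new(key, release, hashlib.sha256).hexdigest()


def build_archive(deb: bytes, key: bytes = ARCHIVE_KEY) -> dict:
    """Build the chain apt relies on: Release (signed) -> Packages index
    (hashed in Release) -> .deb (hashed in Packages). The layouts mimic the
    real files closely enough to parse the same way (constructed example)."""
    packages = (
        b"Package: example\nFilename: pool/main/e/example_1.0_amd64.deb\n"
        b"Size: %d\nSHA256: %s\n" % (len(deb), sha256(deb).encode())
    )
    release = (
        b"Suite: stable\nSHA256:\n %s %d main/binary-amd64/Packages\n"
        % (sha256(packages).encode(), len(packages))
    )
    return {
        "Release": release,
        "Release.gpg": sign_release(release, key),
        "main/binary-amd64/Packages": packages,
        "pool/main/e/example_1.0_amd64.deb": deb,
    }


def release_hashes(release: bytes) -> dict:
    """Map index path -> sha256 from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_section = False
    return hashes


def packages_entries(packages: bytes) -> dict:
    """Map Filename -> SHA256 from a Packages index (stanzas end with a blank line)."""
    entries, filename, digest = {}, None, None
    for line in packages.decode().splitlines() + [""]:
        if line.startswith("Filename: "):
            filename = line[len("Filename: "):]
        elif line.startswith("SHA256: "):
            digest = line[len("SHA256: "):]
        elif line == "" and filename and digest:
            entries[filename] = digest
            filename = digest = None
    return entries


def verify_chain(archive: dict, trusted_key: bytes) -> bool:
    """Walk the chain the way apt does. Every hash comes from the (possibly
    MITM'd) mirror; the only input not fetched from the mirror is trusted_key."""
    release = archive["Release"]
    if not hmac.compare_digest(sign_release(release, trusted_key), archive["Release.gpg"]):
        return False  # Release.gpg does not verify with the trusted key
    for index_path, digest in release_hashes(release).items():
        index = archive.get(index_path)
        if index is None or sha256(index) != digest:
            return False  # Packages index does not match the signed Release
        for deb_path, deb_digest in packages_entries(index).items():
            deb = archive.get(deb_path)
            if deb is None or sha256(deb) != deb_digest:
                return False  # .deb does not match the index
    return True


def mitm_swap_deb(archive: dict, evil_deb: bytes) -> dict:
    """Mirror serves a different .deb but leaves the indexes alone."""
    tampered = dict(archive)
    tampered["pool/main/e/example_1.0_amd64.deb"] = evil_deb
    return tampered


def mitm_rebuild_unsigned(archive: dict, evil_deb: bytes) -> dict:
    """Mirror rewrites Packages and Release as well, but cannot produce a
    Release.gpg under the archive key, so it replays the genuine one."""
    tampered = build_archive(evil_deb, ATTACKER_KEY)
    tampered["Release.gpg"] = archive["Release.gpg"]
    return tampered


if __name__ == "__main__":
    good = build_archive(b"constructed good package contents")
    print("genuine archive:", verify_chain(good, ARCHIVE_KEY))
    print("swapped .deb only:", verify_chain(mitm_swap_deb(good, b"x"), ARCHIVE_KEY))
    print("rebuilt indexes, replayed sig:", verify_chain(mitm_rebuild_unsigned(good, b"x"), ARCHIVE_KEY))
    evil = build_archive(b"x", ATTACKER_KEY)
    print("attacker-signed, real keyring:", verify_chain(evil, ARCHIVE_KEY))
    print("attacker-signed, substituted keyring:", verify_chain(evil, ATTACKER_KEY))
```

The last line of output is the case hadoukenio describes: if the keyring itself (or the installer that carries it) was obtained over an unauthenticated channel, the chain verifies perfectly against the wrong anchor. Every other tampering is caught regardless of HTTP, which is why the mitigation is to check the installation medium's signature against a key fingerprint obtained out of band rather than to trust checksums served beside the download.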

