Package: apticron
Version: 1.1.55
Severity: normal

Dear Maintainer,

I noticed that apticron uses --allow-unauthenticated by default. I can't see a reason for this, as on a normal system all packages should be authenticated. In my opinion this option shouldn't be used by default, as this at least allows an active attacker to generate apticron e-mails containing false information. Additionally, there seems to be no way to remove this option at the moment besides patching apticron.

-- System Information:
Debian Release: 7.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.4.74 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash