package cupt
severity 533753 serious
thanks

Goswin von Brederlow wrote:
> But if the file is there then apt-get/aptitude will consider it good
> without checking. So
> 
> cupt update
> apt-get install
> 
> would install packages even if the signature is bad.
> 
> Not a good idea. Can't you download the file to the partial directory
> like apt-get and only move it when it checks out?
Actually, Cupt downloads it to the partial/ directory and does the gpg check while the
file is there. Then it unconditionally moves it to the usual place.

But you are right. Since this breaks default apt-get/etc. behavior, I will
turn this off by default.

> It doesn't really break it, at least I assume cupt can install
> unauthenticated debs too, but it makes it impossible to see when the
> signature is actually bad and when it is just ia32-apt-get mangling. It
> makes it insecure.
Agreed.

> Cupt will need a wrapper so "cupt update" works right. The wrapper
> could also set the option to ignore signature checks other than when
> downloading. So that would work.
> 
> Does cupt have an equivalent to
> 
> apt-get.real --no-list-cleanup --no-download update
> 
> That just parses the existing Packages files and updates its caches
> without fetching any files. This needs to be run by ia32-apt-get after
> mangling the Packages files to fit (in the cupt wrapper).
Cupt doesn't have any cache files for indexes; it generates them on the fly, on
demand. Does this remove the problem for cupt update (besides the security
problem above, which will be fixed)?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Maintainer

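The download-then-verify-then-move pattern discussed in this thread, written out as an added illustration (not Cupt's or apt's own code): the index pair is written to lists/partial/, checked there, and promoted into lists/ only when the signature verifies. The function names, the `verify` callback and the use of gpgv with apt's trusted keyring are assumptions for the example.

```python
import os
import subprocess
from pathlib import Path
from typing import Callable

# Hypothetical helper, not Cupt's real code: check a detached OpenPGP
# signature with gpgv against apt's keyring. Returns True only on success.
def default_verify(release: Path, signature: Path) -> bool:
    result = subprocess.run(
        ["gpgv", "--keyring", "/etc/apt/trusted.gpg", str(signature), str(release)],
        capture_output=True,
    )
    return result.returncode == 0

def install_index(lists_dir: Path, name: str, release: bytes, sig: bytes,
                  verify: Callable[[Path, Path], bool] = default_verify) -> bool:
    """Write a downloaded Release/Release.gpg pair into lists/partial/, verify
    it there, and move it into lists/ only if the check passes.

    Returns True when the new files were installed. On a bad signature the
    partial copies are deleted and any previously verified copy in lists/ is
    left untouched, so a later `apt-get install` never sees an unverified
    index (the unconditional move described above is the bug being avoided).
    """
    partial = lists_dir / "partial"
    partial.mkdir(parents=True, exist_ok=True)
    p_release = partial / f"{name}_Release"
    p_sig = partial / f"{name}_Release.gpg"
    p_release.write_bytes(release)
    p_sig.write_bytes(sig)
    if not verify(p_release, p_sig):
        # Signature did not verify: discard the partial download, do not promote.
        p_release.unlink()
        p_sig.unlink()
        return False
    # os.replace is an atomic rename within one filesystem, so readers see
    # either the old verified file or the new verified file, never a partial one.
    os.replace(p_release, lists_dir / f"{name}_Release")
    os.replace(p_sig, lists_dir / f"{name}_Release.gpg")
    return True
```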