[Bug 879943] [NEW] Synaptic messes sources.list and sources.list.d

Launchpad Bug Tracker 879943 at bugs.launchpad.net
Tue Feb 14 12:23:30 UTC 2012


You have been subscribed to a public bug:

Consider the following situation

1) I carefully edit by hand the /etc/sources.list file or the files in /etc/sources.list.d
(this is something I do to keep them aligned between different machines. In fact, it is not a real edit, but a copy from another machine)

2) Try the lists with apt-get update. Everything is fine.

3) Start synaptic. Go to the settings window to edit the repos. Go to
the other software tab.

4) Do any possible little action. For instance, activate and deactivate
the source repo for ubuntu partners. Ensure that your action has nothing
to do with the changes you made in 1)

5) See how synaptic has horribly restored the repo list as it was before
your hand edit.

6) Exit synaptic and go to the /etc/apt dir. Verify how everything has
gone back exactly as it was before your hand edit. Repos that you erased
are there again. Repos you edited have their changes reverted.

IMHO this is not just wrong, but also very dangerous.
Suppose that I had added a repo from a third party source.
Suppose that I then find out that this repo is dangerous. For instance because it replaces some package with a bugged package or a package with a back door.
Suppose that I consciously restore the package to the original version and I hand erase the crippled repo from my list of repos by removing the corresponding file from the /etc/apt/sources.list.d dir.
Now I feel safe. However, any time I use synaptic I risk having that repo back.

To me this is a security vulnerability. Anyone can convince me to add a
test repo to see what is in it. At the time I test, that repo can be
perfectly fine. I test, I remove the repo, I feel safe, the repo gets
automatically added back by synaptic, the repo owner adds in a package
that looks like an update to a package that I have in my system and,
without even realizing it, I can have my system infected by a malicious
package.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: synaptic 0.75.2ubuntu8
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Sat Oct 22 16:45:31 2011
InstallationMedia: Kubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
SourcePackage: synaptic
UpgradeStatus: Upgraded to oneiric on 2011-10-16 (6 days ago)

** Affects: software-properties (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug oneiric
-- 
Synaptic messes sources.list and sources.list.d
https://bugs.launchpad.net/bugs/879943
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to software-properties in Ubuntu.
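
A check for the failure mode reported above, as an added example that is not part of the bug report or of Synaptic/software-properties: it compares the active APT source entries against a hand-maintained baseline and reports any repository that has reappeared. It assumes one-line-style `.list` entries; the baseline path argument, the function names and the `repo.example.invalid` sample are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# One-line-style entry: "deb [options] uri suite [components...]"
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")

def parse_sources(text):
    """Return the set of active (type, uri, suite, component) tuples in text."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out entries are inactive
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, uri, suite, comps = m.groups()
        for comp in comps.split() or [""]:
            entries.add((kind, uri.rstrip("/"), suite, comp))
    return entries

def read_apt_sources(apt_dir="/etc/apt"):
    """Concatenate sources.list and every sources.list.d/*.list file."""
    root = Path(apt_dir)
    files = [root / "sources.list", *sorted((root / "sources.list.d").glob("*.list"))]
    return "\n".join(f.read_text() for f in files if f.is_file())

def drift(baseline_text, current_text):
    """Entries active now but absent from the baseline, and the reverse."""
    base, cur = parse_sources(baseline_text), parse_sources(current_text)
    return {"unexpected": sorted(cur - base), "missing": sorted(base - cur)}

# Constructed sample: the hand-edited state (test repo disabled) and the state
# after a GUI tool rewrote the files (test repo active again).
BASELINE = """deb http://archive.ubuntu.com/ubuntu oneiric main universe
# deb http://repo.example.invalid/test oneiric main
"""
AFTER = """deb http://archive.ubuntu.com/ubuntu oneiric main universe
deb http://repo.example.invalid/test oneiric main
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # argument: path to a saved baseline file (assumed)
        result = drift(Path(sys.argv[1]).read_text(), read_apt_sources())
    else:                   # no argument: run on the constructed sample
        result = drift(BASELINE, AFTER)
    for kind, uri, suite, comp in result["unexpected"]:
        print(f"UNEXPECTED: {kind} {uri} {suite} {comp}")
    sys.exit(1 if result["unexpected"] else 0)
```

Run it after any session in the repository settings dialog and before the next `apt-get update`; a non-zero exit means a source outside the baseline is active.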



