Rejecting SHA1-signed repositories by default (Ubuntu edition)
Colin Watson
cjwatson at ubuntu.com
Thu Nov 24 17:14:20 UTC 2016
On Thu, Nov 24, 2016 at 07:18:44AM -0500, Marc Deslauriers wrote:
> There is also: An attacker could simply supply the Trusty file that includes a
> Valid-Until line to Xenial users.
I believe that at least generates a warning now, and perhaps could be
promoted to an error at some point (perhaps conditionally on a new
flag?). pkgAcqMetaBase::VerifyVendor in apt-pkg/acquire-item.cc:

   // One day that might become fatal…
   auto const ExpectedDist = TransactionManager->MetaIndexParser->GetExpectedDist();
   auto const NowCodename = TransactionManager->MetaIndexParser->GetCodename();
   if (TransactionManager->MetaIndexParser->CheckDist(ExpectedDist) == false)
      _error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"),
            Desc.Description.c_str(), ExpectedDist.c_str(), NowCodename.c_str());

--
Colin Watson [cjwatson at ubuntu.com]
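
Added example, not part of the message above and not apt's own code: a stand-alone sketch of the "promoted to an error" behaviour the message considers, rejecting a Release file whose Codename and Suite both differ from the distribution the sources entry asked for. The function names, the fail-closed handling of missing fields and the sample Release headers are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Parse the top-level "Field: value" lines of a Release file into a map.
// Continuation lines (leading whitespace, e.g. the hash lists) are skipped.
std::map<std::string, std::string> ParseReleaseFields(const std::string &text) {
    std::map<std::string, std::string> fields;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == ' ' || line[0] == '\t') continue;
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        auto start = line.find_first_not_of(" \t", colon + 1);
        fields[line.substr(0, colon)] =
            start == std::string::npos ? "" : line.substr(start);
    }
    return fields;
}

// Hypothetical strict check: true only if the Release file names the
// expected distribution via Codename or Suite. A file carrying neither
// field, or an empty expectation, fails closed.
bool DistMatches(const std::string &release, const std::string &expected) {
    if (expected.empty()) return false;
    auto f = ParseReleaseFields(release);
    auto codename = f.find("Codename");
    auto suite = f.find("Suite");
    if (codename != f.end() && codename->second == expected) return true;
    if (suite != f.end() && suite->second == expected) return true;
    return false;
}

// Constructed sample input: abbreviated Release headers, not real archive data.
const std::string kTrustyRelease =
    "Origin: Ubuntu\nSuite: trusty\nCodename: trusty\n"
    "Valid-Until: Thu, 01 Dec 2016 00:00:00 UTC\nSHA256:\n 0000 1 main/x\n";
const std::string kXenialUpdates =
    "Origin: Ubuntu\nSuite: xenial-updates\nCodename: xenial\n";

int main() {
    std::cout << DistMatches(kTrustyRelease, "xenial") << "\n";          // 0
    std::cout << DistMatches(kXenialUpdates, "xenial-updates") << "\n";  // 1
    return DistMatches(kTrustyRelease, "xenial") ? 1 : 0;
}
```

Matching on either field keeps pockets such as xenial-updates working, where Suite carries the pocket name and Codename carries the release name.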