group.of.nepali.translators team mailing list archive

[Julian Andres Klode <julian.klode@xxxxxxxxxxxxx>]

I think I vaguely recall some issues that occured after this SRU in
bionic, but I'm not sure anymore. It certainly means that tools stop
working for people behind proxies in quite a few cases (e.g. various apt
proxies not allowing https connect; or access to changelogs.ubuntu.com).

So we need to consider whether the benefits of backporting this to
xenial outweight the risks.

** Also affects: update-manager (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-release-upgrader (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1744318

Title:
  changelogs.ubuntu.com should be using HTTPS

Status in ubuntu-release-upgrader package in Ubuntu:
  Fix Released
Status in update-manager package in Ubuntu:
  Fix Released
Status in ubuntu-release-upgrader source package in Xenial:
  New
Status in update-manager source package in Xenial:
  New
Status in ubuntu-release-upgrader source package in Bionic:
  Fix Released
Status in update-manager source package in Bionic:
  Fix Released

Bug description:
  Although the packages listed in meta-release files on
  changelogs.ubuntu.com are signature-checked there doesn't appear to be
  any way to verify the meta-release files are valid so a man-in-the-
  middle could maliciously supply an alternate meta-release.

  meta-release files should be signed with the archive GPG key and/or
  delivered over HTTPS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1744318/+subscriptions