touch-packages team mailing list archive

Thread
Date

[Bug 1329274] Re: apt-get source fails to warn on unauthenticated packages

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Forest Bond <forest@xxxxxxxxxxxxxx>
Date: Wed, 23 Jul 2014 19:58:28 -0000
Reply-to: Bug 1329274 <1329274@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Question: Why are --force-yes and --assume-yes not honored as they are
when checking authenticity of binaries?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1329274

Title:
  apt-get source fails to warn on unauthenticated packages

Status in APT:
  Fix Released
Status in “apt” package in Ubuntu:
  Fix Released
Status in “apt” source package in Lucid:
  Fix Released
Status in “apt” source package in Precise:
  Fix Released
Status in “apt” source package in Saucy:
  Fix Released
Status in “apt” source package in Trusty:
  Fix Released
Status in “apt” source package in Utopic:
  Fix Released

Bug description:
  apt-get source foo will not warn if the repository that foo belongs to
  has no signature attached.

  It should fails in this case - this is CVE-2014-0478

To manage notifications about this bug go to:
https://bugs.launchpad.net/apt/+bug/1329274/+subscriptions