On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
> >As what I posted earlier, all you would need to do is to MITM the
> >install of APT during an install. Who cares what the signatures look
> >like since you've NOPed the checksumming code!
>
> That's why you verify the initial install media per the link I posted
> earlier...

Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.

Alfie

--
Alfie John
alf...@fastmail.fm