On Tue, 2015-09-29 at 20:45 +0200, Víctor Cuadrado Juan wrote:
> Hi,
> Does apt-offline check the clock (and use valid-until) so it isn't
> vulnerable to a MITM showing an old version of the archive with a
> known critical bug meanwhile that bug has been fixed in the present?
>
> Information about this can be found on bug #752450, a debian-devel
> thread talking about the same bug[1] or a debian-devel thread about
> attacks on package managers[2]
>
> [1]: http://thread.gmane.org/gmane.linux.debian.devel.bugs.general/1163225
> [2]: http://thread.gmane.org/gmane.linux.debian.devel.general/152551/focus=152579
>
Victor,

Thank you for filing this bug report. I remember @dkg mentioning the same during the DebConf demo but I couldn't recollect the specifics. I will look into it soon.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
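
The freshness check the question above asks about, sketched as an added example (not part of either message, and not apt-offline's or APT's own code): it compares the `Date` and `Valid-Until` fields of a Release file with the local clock. It assumes the Release file's signature has already been verified; the sample Release text and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header fields of an archive Release file (not a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: testing
Date: Sat, 26 Sep 2015 08:00:00 UTC
Valid-Until: Sat, 03 Oct 2015 08:00:00 UTC
SHA256:
 0000 0 main/binary-amd64/Packages
"""


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields, skipping indented hash entries."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def _parse_ts(value):
    # Release files carry RFC 2822-style dates with a literal "UTC" zone.
    dt = parsedate_to_datetime(value.replace("UTC", "+0000"))
    return dt.astimezone(timezone.utc)


def check_freshness(release_text, now, require_valid_until=False):
    """Classify an already signature-verified Release file against the clock `now`."""
    fields = parse_release_fields(release_text)
    if "date" in fields and _parse_ts(fields["date"]) > now:
        return "clock-suspect"  # Release dated in the future: local clock is likely wrong
    if "valid-until" not in fields:
        # Without an expiry, an old but validly signed index cannot be told from a current one.
        return "rejected-no-expiry" if require_valid_until else "no-expiry"
    if now > _parse_ts(fields["valid-until"]):
        return "expired"  # index may be a replayed, outdated copy of the archive
    return "fresh"
```

For offline use, `now` has to be the clock of the machine applying the downloaded data, since that is when a stale index would be accepted.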

