Package: apt
Version: 0.7.14
Severity: normal

By default, APT https method does not check server certificate, but only
that the identity in the certificate does match the server name. From a
security standpoint (even if list of packages can otherwise be signed,
this might not be the case), this makes https useless without explicitly
setting the (undocumented) option to true.

I already sent some comments and a set of patches that fixes the issue
(and others) for discussion, directly to [EMAIL PROTECTED], but
got no reply:

http://permalink.gmane.org/gmane.linux.debian.apt.devel/14771

I decided to file a bug report. Is that the correct way to handle that?

Cheers,

a+
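A check for the behaviour the report describes, added here as an example and not part of the report or of APT itself: it reads an apt.conf or `apt-config dump` style listing and reports whether the https method is set to verify the server certificate. The option name Acquire::https::Verify-Peer (and the companion Verify-Host) is an assumption, since the report only says the option exists and is undocumented; the unset default of "false" follows the report's description of 0.7.14.

```shell
# Reads apt.conf / apt-config dump lines on stdin and prints the effective
# value of Acquire::https::Verify-Peer. The option name is assumed (the
# report does not name it); an unset option is treated as "false", the
# default the report describes for apt 0.7.14. The last setting wins, as
# in apt.conf.
https_verify_peer_effective() {
    value=$(sed -n 's/^Acquire::https::Verify-Peer "\([^"]*\)";.*/\1/p' | tail -n 1)
    if [ -z "$value" ]; then
        value=false
    fi
    printf '%s\n' "$value"
}

# Returns 0 when peer verification is explicitly on, 1 otherwise.
https_verify_peer_ok() {
    [ "$(https_verify_peer_effective)" = "true" ]
}

# Constructed sample listings (not output captured from any real host).
# Default-style config: the option is absent, so verification is off.
SAMPLE_DEFAULT='Acquire::https "";
Acquire::https::Timeout "120";'
# Hardened config: peer (chain) and host (name) checks both enabled.
SAMPLE_HARDENED='Acquire::https "";
Acquire::https::Verify-Peer "true";
Acquire::https::Verify-Host "true";'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_DEFAULT"  | https_verify_peer_effective   # false
printf '%s\n' "$SAMPLE_HARDENED" | https_verify_peer_effective   # true
```

On a real system the same check is `apt-config dump | https_verify_peer_ok`, which exits non-zero when the option is unset or off.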
