Am I right in thinking that the recently discovered apt vulnerability
(DSA 4371-1) in Debian based systems could and should have been
mitigated against many years ago by downloading and activating an apt
package, "apt-transport-https", which forces apt updates via https? The
researcher (Max Justicz) who discovered the vulnerability has stated it
couldn't have been exploited if https had been implemented.

If "apt-transport-https" is the magic bullet, why in the past hasn't it
been implemented by default? And, why for the future, is it not being
implemented immediately by Qubes, Debian et al?

During the past decade many people with good foresight had predicted the
apt vulnerability and urged administrators to install the
solution, "apt-transport-https". Regrettably, the vocal majority of
so-called experts said that's unnecessary because the packages are
signed. Was that incompetent advice, or was it a coordinated response
from agents of State Actors to hide a deliberate backdoor? I've no idea,
but given Snowden's revelations I would not rule anything out.
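As an added example (not part of the original post or of Debian's or Qubes' own tooling): installing apt-transport-https only makes the https:// scheme available to apt, it does not by itself change any existing http:// entry in your sources lists, so the practical check is whether those lists still carry plain-http mirrors. The script below audits a sources list for such entries and produces an https:// rewrite. The sources content is a constructed sample; the mirror hostnames are the standard Debian ones but are placeholders here, and whether a given mirror actually serves https is an assumption you must verify before applying such a rewrite.

```shell
#!/bin/sh
# Added example, not code from the original post or from Debian/Qubes.
# Audits an apt sources list for entries fetched over plain http:// and
# produces an https:// rewrite. Note: apt-transport-https only enables the
# https:// scheme; it never edits existing entries. In apt 1.5 and later the
# https transport is built into apt itself and the package is transitional.

# Constructed sample sources.list content for this demonstration only.
SAMPLE_SOURCES='# Debian stretch (constructed sample)
deb http://deb.debian.org/debian stretch main
deb-src http://deb.debian.org/debian stretch main
deb https://deb.debian.org/debian-security stretch/updates main
deb http://deb.debian.org/debian stretch-updates main'

# Print every active deb/deb-src line (optionally with [options]) whose
# URI uses plain http://. Reads the sources text from stdin.
find_plain_http() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://'
}

# Count plain-http entries in the text given on stdin (0 means all https).
count_plain_http() {
    n=$(find_plain_http | wc -l)
    echo "$n" | tr -d ' '
}

# Rewrite http:// to https:// on deb/deb-src lines only, leaving comments
# and unrelated lines untouched. Assumption: the mirror serves https; check
# that (e.g. with a browser or curl) before applying this to a real system.
rewrite_to_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://#\1https://#'
}

# Stand-alone usage: sh audit-sources.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "Entries still on plain http://:"
    printf '%s\n' "$SAMPLE_SOURCES" | find_plain_http
    echo
    echo "Rewritten:"
    printf '%s\n' "$SAMPLE_SOURCES" | rewrite_to_https
fi
```

To audit a real machine, feed it /etc/apt/sources.list and the files under /etc/apt/sources.list.d/ instead of the sample (for example `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | count_plain_http`). A count of 0 is the condition the post is really asking about: only then is every package and index fetch on that host going over https.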
