Hi Kristian,

To one of your side questions,

On 24.10.2016 02:33, Kristian Erik Hermansen wrote:
>> 1) Checking chain (e.g. gpgv and its callers) have bugs. True, same as
>> checking layer for secure transports also have bugs.
>
> Agreed. Please let me know of a good test case to validate that your
> tools, which are not APT (?), are doing the right things. You said you
> maintained a tool which "downloads and validates Debian archives in a
> similar way APT does", which means not exactly the way APT does. Let
> me know the name of your tool and how to set up some test cases to
> validate your tool is doing things properly. Glad to spend some time
> on it and contribute any potential findings for the community benefit.

The tool I maintain is a minor, not widely used package manager, which may or may not be worth your time. It's called Cupt; the sources are at [1a] or [1b], namely the checking code at [2] and tests for common situations at [3]. One can play with those test cases, or install the tool and point it [4] to malicious servers.

There might be other packages in Debian which access repos not through libapt.

[1a] https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=cupt/cupt.git;a=tree
[1b] https://github.com/jackyf/cupt
[2] cpp/lib/src/internal/cachefiles.cpp:verifySignature()
[3] test/t/query/repo-signatures/*
[4] same as APT, via /etc/apt/sources.list