** Summary changed:

- placeholder
+ python-apt downloads from untrusted sources where apt does not

** Description changed:

- Placeholder bug.
+ python-apt never checked whether the hashes it got were signed in the
+ first place. So, python-apt is happy to download files from unsigned
+ repositories when it shouldn't.
+ 
+ Making the code only fetch trusted packages means that using it on
+ untrusted packages will fail. There might be use cases broken by this.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python-apt in Ubuntu.
https://bugs.launchpad.net/bugs/1858973

Title:
  python-apt downloads from untrusted sources where apt does not

Status in aptdaemon package in Ubuntu:
  Fix Released
Status in python-apt package in Ubuntu:
  Fix Released

Bug description:
  python-apt never checked whether the hashes it got were signed in the
  first place. So, python-apt is happy to download files from unsigned
  repositories when it shouldn't.

  Making the code only fetch trusted packages means that using it on
  untrusted packages will fail. There might be use cases broken by this.

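The gap the bug description names, as an added example that is not python-apt's or aptdaemon's code: a hash comparison alone next to a form that first requires the hash to come from a signed index. The attribute names `origins`, `trusted` and `sha256` follow python-apt's `Version` and `Origin` objects; the functions, the error class, the `allow_unauthenticated` parameter and the sample data are hypothetical and constructed.

```python
import hashlib
from types import SimpleNamespace


class UntrustedSourceError(Exception):
    """Raised when no signed index vouches for the expected hash."""


def hash_matches(data, version):
    """The integrity check alone: compare the payload with the index hash."""
    return hashlib.sha256(data).hexdigest() == version.sha256


def is_trusted(version):
    """True if at least one index listing this version was signature-verified."""
    return any(origin.trusted for origin in version.origins)


def accept_unchecked(data, version):
    """Behaviour described in the bug: the hash is used, its provenance is not."""
    return hash_matches(data, version)


def accept_checked(data, version, allow_unauthenticated=False):
    """Hardened form: refuse unless the hash came from a signed index."""
    if not (is_trusted(version) or allow_unauthenticated):
        raise UntrustedSourceError(f"{version.name}: hash is from an unsigned index")
    return hash_matches(data, version)


def make_version(name, payload, trusted):
    """Constructed stand-in for a package version and the index that listed it."""
    origin = SimpleNamespace(site="repo.example", trusted=trusted)
    digest = hashlib.sha256(payload).hexdigest()
    return SimpleNamespace(name=name, sha256=digest, origins=[origin])


if __name__ == "__main__":
    payload = b"constructed package bytes"
    signed = make_version("demo-signed", payload, trusted=True)
    unsigned = make_version("demo-unsigned", payload, trusted=False)
    print(accept_unchecked(payload, unsigned))  # hash agrees, so it is accepted
    print(accept_checked(payload, signed))
    try:
        accept_checked(payload, unsigned)
    except UntrustedSourceError as exc:
        print("refused:", exc)
```

The explicit `allow_unauthenticated=True` opt-in covers the use cases the description expects to break, while the default refuses.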