There is also another scenario we should test for. If we decide to add a key to the downloaded keyring, an attacker could then add a duplicate key id for the new key in the spoofed keyring. I'm not sure what gpg would do in that scenario, which key would get parsed first, etc.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/857472

Title:
  net-update verifcation checking insecure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
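The duplicate-key-ID scenario raised above can be checked for before anything is imported, rather than left to whatever gpg's parse order happens to do. The following is an added example, not code from the bug report, apt-key or GnuPG: it parses the machine-readable `gpg --with-colons --fingerprint --list-keys` output of a downloaded keyring, flags any long key ID that resolves to more than one distinct fingerprint, and lists keys whose fingerprint is not already in the trusted keyring. The two listings embedded below are constructed and every key ID, fingerprint and user ID in them is fictitious; `list_keyring` assumes `gpg` is on PATH and is given an absolute keyring path. The function names (`parse_colons`, `find_duplicate_keyids`, `check_against_trusted`, `audit_sample`) are this example's own.

```python
"""Detect duplicate key IDs and unexpected fingerprints in a gpg keyring listing.

Added example, not part of the bug report, apt-key or GnuPG. Works on the
`gpg --with-colons` record format (field layout per GnuPG's doc/DETAILS).
The sample listings below are constructed; all key material in them is fake.
"""
from collections import defaultdict
import subprocess


def parse_colons(listing):
    """Return one dict {keyid, fpr, uids} per primary key ('pub' record).

    Fields used (1-based, as in doc/DETAILS):
      pub: field 5  = long (64-bit) key ID
      fpr: field 10 = fingerprint
      uid: field 10 = user ID
    'sub' records and their 'fpr' lines are skipped: the question here is which
    primary key a given ID resolves to.
    """
    keys = []
    current = None
    in_subkey = False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"keyid": fields[4], "fpr": None, "uids": []}
            keys.append(current)
            in_subkey = False
        elif rtype == "sub":
            in_subkey = True
        elif rtype == "fpr" and current is not None and not in_subkey and current["fpr"] is None:
            current["fpr"] = fields[9]
        elif rtype == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def find_duplicate_keyids(keys):
    """Map each long key ID to the set of distinct fingerprints carrying it.

    An entry with more than one fingerprint is the ambiguous case from the
    report: two different keys answer to the same ID, so which one a consumer
    ends up with depends on parsing order. Reject the keyring instead of guessing.
    """
    by_id = defaultdict(set)
    for k in keys:
        by_id[k["keyid"]].add(k["fpr"])
    return {kid: fprs for kid, fprs in by_id.items() if len(fprs) > 1}


def check_against_trusted(downloaded, trusted):
    """Return (keyid, fingerprint) pairs in `downloaded` whose fingerprint is
    not in `trusted`. Matching on the full fingerprint, not the key ID, is the
    point: an ID can be duplicated in a spoofed keyring, a fingerprint cannot
    be matched without the same key material."""
    trusted_fprs = {k["fpr"] for k in trusted}
    return [(k["keyid"], k["fpr"]) for k in downloaded if k["fpr"] not in trusted_fprs]


def list_keyring(path):
    """List a real keyring file (assumption: gpg on PATH, `path` absolute).
    Not exercised by the constructed sample below."""
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", path,
         "--with-colons", "--fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return parse_colons(out)


# Constructed sample: the locally trusted keyring holds one key (plus a subkey).
TRUSTED_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1300000000:::-:::scESC::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00000123456789ABCDEF:
uid:-::::1300000000::::Example Archive Key <archive@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1300000000::::::e::::::23:
fpr:::::::::BBBB0000BBBB0000BBBB0000FEDCBA9876543210:
"""

# Constructed sample of a spoofed download: the genuine key, a second key that
# carries the same long ID 0123456789ABCDEF but a different fingerprint, and an
# extra key that is simply not trusted.
DOWNLOADED_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1300000000:::-:::scESC::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00000123456789ABCDEF:
uid:-::::1300000000::::Example Archive Key <archive@example.invalid>::::::::::0:
pub:-:4096:1:0123456789ABCDEF:1310000000:::-:::scESC::::::23::0:
fpr:::::::::CCCC0000CCCC0000CCCC00000123456789ABCDEF:
uid:-::::1310000000::::Example Archive Key <archive@example.invalid>::::::::::0:
pub:-:4096:1:1111222233334444:1310000000:::-:::scESC::::::23::0:
fpr:::::::::DDDD0000DDDD0000DDDD00001111222233334444:
uid:-::::1310000000::::Example Archive Key (2011) <archive@example.invalid>::::::::::0:
"""


def audit_sample():
    """Run both checks over the constructed listings."""
    trusted = parse_colons(TRUSTED_LISTING)
    downloaded = parse_colons(DOWNLOADED_LISTING)
    return find_duplicate_keyids(downloaded), check_against_trusted(downloaded, trusted)


if __name__ == "__main__":
    dups, unknown = audit_sample()
    for kid, fprs in dups.items():
        print(f"REJECT: key ID {kid} maps to {len(fprs)} fingerprints: {sorted(fprs)}")
    for kid, fpr in unknown:
        print(f"untrusted: {kid} {fpr}")
```

The check deliberately does not try to answer "which key would gpg pick first": a keyring in which one ID maps to two fingerprints is refused outright, and anything that survives is compared by fingerprint against the keys already trusted, so the parse order never decides anything.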
