Or is there anything going to happen wrt to https/TLS? I, personally, are not convinced of doing this...
In this specific case, and rogue mirror could have still exploited the hole, and I'd assume there is nothing done to check the trustworthiness of mirror operators (there's no real way to do so). Also, the X.509 trust model is inherently broken. 150 root CAs alone in the mozilla bundle (many of them which cannot be trusted per se by any sane person) and even more sub CAs... all of which can issue literally any certificate. Using TLS would IMO only help (a tiny bit) if Debian (respectively the derivates) would operate their own CA (and only accept that for services they offer, like mirrors, BTS, gitlab, etc.). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1812353 Title: content injection in http method (CVE-2019-3462) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
