I found out the cause for this, but other backends are affected too probably - basically the packagekit daemon assumes that packages can be trusted themselves, so backends that do not have trust information in packages need to explicitly reject local packages as untrusted, so that PackageKit reprompts for trusted.
I'm not sure how to proceed there - I can come up with a fix for aptcc, but upstream can't put in the work for other backends, but then releasing just an apt fix while other backends are vulnerable would not be a good call either.

https://bugs.launchpad.net/bugs/1882098
Title: Packagekit lets user install untrusted local packages in Bionic and Focal