On Thu, Nov 24, 2016 at 07:18:44AM -0500, Marc Deslauriers wrote:
> There is also: An attacker could simply supply the Trusty file that includes a
> Valid-Until line to Xenial users.

I believe that at least generates a warning now, and perhaps could be
promoted to an error at some point (perhaps conditionally on a new
flag?).  pkgAcqMetaBase::VerifyVendor in apt-pkg/acquire-item.cc:

   // One day that might become fatal…
   auto const ExpectedDist = TransactionManager->MetaIndexParser->GetExpectedDist();
   auto const NowCodename = TransactionManager->MetaIndexParser->GetCodename();
   if (TransactionManager->MetaIndexParser->CheckDist(ExpectedDist) == false)
      _error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"),
            Desc.Description.c_str(), ExpectedDist.c_str(), NowCodename.c_str());

-- 
Colin Watson                                       [[email protected]]
