from Hacker News

Attacks against GPG signed APT repositories

by jcapote on 2/21/18, 7:58 PM with 13 comments

• by whacker on 2/21/18, 10:36 PM

  This is such a frustrating clickbait headline!

  Most of the 'attack' s are:

  1. Plain old bugs in apt. 2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!

• by parliament32 on 2/22/18, 1:06 PM

  The main recommendation is "always serve your apt repo over TLS", however, apt doesn't use TLS by design: https://whydoesaptnotusehttps.com/

• by jwilk on 2/21/18, 10:58 PM

  --force-yes is bad, but for reasons that have nothing to do with replay attacks.

  This option effectively disables package authentication. This is because it forces "yes" answer to all questions, including the question about installing unauthenticated packages.

• by jwilk on 2/21/18, 11:10 PM

  For a moment I thought there's a new research paper about attacks on APT. Nope. The paper the article links to is from 2008.