> There is also: An attacker could simply supply the Trusty file that includes a
> Valid-Until line to Xenial users.
I believe that at least generates a warning now, and perhaps could be
promoted to an error at some point (perhaps conditionally on a new
flag?). pkgAcqMetaBase::VerifyVendor in apt-pkg/acquire-item.cc:

    // One day that might become fatal…
    auto const ExpectedDist = TransactionManager->MetaIndexParser->GetExpectedDist();
    auto const NowCodename = TransactionManager->MetaIndexParser->GetCodename();
    if (TransactionManager->MetaIndexParser->CheckDist(ExpectedDist) == false)
        _error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"),
            Desc.Description.c_str(), ExpectedDist.c_str(), NowCodename.c_str());

--
Colin Watson [cjwatson@ubuntu.com]
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
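
Added example, not part of the original message and not apt's code: a stand-alone check showing why an unexpired Valid-Until does not catch a Release file from another distribution, while the codename comparison does. Assumptions: the sample Release header is constructed, the function names are hypothetical, and the match is simplified to an exact comparison against Codename or Suite.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header of a Release file for "trusty" (not real archive data).
SAMPLE_TRUSTY_RELEASE = """\
Origin: Ubuntu
Suite: trusty
Codename: trusty
Date: Thu, 08 May 2014 14:19:09 UTC
Valid-Until: Thu, 15 May 2014 14:19:09 UTC
Components: main restricted
MD5Sum:
 00000000000000000000000000000000 12 main/binary-amd64/Packages
"""

def parse_release_header(text):
    """Return the single-line 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():  # skip continuation lines (hash lists)
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_release(text, expected_dist, now):
    """Return a list of problems; an empty list means both checks passed."""
    fields = parse_release_header(text)
    problems = []
    # Simplified stand-in for the distribution check quoted above.
    if expected_dist not in (fields.get("Codename"), fields.get("Suite")):
        problems.append("conflicting distribution: expected %s but got %s"
                        % (expected_dist, fields.get("Codename", "(none)")))
    valid_until = fields.get("Valid-Until")
    if valid_until is None:
        problems.append("no Valid-Until field")
    else:
        expires = parsedate_to_datetime(valid_until)
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires < now:
            problems.append("expired: Valid-Until %s" % valid_until)
    return problems

if __name__ == "__main__":
    inside_window = datetime(2014, 5, 10, tzinfo=timezone.utc)
    print(check_release(SAMPLE_TRUSTY_RELEASE, "xenial", inside_window))
```

Inside the validity window the only finding for a source configured as xenial is the conflicting distribution, which is the condition the quoted code reports as a warning.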