Thursday 24 November 2016

Re: Rejecting SHA1-signed repositories by default (Ubuntu edition)

On Thu, Nov 24, 2016 at 07:18:44AM -0500, Marc Deslauriers wrote:
> There is also: An attacker could simply supply the Trusty file that includes a
> Valid-Until line to Xenial users.

I believe that at least generates a warning now, and perhaps could be
promoted to an error at some point (perhaps conditionally on a new
flag?). pkgAcqMetaBase::VerifyVendor in apt-pkg/acquire-item.cc:

// One day that might become fatal…
auto const ExpectedDist = TransactionManager->MetaIndexParser->GetExpectedDist();
auto const NowCodename = TransactionManager->MetaIndexParser->GetCodename();
if (TransactionManager->MetaIndexParser->CheckDist(ExpectedDist) == false)
_error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"),
Desc.Description.c_str(), ExpectedDist.c_str(), NowCodename.c_str());

--
Colin Watson [cjwatson@ubuntu.com]

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel