From: Arnaud Ebalard <arno <at> natisbad.org>
Subject: Bug#485960: APT https method does not verify peer certificate by default
Newsgroups: gmane.linux.debian.apt.devel
Date: Thursday 12th June 2008 16:32:09 UTC (over 9 years ago)
Package: apt
Version: 0.7.14
Severity: normal

By default, the APT https method does not check the server certificate, but only
that the identity in the certificate does match the server name. From a
security standpoint (even if list of packages can otherwise be signed,
this might not be the case), this makes https useless without explicitly
setting the (undocumented) option to true.

I already sent some comments and a set of patches that fixes the issue
(and others) for discussions, directly to [email protected], but
got no reply:

http://permalink.gmane.org/gmane.linux.debian.apt.devel/14771

I decided to file a bug report. Is that the correct way to handle that?

Cheers,

a+
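
Added example (not part of the original message or of APT's code): a small audit that reads apt.conf-style text and lists which HTTPS repository hosts would be fetched without peer certificate verification. It assumes the option the report leaves unnamed is apt.conf's `Acquire::https::Verify-Peer`, uses `default=False` to model the default behaviour the report describes, and runs on a constructed sample configuration with hypothetical host names.

```python
import re

# Flat-form directive: Acquire::https[::<host>]::Verify-Peer "<value>";
# Assumption: only this one-line form is parsed, not nested-brace apt.conf blocks.
DIRECTIVE = re.compile(
    r'^\s*Acquire::https::(?:(?P<host>[^:\s]+)::)?Verify-Peer\s+"(?P<val>[^"]*)"\s*;',
    re.IGNORECASE | re.MULTILINE,
)
# Strings that APT's boolean parsing accepts as true.
TRUE_VALUES = {"true", "yes", "1", "on", "with", "enable"}


def effective_verify_peer(conf_text, default=False):
    """Map '*' (global) and each per-host override to its Verify-Peer value.

    Later directives override earlier ones for the same key. Lines starting
    with '//' do not match the pattern and are ignored.
    """
    settings = {"*": default}
    for m in DIRECTIVE.finditer(conf_text):
        key = (m.group("host") or "*").lower()
        settings[key] = m.group("val").strip().lower() in TRUE_VALUES
    return settings


def unverified_hosts(conf_text, hosts, default=False):
    """Return the hosts whose certificate chain would not be verified."""
    settings = effective_verify_peer(conf_text, default)
    # A per-host setting wins over the global one.
    return [h for h in hosts if not settings.get(h.lower(), settings["*"])]


# Constructed sample configuration and hosts, not taken from the bug report.
SAMPLE_CONF = '''
// global setting turned on explicitly
Acquire::https::Verify-Peer "true";
// per-host override that silently disables the check again
Acquire::https::mirror.example.org::Verify-Peer "false";
// Acquire::https::Verify-Peer "false";
'''
HOSTS = ["deb.example.net", "mirror.example.org"]

if __name__ == "__main__":
    print("no configuration:", unverified_hosts("", HOSTS))
    print("sample configuration:", unverified_hosts(SAMPLE_CONF, HOSTS))
```

With no configuration at all, every host is reported, which is the situation the report objects to; with the sample configuration only the host carrying the per-host override remains.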