[Bug 1858973] Re: python-apt downloads from untrusted sources where apt does not
Steve Beattie
sbeattie at ubuntu.com
Fri Jan 31 19:49:42 UTC 2020
** Summary changed:
- placeholder
+ python-apt downloads from untrusted sources where apt does not
** Description changed:
- Placeholder bug.
+ python-apt never checked whether the hashes it got were signed in the
+ first place. So, python-apt is happy to download files from unsigned
+ repositories when it shouldn't.
+
+ Making the code only fetch trusted packages means that using it on
+ untrusted packages will fail. There might be use cases broken by this.
** Information type changed from Private Security to Public Security
--
https://bugs.launchpad.net/bugs/1858973
Title:
python-apt downloads from untrusted sources where apt does not
Status in aptdaemon package in Ubuntu:
Fix Released
Status in python-apt package in Ubuntu:
Fix Released
Bug description:
python-apt never checked whether the hashes it got were signed in the
first place. So, python-apt is happy to download files from unsigned
repositories when it shouldn't.
Making the code only fetch trusted packages means that using it on
untrusted packages will fail. There might be use cases broken by this.