Bug 169190

Summary: [3.1] Adept does not warn if packages are unsigned/signature fails
Product: adept
Reporter: Scott Kitterman <kde>
Component: general
Assignee: Peter Rockai <me>
Status: RESOLVED UNMAINTAINED
Severity: normal
CC: adaptee
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In:

Description Scott Kitterman 2008-08-15 18:15:44 UTC
Version:            (using KDE 3.5.9)
Installed from:    Ubuntu Packages
OS:                Linux

Generally, other package managers (e.g. apt or synaptic) warn the user if packages are unsigned. While this might have at one point been a nice-to-have feature, in the current era of DNS cache poisoning attacks, package signatures are the only guarantee we have that the package being installed is authentic. This is essential.

In the past, I would have categorized this as a wish, but no longer.

Comment 1 Peter Rockai 2008-08-15 18:21:04 UTC
The possibility of attack has been roughly the same, DNS poisoning or not. I don't think the risk is any higher nowadays than it was a few years ago. (Really, do you know how efficient HTTP certificate warnings are? Below 1%, at least that's a quote from a private study evaluating man-in-the-middle attacks against HTTPS. Sad, I know. But users generally just ignore security warnings. I have no idea why, really.)

Comment 2 Jekyll Wu 2013-09-21 04:44:18 UTC
Adept has been in an unmaintained state for a few years. Use muon[1] as a replacement.

[1] https://launchpad.net/muon