Bug 169190 - [3.1] Adept does not warn if packages are unsigned/signature fails
Status: RESOLVED UNMAINTAINED
Alias: None
Product: adept
Classification: Miscellaneous
Component: general
Version: unspecified
Platform: Ubuntu Linux
: NOR normal
Target Milestone: ---
Assignee: Peter Rockai
Reported: 2008-08-15 18:15 UTC by Scott Kitterman
Modified: 2013-09-21 04:44 UTC
Description Scott Kitterman 2008-08-15 18:15:44 UTC
Version:            (using KDE 3.5.9)
Installed from:    Ubuntu Packages
OS:                Linux

Generally, other package managers (e.g. apt or synaptic) warn the user if packages are unsigned. While this might have at one point been a nice-to-have feature, in the current era of DNS cache poisoning attacks, package signatures are the only guarantee we have that the package being installed is authentic. This is essential.

In the past, I would have categorized this as a wish, but no longer.
Comment 1 Peter Rockai 2008-08-15 18:21:04 UTC
The possibility of attack has been roughly the same, DNS poisoning or not. I don't think the risk is nowadays any higher than it was a few years ago. (Really, do you know how efficient http certificate warnings are? Below 1%, at least that's a quote from a private study evaluating man-in-the-middle attacks against https. Sad, I know. But users generally just ignore security warnings. I have no idea why, really.)
Comment 2 Jekyll Wu 2013-09-21 04:44:18 UTC
Adept has been in the unmaintained state for a few years. Use muon[1] as a replacement.

[1] https://launchpad.net/muon