Debian Bug report logs - #848279
deprecate InRelease in favor of Release.gpg

Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Patrick Schleizer <adrelanos@riseup.net>

Date: Thu, 15 Dec 2016 22:18:02 UTC

Severity: wishlist

Done: Julian Andres Klode <jak@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, whonix-devel@whonix.org, APT Development Team <deity@lists.debian.org>:
Bug#848279; Package apt. (Thu, 15 Dec 2016 22:18:04 GMT)


Acknowledgement sent to Patrick Schleizer <adrelanos@riseup.net>:
New Bug report received and forwarded. Copy sent to whonix-devel@whonix.org, APT Development Team <deity@lists.debian.org>. (Thu, 15 Dec 2016 22:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Patrick Schleizer <adrelanos@riseup.net>
To: submit@bugs.debian.org
Subject: deprecate InRelease in favor of Release.gpg
Date: Thu, 15 Dec 2016 22:16:00 +0000
Package: apt
Severity: wishlist
X-Debbugs-CC: whonix-devel@whonix.org

In light of CVE-2016-1252...

When there is Release.gpg implemented in apt, why not deprecate InRelease?




Reply sent to Julian Andres Klode <jak@debian.org>:
You have taken responsibility. (Thu, 15 Dec 2016 22:36:05 GMT)


Notification sent to Patrick Schleizer <adrelanos@riseup.net>:
Bug acknowledged by developer. (Thu, 15 Dec 2016 22:36:05 GMT)


Message #10 received at 848279-done@bugs.debian.org:

From: Julian Andres Klode <jak@debian.org>
To: Patrick Schleizer <adrelanos@riseup.net>, 848279-done@bugs.debian.org
Subject: Re: Bug#848279: deprecate InRelease in favor of Release.gpg
Date: Thu, 15 Dec 2016 23:33:02 +0100

On Thu, Dec 15, 2016 at 10:16:00PM +0000, Patrick Schleizer wrote:
> Package: apt
> Severity: wishlist
> X-Debbugs-CC: whonix-devel@whonix.org
> 
> In light of CVE-2016-1252...
> 
> When there is Release.gpg implemented in apt, why not deprecate InRelease?

You got that wrong. We deprecated Release.gpg in preference
of InRelease: Unfortunately, Release.gpg breaks atomic updates
of repositories (because Release and Release.gpg need to be updated
at the same time) and thus breaks update runs randomly with hash
sum mismatches.

So, there's really nothing we can do here.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
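
The atomicity point made in the reply above, as an added example that is not part of the original thread and is not apt's code: a mirror that publishes `Release` and `Release.gpg` as two separate writes has an intermediate state in which the two files do not belong together, while a single `InRelease` file has none. HMAC stands in for the OpenPGP signature so the example runs offline; the key, function names, the `--SIG--` separator and the sample Release contents are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the archive signing key


def sign(data: bytes) -> bytes:
    # HMAC stands in for an OpenPGP signature (assumption for this demo).
    return hmac.new(KEY, data, hashlib.sha256).hexdigest().encode()


def publish_split(mirror: dict, release: bytes):
    """Detached layout: two files, so two separate writes on the mirror."""
    mirror["Release"] = release
    yield "Release written, Release.gpg still old"
    mirror["Release.gpg"] = sign(release)
    yield "both files written"


def publish_inline(mirror: dict, release: bytes):
    """Inline layout: data and signature travel in one file, one write."""
    mirror["InRelease"] = release + b"\n--SIG--\n" + sign(release)
    yield "InRelease written"


def fetch_split(mirror: dict) -> bool:
    """Client fetches both files and checks the signature covers the data."""
    return hmac.compare_digest(sign(mirror["Release"]), mirror["Release.gpg"])


def fetch_inline(mirror: dict) -> bool:
    """Client fetches one file and checks its embedded signature."""
    data, _, sig = mirror["InRelease"].partition(b"\n--SIG--\n")
    return hmac.compare_digest(sign(data), sig)


def run(publish, fetch, old: bytes, new: bytes) -> list:
    """Publish `old` fully, then fetch after every step of publishing `new`."""
    mirror = {}
    for _ in publish(mirror, old):
        pass
    return [(step, fetch(mirror)) for step in publish(mirror, new)]


OLD = b"Suite: stable\nDate: constructed-1\n"  # constructed sample Release
NEW = b"Suite: stable\nDate: constructed-2\n"  # constructed sample Release

if __name__ == "__main__":
    print("split :", run(publish_split, fetch_split, OLD, NEW))
    print("inline:", run(publish_inline, fetch_inline, OLD, NEW))
```

The split run reports a failed check for the state between the two writes; the inline run has no such state.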



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jan 2017 07:28:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 27 04:51:14 2018; Machine Name: buxtehude
