This site may contain outdated or incomplete information.
APT didn’t enforce signature validation for source packages
It was discovered that APT’s crypto-based routines to verify binary package authenticity wasn’t being used for source packages.
Impact
- A CVE was assigned
- APT was fixed via a patch
- Discussion followed around further supply chain concerns
Type of compromise
Negligence - Insufficient client-side package authenticity verification
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.