This site may contain outdated or incomplete information.

Follow along or join the revision effort!

APT didn’t enforce signature validation for source packages

It was discovered that APT’s crypto-based routines to verify binary package authenticity wasn’t being used for source packages.

Impact

A CVE was assigned
APT was fixed via a patch
Discussion followed around further supply chain concerns

Type of compromise

Negligence - Insufficient client-side package authenticity verification

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.