Still, a valid point for the vast majority of other package managers, including apt. At some point, you have to trust somebody though.
Which is where your $PATH is often contained.
If an attacker can modify your $PATH (and has write-access to $HOME), you're pretty much done for.
Reading 'apt' source code is highly unlikely for the majority of programmers I know.
1) Find list of applicable binary packages, for example by taking a look at https://packages.debian.org/source/wheezy/apt
2) Download http://security.debian.org/dists/wheezy/updates/InRelease, and verify the gpg signature against the archive signing key, found in /etc/apt/trusted.gpg alt. in /etc/apt/trusted.gpg.d/*.gpg
3) Download http://security.debian.org/dists/wheezy/updates/main/binary-..., and verify that its sha256 sum matches what you have in your previously downloaded InRelease file.
4) Inside the downloaded Packages.bz2 you'll find the relative paths as well as the sha256 sums of the packages you want to download.
If nothing else this is a good exercise to see how the different pieces fit together.
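The hash-chain half of the four steps above (InRelease lists the Packages index, the Packages index lists the .deb), as an added example that is not code from the thread or from apt. It runs offline on constructed sample data: the .deb bytes, the one-stanza Packages file and the InRelease body are all made up here, and the version string and pool path are placeholders. Step 2 (the GPG check against /etc/apt/trusted.gpg) is not reproduced; the comment in the fake armor block shows the gpgv call you would use for it.

```python
"""Hash-chain part of the manual apt check described above (InRelease ->
Packages -> .deb). Added example, not code from the thread; runs offline on
constructed data. Step 2 (gpgv against /etc/apt/trusted.gpg) is not reproduced."""
import hashlib
import re


def parse_release_sha256(release_text):
    """Return {relative path: (sha256 hex, size)} from the SHA256: section of a
    Release/InRelease file; entry lines are indented: ' <hash> <size> <path>'."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a field name, armor line or blank line
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {Package: {field: value}} for the single-line fields of each stanza."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" "):          # continuation line (Description body)
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        pkgs[fields["Package"]] = fields
    return pkgs


def verify_blob(data, expected_sha256, expected_size):
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_sha256


def verify_chain(release_text, packages_path, packages_bytes, name, deb_bytes):
    """Steps 3 and 4: Packages must match InRelease, the .deb must match Packages.
    Returns (True, pool path) or (False, reason)."""
    listed = parse_release_sha256(release_text)
    if packages_path not in listed:
        return False, "Packages index not listed in InRelease"
    if not verify_blob(packages_bytes, *listed[packages_path]):
        return False, "Packages index does not match InRelease"
    pkgs = parse_packages(packages_bytes.decode())
    if name not in pkgs:
        return False, "package not in index"
    entry = pkgs[name]
    if not verify_blob(deb_bytes, entry["SHA256"], int(entry["Size"])):
        return False, ".deb does not match Packages index"
    return True, entry["Filename"]


# Constructed sample data (not real archive contents): a stand-in .deb, a one-stanza
# Packages file describing it, and an InRelease body listing that Packages file.
FAKE_DEB = b"!<arch>\nnot a real package, just bytes for the example\n"
PACKAGES = (
    "Package: apt\n"
    "Version: 0.0.0-example\n"
    "Architecture: amd64\n"
    "Filename: pool/updates/main/a/apt/apt_0.0.0-example_amd64.deb\n"
    f"Size: {len(FAKE_DEB)}\n"
    f"SHA256: {hashlib.sha256(FAKE_DEB).hexdigest()}\n"
    "Description: commandline package manager\n"
    " Constructed stanza for the example.\n"
).encode()
PACKAGES_PATH = "main/binary-amd64/Packages"
INRELEASE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Origin: Debian\n"
    "Suite: example\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES):8d} {PACKAGES_PATH}\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES):8d} {PACKAGES_PATH}\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(armored signature omitted; check it with: gpgv --keyring /etc/apt/trusted.gpg InRelease)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(verify_chain(INRELEASE, PACKAGES_PATH, PACKAGES, "apt", FAKE_DEB))
    print(verify_chain(INRELEASE, PACKAGES_PATH, PACKAGES, "apt", FAKE_DEB + b"\x00"))
```

The size check matters as much as the hash: apt's own acquire code rejects a file whose length differs from the index entry before hashing it, and doing the same here means a truncated download fails fast instead of being fed to bzip2. Note that nothing in this chain is trustworthy until the InRelease signature has been checked against the archive key; a forged InRelease can list forged hashes just as easily.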
There are four specific scenarios that are vulnerable, and none of them appears to be the common scenario of updating packages. Details are still sparse, but this seems like a minor security update.
Original trust is a problem with no possible solution inside a computer.
You can check the package signatures for the downloaded debs in /var/cache/apt/archives by following the links for your architecture at the bottom of https://packages.debian.org/wheezy/apt
(You might need to check the rest of the apt-related debs as well. Just replace apt in the URL with the relevant package name and follow the links at the bottom to get the package hashes. If you're tracking sid instead of wheezy then just replace the distribution name in the URL.)
Interestingly both are given "urgency=low" ratings; at least 3 other updates have been medium urgency this year.
Edit: sorry should have said on Ubuntu; I've got libapt-inst1.5:amd64 (1.0.1ubuntu2.3) from trusty/main.
But it seems like the CVEs are unavailable, I'm getting 502 Proxy Errors.
It seems like four separate attack vectors are addressed in this update. This all is kind of surprising.
Anybody know how to find better descriptions of these bugs, or the patches that fixed them?
In the end I decided to close my eyes and hope for the best.
Also, does it really affect regular apt-get upgrades? "apt-get download" isn't a common way to run apt.
If you're asking more about verifying the files on your install, assuming you trust debsums and its data not to be pwned then you'd run debsums -c or whatever. Of course a real attacker would have their highest priority to mess with debsums and its data, hmm. Also debsums is quite slow and resource intensive, so pausing for 10 minutes doesn't mean it's crashed or infinite looped, it just means it's doing its thing. Finally, if you run vanilla and never compile and overwrite your own copy of "whatever" then debsums will work, but if for example you installed Debian's apache and then compiled your own apache and overwrote the Debian apache binaries (why?), all debsums is going to know is your apache isn't standard Debian apache, so that doesn't necessarily prove you're pwned or un-pwned, it just proves you're not running Debian's apache binary.
Google debsums, and this link will probably help
https://packages.debian.org/sid/debsums
Whatever you do, don't run "debsums -e" and freak out. At least not without reading the manpage and thinking about it a bit. OK debsums, thanks for letting me know someone modified /etc/ntp.conf, but I think that was me; seeing as we have three GPS clocks on the LAN I feel no need to panic. It is an interesting command to use to see how modified a machine's install is. Oh, I see you're running stock /etc/default/ssh and no modifications at all to /etc/sysctl.conf, how interesting.
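What debsums -c, -a and -e actually compare, as an added example that is not the thread's or the debsums package's own code. It reads the same format dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums (one "<md5>  <path relative to />" line per file), but runs against a throwaway root built here, with constructed files and a made-up package name, so it works offline. As the comment above says, this trusts the md5sums list it is handed; an attacker who can write /var/lib/dpkg/info can make it say whatever they like.

```python
"""What debsums -c / -a / -e do, reimplemented on a throwaway root so it runs offline.
Added example, not the thread's or debsums' own code. It trusts the md5sums data it is
given, exactly the caveat raised above about /var/lib/dpkg/info."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """dpkg's <pkg>.md5sums format: '<md5 hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest
    return entries


def check_package_files(md5sums_text, conffiles=(), mode="default", root="/"):
    """Compare installed files with the recorded md5sums.
    mode: 'default' skips conffiles (as debsums does), 'all' checks them too (-a),
    'config' checks only conffiles (-e). Returns (ok, changed, missing) path lists."""
    conffiles = set(conffiles)
    ok, changed, missing = [], [], []
    for rel, expected in parse_md5sums(md5sums_text).items():
        is_conf = rel in conffiles
        if (mode == "default" and is_conf) or (mode == "config" and not is_conf):
            continue
        try:
            with open(os.path.join(root, rel), "rb") as f:
                actual = hashlib.md5(f.read()).hexdigest()
        except FileNotFoundError:
            missing.append(rel)
            continue
        (ok if actual == expected else changed).append(rel)
    return ok, changed, missing


def build_demo_root():
    """Constructed 'installed package': two files plus an md5sums list that also names
    a file which no longer exists; then the conffile gets a local edit."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/example-tool": b"#!/bin/sh\necho hi\n",
        "etc/example.conf": b"setting=1\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n" for rel, d in files.items())
    md5sums += f"{hashlib.md5(b'removed').hexdigest()}  usr/share/doc/example/README\n"
    with open(os.path.join(root, "etc/example.conf"), "ab") as f:
        f.write(b"local_change=1\n")          # the admin edited it, like /etc/ntp.conf above
    return root, md5sums, ["etc/example.conf"]


def demo(mode):
    """Run the check on the constructed root in the given mode."""
    root, md5sums, conffiles = build_demo_root()
    return check_package_files(md5sums, conffiles, mode, root)


if __name__ == "__main__":
    for mode in ("default", "all", "config"):
        print(mode, demo(mode))
```

Running it shows the three kinds of report the comment above is talking about: in the default mode the edited conffile is silently skipped and only the missing README is flagged, with -a (mode "all") the conffile shows up as changed, and with -e (mode "config") only the conffile is looked at, which is the "someone modified /etc/ntp.conf" output that is usually just the admin's own edit.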
You can write a script yourself, and run it independently of apt, though.
*Speaking in terms of the number of derivatives that also use apt
There's still plenty of disinfo about it, though. Which is sad, as it is probably the only sane distro left (besides CRUX and Gentoo, perhaps). Patrick Volkerding really is a genius.
Another bonus of going back to Slack would be avoiding the looming systemd switch in Jessie. I'm still on the fence about it; I'm not a conspiracy nut who thinks it's trying to destroy GNU/Linux, but I don't care for how big it's getting either. So far Pat has been good about staying with a traditional "if it ain't broke don't fix it" approach, which I find comforting. Let the other guys deal with bleeding edge! :)