This is such a frustrating clickbait headline!

Most of the 'attacks' are:

1. Plain old bugs in apt.
2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!
The main recommendation is "always serve your apt repo over TLS", however, apt doesn't use TLS by design: https://whydoesaptnotusehttps.com/
--force-yes is bad, but for reasons that have nothing to do with replay attacks.

This option effectively disables package authentication. This is because it forces a "yes" answer to all questions, including the question about installing unauthenticated packages.