Attacks against GPG signed APT repositories

12 points by jcapote, about 7 years ago

4 comments

whacker, about 7 years ago
This is such a frustrating clickbait headline!

Most of the 'attack's are:

1. Plain old bugs in apt.
2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!
parliament32, about 7 years ago
The main recommendation is "always serve your apt repo over TLS", however, apt doesn't use TLS by design: https://whydoesaptnotusehttps.com/
jwilk, about 7 years ago
--force-yes is bad, but for reasons that have nothing to do with replay attacks.

This option effectively disables package authentication. This is because it forces "yes" answer to *all* questions, including the question about installing unauthenticated packages.
jwilk, about 7 years ago
For a moment I thought there's a new research paper about attacks on APT. Nope. The paper the article links to is from 2008.
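
An added example, not part of the original thread and not apt's own code: a small Python audit that flags active lines in provisioning scripts, sources.list entries and apt.conf fragments that switch off the package authentication the comments above discuss (--force-yes and the related real apt options --allow-unauthenticated, --allow-insecure-repositories, [trusted=yes] and their configuration keys). The function names and the sample lines are constructed for illustration.

```python
import re

def _flag(name):
    # Match a command-line flag as a whole token, e.g. "--force-yes".
    return re.compile(r"(?<![\w-])--" + re.escape(name) + r"(?![\w-])")

def _conf(key):
    # Match an apt.conf key set to a true value, as `Key "true";` or `-o Key=true`.
    return re.compile(re.escape(key) + r"[\s=]+\"?(?:true|yes|1)\b", re.I)

# Real apt options that switch off package or repository authentication.
RULES = [
    ("--force-yes", _flag("force-yes")),
    ("--allow-unauthenticated", _flag("allow-unauthenticated")),
    ("--allow-insecure-repositories", _flag("allow-insecure-repositories")),
    ("APT::Get::force-yes", _conf("APT::Get::force-yes")),
    ("APT::Get::AllowUnauthenticated", _conf("APT::Get::AllowUnauthenticated")),
    ("Acquire::AllowInsecureRepositories", _conf("Acquire::AllowInsecureRepositories")),
    ("[trusted=yes]", re.compile(r"^\s*deb(?:-src)?\s+\[[^\]]*\btrusted=yes\b", re.I)),
]

def audit(text):
    """Return (line_number, rule, line) for each active line that weakens apt authentication."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue  # skip blanks and shell / sources.list / apt.conf comments
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((number, rule, stripped))
    return findings

# Constructed sample: lines from a provisioning script, a sources.list and an apt.conf fragment.
SAMPLE = """\
apt-get update
apt-get install -y --force-yes nginx
apt-get install -y curl
# apt-get install --allow-unauthenticated foo
apt-get -o APT::Get::AllowUnauthenticated=true install bar
deb [arch=amd64 trusted=yes] http://repo.example.invalid/debian stable main
deb [arch=amd64] http://deb.debian.org/debian stable main
APT::Get::force-yes "true";
APT::Get::force-yes "false";
"""

if __name__ == "__main__":
    for number, rule, line in audit(SAMPLE):
        print(f"line {number}: {rule}: {line}")
```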