by rlpb 3040 days ago
Additionally the article appears to intentionally conflate "issues" such as "if you turn security off" or "if the repository isn't signed" to make their list of possible issues look bigger. None of these are "Attacks against GPG signed APT repositories".
2 comments

We never suggest that you turn security off -- several versions of APT come with various settings defaulted to off, as described in the article.

All of the attacks presented (replay attacks, freeze attacks, and downgrade attacks) affect GPG signed APT repositories.

What about a replay attack? Providing apt with old metadata and packages?

Yes, plain text APT repositories (signed with GPG or not) are vulnerable to freeze attacks.

The release files have 'Valid-Until' fields, which will cause apt to reject it on replay.

APT will not reject it on replay if the 'Valid-Until' date has not been met yet.

Imagine a version of, say, libEXAMPLE has a vulnerability allowing remote code execution. The `Valid-Until` date is some time in the future, maybe a few days from now. The authors release a new version of libEXAMPLE to patch the vulnerability and the APT repository metadata is updated.

However, a malicious actor performing a MitM against your machine has saved the metadata with the vulnerable version. The malicious actor replays that metadata to your system, preventing your system from seeing the newly patched libEXAMPLE. This gives the attacker up until the `Valid-Until` date to attempt to launch an attack against you.
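An added example, not part of the thread or of APT's own code: a check a defender could run over an already signature-verified Release file to see how long a saved copy stays replayable, and whether it is older than metadata the host has accepted before. The `last_seen_date` state, the function names and the sample Release content are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%a, %d %b %Y %H:%M:%S UTC"  # timestamp format used in Release files

def parse_release(text):
    """Return the single-line header fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(" ") or ":" not in line:
            continue  # skip hash-list continuation lines
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def assess(text, now, last_seen_date=None):
    """Return (findings, replay_window) for an already signature-verified Release."""
    fields = parse_release(text)
    findings, window = [], None
    if "Valid-Until" not in fields:
        findings.append("no-valid-until")  # a saved copy never expires
    else:
        until = _ts(fields["Valid-Until"])
        if now > until:
            findings.append("expired")
        window = max(until - now, timedelta(0))
    # Hypothetical client-side state: the newest Date this host has accepted.
    if last_seen_date and "Date" in fields and _ts(fields["Date"]) < last_seen_date:
        findings.append("older-than-last-seen")
    return findings, window

# Constructed sample: metadata saved before the fixed package was published.
SAVED_RELEASE = """\
Origin: Example
Suite: stable
Date: Fri, 01 Jun 2018 00:00:00 UTC
Valid-Until: Fri, 08 Jun 2018 00:00:00 UTC
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

if __name__ == "__main__":
    now = datetime(2018, 6, 3, tzinfo=timezone.utc)
    print(assess(SAVED_RELEASE, now))  # fresh host: no findings, window still open
    print(assess(SAVED_RELEASE, now, datetime(2018, 6, 2, tzinfo=timezone.utc)))
```

A host that has never seen the newer metadata gets no finding at all, which is the exposure described above; only the remaining window tells you how long it lasts.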