by wildmusings 2711 days ago
That’s not quite the same attack. What you describe can only keep you from updating at all, freezing you at whatever your current version is. The attack described above would let the MITM choose the exact version to update you to.

Absolutely not: the installer blocks downgrade attacks.
I’m not talking about a downgrade attack. I’m talking about upgrading to a known vulnerable version. You are at version X, attacker upgrades you to known vulnerable version X+1, even though the real latest version X+2 has a fix.