Ironic, given the previous discussion on why apt shouldn't use HTTPS connections. With full end-to-end SSL validation, this kind of vulnerability can't exist. Should be interesting to see how the community reacta to this.

Weren't PGP signatures supposed to ensure integrity? How is this being bypassed?

Please use the original title.