Well, it’s happened before, so it was bound to happen again: a remote code execution bug was found in APT. And it’s particularly interesting in the context of an age-old debate that has been dragging on in Debian-related circles about the use of HTTPS – a question that has been asked often enough that the answer has its own website now.
How bad was it? What is there to learn from this? And what does it tell us about the importance of HTTPS in package management security?