Comment 71 for bug 24061

I am on a university network that fake DNS responses to re-direct you to a login page before you are allowed to access the external network. This is a pretty common setup for wifi on e.g. airports, restaurants, hotels, etc.

I hit this bug reliably if an apt-get update is run while I am connected to the network but not logged in. Presumably apt-get thinks it is fetching index files, but gets copies of the login page instead, which breaks the cache. It is possible that a lot of these bug reports are caused by Ubuntu's automatic update of the apt cache running while the user is on such a network.

Apart from the annoyance, isn't this a security issue? Since Ubuntu default is to automatically update the package index without user request, one cannot be sure what kind of network the user is on when it happens. If it is an untrusted network there is obviously the risk of denial-of-service (breakage of the user's apt cache), if not worse (feed user fake data?). Isn't some kind of key-signature thing needed before any changes happens in the apt cache?