I am aware that installing and updating packages through apt-get should be fairly secure because an attacker supposedly should not be able to interfere or inject packets into the downloads as well as because the packages are signed, with the checksums being verified before(?) the installation.
Consider the case of an attacker performing a man-in-the-middle attack on an apt-get command. If the attacker caused a DNS cache poisoning and redirected the downloads to a server he controls, especially since the downloads are requested using HTTP only, couldn’t the attacker cause the system to download a compromised version of the Release and Packages files, and then push compromised versions of packages to the system? Wouldn’t that then look all correct to apt-get which could then go on to install a compromised package?
Can the attacker not make a mirror of an official repository, compromise some of the packages, say only the firefox or tor packages, modify the Release and Packages files accordingly with the new checksums/hashes, then redirect through DNS spoofing the system to download these?
I’m limiting the discussion to downloads from official repositories only.
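
Added example (not part of the original question, and not apt's own code): the hash chain apt follows from Release to Packages to a .deb, written in Python and run on constructed sample data. The function names and sample contents are assumptions, and the OpenPGP signature check on Release, which apt performs against its locally trusted keys, is assumed to have happened before `verify_chain` is called.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(text):
    """Map path -> (digest, size) from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(text):
    """Map package name -> fields (single-line fields only)."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        index[fields["Package"]] = fields
    return index

def verify_chain(release, path, packages, name, deb):
    """Release -> Packages -> .deb. Assumes Release's signature was already verified."""
    listed = parse_release_sha256(release).get(path)
    if listed != (sha256(packages), len(packages)):
        return "Packages does not match Release"
    entry = parse_packages(packages.decode()).get(name)
    if entry is None or (entry["SHA256"], int(entry["Size"])) != (sha256(deb), len(deb)):
        return "deb does not match Packages"
    return "ok"

# Constructed sample data (not real repository contents).
def build_packages(name, deb):
    return (f"Package: {name}\nVersion: 1.0\nSize: {len(deb)}\n"
            f"SHA256: {sha256(deb)}\n").encode()

def build_release(path, packages):
    return f"Suite: stable\nSHA256:\n {sha256(packages)} {len(packages)} {path}\n"

PATH = "main/binary-amd64/Packages"
GOOD_DEB, BAD_DEB = b"constructed genuine bytes", b"constructed modified bytes"
GOOD_PACKAGES, BAD_PACKAGES = build_packages("firefox", GOOD_DEB), build_packages("firefox", BAD_DEB)
SIGNED_RELEASE = build_release(PATH, GOOD_PACKAGES)  # stands for the Release that passed signature check
```

A Release regenerated to match modified indexes passes these hash checks on its own, so the signature on Release is the step that ties the whole chain to the archive's key.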