Debian/Ubuntu security apt phun

Debian/Ubuntu security apt phun https://www.ubuntu.com/usn/usn-3156-1/ 13th December, 2016 An attacker could trick APT into installing altered packages. https://www.debian.org/security/2016/dsa-3733 can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution. Likely besides the nsa, others enjoyed this too (have seen multi user debian mirror with world writable stuff at /etc) And how do you update apt if it is broken? ;)