debian's apt is still vulnerable to replay attacks, are you kidding me? how is this not a priority?