Re: Apt sources.list

To: debian-user@lists.debian.org
Subject: Re: Apt sources.list
From: davidson <davidson@freevolt.org>
Date: Sun, 16 Apr 2023 00:14:46 +0000 (UTC)
Message-id: <[🔎] alpine.DEB.2.21.2304152316260.2425@azone.org>
In-reply-to: <[🔎] ZDsvBre6FCnnTyfU@wooledge.org>
References: <[🔎] 20230415081117.13655c70@yosemite.mars.lan> <[🔎] 15042023132141.bd720baf79f7@desktop.copernicus.org.uk> <[🔎] ZDqd9oXDlldenbOa@wooledge.org> <[🔎] 20230415130127.GC2480@phcomp.co.uk> <[🔎] 20230415110052.13e41140@yosemite.mars.lan> <[🔎] 20230415161857.tsuodcy3nzdqnjnq@randomstring.org> <[🔎] ZDri2FEbSo1KNAhw@tuxteam.de> <[🔎] alpine.DEB.2.21.2304152053090.2425@azone.org> <[🔎] ZDsvBre6FCnnTyfU@wooledge.org>

On Sat, 15 Apr 2023 Greg Wooledge wrote:

On Sat, Apr 15, 2023 at 10:54:10PM +0000, davidson wrote:

In case you wish to obscure what software you *install*, but need not
conceal the software you *download*:

 Step one: Make a list of the packages you want, and then augment it
 with as many plausible alternatives and red herrings as you like.

 Step two:
 $ apt-get -d install <many packages>

This downloads the packages only, so you can download packages you
will *not* install, along with ones you will. Then install the proper
subset you want installed, without the '-d' option.


I'm at a loss as to what threat model this is supposed to protect
against.


The answer to *that* question was written on the tin.

Instead, you mean to question the existence of actors who *do* care
what some administrator installs, but do not care what they download.

An entirely fair question. Their existence is a logical possibility.
Since you ask, I don't think their presence is inconceivable.

Ritter wrote...

  "It's nice not to be telling everyone who can sniff a plaintext
  connection which packages you are installing"

I consider it an interesting problem.

In the obvious one ("Comrade Davidson has downloaded package A.  Let's
bump up the priority of his surveillance."), downloading flagged package A
*and* possibly-flagged package B is just going to make your situation
worse, not better.


I explicitly stated, twice (both from the start, and at the conclusion
trimmed by you) that the method does NOT apply to such a threat model.

So here you have helpfully provided a hypothetical narrative to
illustrate a point I wished to make extremely clear.

Now, personally I don't feel this is a threat model that I need to
worry about.  I just use plain old http sources at home, and if
"They" learn that I've downloaded rxvt-unicode and mutt, well, good
for Them.


We do not seem to be having an argument.

--
Hackers are free people. They are like artists. If they are in a good
mood, they get up in the morning and begin painting their pictures.
-- Vladimir Putin

Reply to:

References:
- Apt sources.list
  - From: <paulf@quillandmouse.com>
- Re: Apt sources.list
  - From: Brian <ad44@cityscape.co.uk>
- Re: Apt sources.list
  - From: Greg Wooledge <greg@wooledge.org>
- Re: Apt sources.list
  - From: Alain D D Williams <addw@phcomp.co.uk>
- Re: Apt sources.list
  - From: <paulf@quillandmouse.com>
- Re: Apt sources.list
  - From: Dan Ritter <dsr@randomstring.org>
- Re: Apt sources.list
  - From: <tomas@tuxteam.de>
- Re: Apt sources.list
  - From: davidson <davidson@freevolt.org>
- Re: Apt sources.list
  - From: Greg Wooledge <greg@wooledge.org>

Prev by Date: Re: youtube-dl → yt-dlp, was Re: OT: Detecting ISP throttling (was: Re: Potentially OT. Videos lagging & buffering in any browser but Google Chrome.)
Next by Date: Re: Apt sources.list
Previous by thread: Re: Apt sources.list
Next by thread: Re: Apt sources.list
Index(es):
- Date
- Thread