Re: task-laptop: please recommend automatic apt proxying

To: Phil Morrell <debian@emorrp1.name>
Cc: debian-devel@lists.debian.org, 994409@bugs.debian.org
Subject: Re: task-laptop: please recommend automatic apt proxying
From: Russ Allbery <rra@debian.org>
Date: Wed, 15 Sep 2021 10:29:51 -0700
Message-id: <[🔎] 87czp9sq5s.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20210915171046.GB7578@mithrandir.lan.emorrp1.name> (Phil Morrell's message of "Wed, 15 Sep 2021 18:10:46 +0100")
References: <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] YS9EywR3MQKlBn47@alf.mars> <[🔎] 3be2fcffdc1187466bd56e19e61a405a51e6e936.camel@43-1.org> <[🔎] 87r1e82w28.fsf@hope.eyrie.org> <[🔎] 20210902102215.f99248e0ff859b8cc478128b@iijmio-mail.jp> <YTiZ2fipJll/LgKz@alf.mars> <[🔎] 24dc1dc6-10f9-11ec-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] YTsKZKro5X4g4UAf@alf.mars> <[🔎] 20210915171046.GB7578@mithrandir.lan.emorrp1.name>

Phil Morrell <debian@emorrp1.name> writes:

> Package: task-laptop
> Version: 3.53
> Severity: wishlist

> I'm not sure on the difference between auto-apt-proxy and
> squid-deb-proxy-client. Avahi is already pulled in by task-laptop.

Please do not do this.  I do not want to have to reason about the security
impact of someone who controls local DNS taking over my apt sources.  I
understand that people believe that this is harmless because of apt
signature checking, but it still opens more attack paths and routes to
exercise other possible vulnerabilities.

The safe default for Debian in any standard installation mode, which I
believe includes tasks, is to talk explicitly to Debian infrastructure.
If people would like to improve local performance, they should automate
the configuration of the machines that they control, with the permission
and understanding of the people who are using those machines.

We should not enable people who control the local network but not the
Debian system to dynamically change security-relevant configuration of
that system, which I believe includes apt sources, without explicit
permission.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: task-laptop: please recommend automatic apt proxying
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Michael Stone <mstone@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- task-laptop: please recommend automatic apt proxying
  - From: Phil Morrell <debian@emorrp1.name>

Prev by Date: task-laptop: please recommend automatic apt proxying
Next by Date: Re: task-laptop: please recommend automatic apt proxying
Previous by thread: task-laptop: please recommend automatic apt proxying
Next by thread: Re: task-laptop: please recommend automatic apt proxying
Index(es):
- Date
- Thread