[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: task-laptop: please recommend automatic apt proxying

Phil Morrell <debian@emorrp1.name> writes:

> Package: task-laptop
> Version: 3.53
> Severity: wishlist

> I'm not sure on the difference between auto-apt-proxy and
> squid-deb-proxy-client. Avahi is already pulled in by task-laptop.

Please do not do this.  I do not want to have to reason about the security
impact of someone who controls local DNS taking over my apt sources.  I
understand that people believe that this is harmless because of apt
signature checking, but it still opens more attack paths and routes to
exercise other possible vulnerabilities.

The safe default for Debian in any standard installation mode, which I
believe includes tasks, is to talk explicitly to Debian infrastructure.
If people would like to improve local performance, they should automate
the configuration of the machines that they control, with the permission
and understanding of the people who are using those machines.

We should not enable people who control the local network but not the
Debian system to dynamically change security-relevant configuration of
that system, which I believe includes apt sources, without explicit

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to: