Re: task-laptop: please recommend automatic apt proxying

To: debian-devel@lists.debian.org
Subject: Re: task-laptop: please recommend automatic apt proxying
From: Russ Allbery <rra@debian.org>
Date: Wed, 15 Sep 2021 10:32:49 -0700
Message-id: <[🔎] 878rzxsq0u.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 87czp9sq5s.fsf@hope.eyrie.org> (Russ Allbery's message of "Wed, 15 Sep 2021 10:29:51 -0700")
References: <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] YS9EywR3MQKlBn47@alf.mars> <[🔎] 3be2fcffdc1187466bd56e19e61a405a51e6e936.camel@43-1.org> <[🔎] 87r1e82w28.fsf@hope.eyrie.org> <[🔎] 20210902102215.f99248e0ff859b8cc478128b@iijmio-mail.jp> <YTiZ2fipJll/LgKz@alf.mars> <[🔎] 24dc1dc6-10f9-11ec-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] YTsKZKro5X4g4UAf@alf.mars> <[🔎] 20210915171046.GB7578@mithrandir.lan.emorrp1.name> <[🔎] 87czp9sq5s.fsf@hope.eyrie.org>

Russ Allbery <rra@debian.org> writes:

> Please do not do this.  I do not want to have to reason about the
> security impact of someone who controls local DNS taking over my apt
> sources.

Incidentally, this is also exactly why I believe we should be using https
by default, so that a compromise of the local DNS to point to an untrusted
apt server fails at the TLS certificate validation stage rather than
continuing on to talk to an untrusted apt server for sufficiently long to
start downloading files and checking signatures and thus exposing more
attack surface.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Michael Stone <mstone@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- task-laptop: please recommend automatic apt proxying
  - From: Phil Morrell <debian@emorrp1.name>
- Re: task-laptop: please recommend automatic apt proxying
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: task-laptop: please recommend automatic apt proxying
Next by Date: Bug#994427: ITP: obs-text-slideshow -- plugin for OBS Studio to present texts in videos
Previous by thread: Re: task-laptop: please recommend automatic apt proxying
Next by thread: Bug#993436: ITP: golang-github-itchyny-timefmt-go -- Efficient time formatting library (strftime, strptime) for Go
Index(es):
- Date
- Thread