[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: task-laptop: please recommend automatic apt proxying

Russ Allbery <rra@debian.org> writes:

> Please do not do this.  I do not want to have to reason about the
> security impact of someone who controls local DNS taking over my apt
> sources.

Incidentally, this is also exactly why I believe we should be using https
by default, so that a compromise of the local DNS to point to an untrusted
apt server fails at the TLS certificate validation stage rather than
continuing on to talk to an untrusted apt server for sufficiently long to
start downloading files and checking signatures and thus exposing more
attack surface.

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to: