On 2023-04-15 at 19:11, Greg Wooledge wrote: > On Sat, Apr 15, 2023 at 10:54:10PM +0000, davidson wrote: > >> In case you wish to obscure what software you *install*, but need >> not conceal the software you *download*: >> >> Step one: Make a list of the packages you want, and then augment >> it with as many plausible alternatives and red herrings as you >> like. >> >> Step two: $ apt-get -d install <many packages> >> >> This downloads the packages only, so you can download packages you >> will *not* install, along with ones you will. Then install the >> proper subset you want installed, without the '-d' option. > > I'm at a loss as to what threat model this is supposed to protect > against. My guess is that it's supposed to make it harder for people to guess what exploits your computer may be vulnerable to, by obfuscating which of the various packages you downloaded are actually installed and therefore potentially in use. <snip> > Now, personally I don't feel this is a threat model that I need to > worry about. I just use plain old http sources at home, and if > "They" learn that I've downloaded rxvt-unicode and mutt, well, good > for Them. My understanding is that mandating HTTPS for all connections is supposed to make it so that those who might be watching can't treat the choice by the user to connect via HTTPS as a sign that the user has something to hide, and therefore is worth observing more closely. I seem to remember having seen suggestions that some regimes might even prohibit the use of HTTPS entirely, so as to ensure that they can spy on their subjects' connections, and that such a prohibition would be less practical for them to impose if everything requires HTTPS. I'm not sure about the real-world basis for that, however. -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
Attachment:
signature.asc
Description: OpenPGP digital signature