Phil Morrell <deb...@emorrp1.name> writes:

> Package: task-laptop
> Version: 3.53
> Severity: wishlist

> I'm not sure on the difference between auto-apt-proxy and
> squid-deb-proxy-client. Avahi is already pulled in by task-laptop.

Please do not do this. I do not want to have to reason about the security impact of someone who controls local DNS taking over my apt sources. I understand that people believe that this is harmless because of apt signature checking, but it still opens more attack paths and routes to exercise other possible vulnerabilities.

The safe default for Debian in any standard installation mode, which I believe includes tasks, is to talk explicitly to Debian infrastructure.

If people would like to improve local performance, they should automate the configuration of the machines that they control, with the permission and understanding of the people who are using those machines. We should not enable people who control the local network but not the Debian system to dynamically change security-relevant configuration of that system, which I believe includes apt sources, without explicit permission.

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>