On Sat, 15 Apr 2023 Greg Wooledge wrote:
> On Sat, Apr 15, 2023 at 10:54:10PM +0000, davidson wrote:
>> In case you wish to obscure what software you *install*, but need not
>> conceal the software you *download*:
>> Step one: Make a list of the packages you want, and then augment it
>> with as many plausible alternatives and red herrings as you like.
>> Step two:
>> $ apt-get -d install <many packages>
>> This downloads the packages only, so you can download packages you
>> will *not* install, along with ones you will. Then install the proper
>> subset you want installed, without the '-d' option.
>
> I'm at a loss as to what threat model this is supposed to protect
> against.
The answer to *that* question was written on the tin.
Instead, you mean to question the existence of actors who *do* care
what some administrator installs, but do not care what they download.
An entirely fair question. Their existence is a logical possibility.
Since you ask, I don't think their presence is inconceivable.
Ritter wrote...
"It's nice not to be telling everyone who can sniff a plaintext
connection which packages you are installing"
I consider it an interesting problem.
> In the obvious one ("Comrade Davidson has downloaded package A. Let's
> bump up the priority of his surveillance."), downloading flagged package A
> *and* possibly-flagged package B is just going to make your situation
> worse, not better.
I explicitly stated, twice (both from the start, and at the conclusion
trimmed by you) that the method does NOT apply to such a threat model.
So here you have helpfully provided a hypothetical narrative to
illustrate a point I wished to make extremely clear.
> Now, personally I don't feel this is a threat model that I need to
> worry about. I just use plain old http sources at home, and if
> "They" learn that I've downloaded rxvt-unicode and mutt, well, good
> for Them.
We do not seem to be having an argument.
--
Hackers are free people. They are like artists. If they are in a good
mood, they get up in the morning and begin painting their pictures.
-- Vladimir Putin