Hi,
On 6 Sep 2019, at 20:14, Roman Mamedov rm@romanrm.net wrote:
Where does the security weak point risk come from? Does apt-transport-tor/onion service repository availability help in your mind here?
As with adding any third-party repository, it means trusting the repository provider to install and run any root-privilege code on the machine. In case the repository server (or actually the release process, including signing) is compromised, on the next update it can serve malicious or backdoored versions of the software. So naturally from the security standpoint it is beneficial to add (and trust) as few repositories as possible, just to reduce the "attack surface".
So one thing Tor could do here is run easily and securely without root?
T