
Recent Security Guide apt-get updating changes

There are a few problems with:

It makes an assumption that is wrong. Based on the wrong assumption, everything that follows is also wrong.

Debian has a distribution channel that provides security updates only so that administrators can choose to run a stable system with only the absolute minimum of changes.
This is wrong, see: https://lists.debian.org/debian-security/2013/11/msg00019.html

But considering making that change is good anyway. Someone else could reach the same conclusion as you did and run only with security.debian.org, and therefore be vulnerable. Actually the advice would have to be the other way around - do not remove the Debian stable mirror, as per the linked debian-security mailing list thread.

I read
Please use passive, non-personal instead.

(Unless it is a work of opinion which is marked by name.) I know the wiki may still be doing that, but this is a bug:
https://github.com/Whonix/Whonix/issues/61

Security updates are spread immediately, without the delay incurred by mirror updates (which can add about 1 day of propagation time).
Reference required.
Mirrors can go stale. Direct distribution avoids that problem.
What do you mean by "Direct distribution"? How does "Direct distribution" avoid the problem?
If an attacker managed to upload a malicious package somewhere
Then apt-get would reject it - unless they have also stolen debian-archive-keyring or broken gnupg.
Using
-o Acquire::Check-Valid-Until=false
with apt is a bad idea. It disables release file validation. Won't counter stale mirrors. Will make them go unnoticed. http://manpages.debian.org/cgi-bin/man.cgi?&query=apt.conf
I don't think it is useful to document a negative list of things. There are many more options you can use to screw up security in apt-get, such as disabling gpg verification. And generally speaking, doing copy and paste of commands in a forum without second guessing them is also a bad idea.

We’re implicitly covering this here:
https://www.whonix.org/wiki/DoNot#Don.27t_change_settings_if_you_don.27t_know_their_consequences.
Maybe it could be extended a bit to suggest to second guess what others say in forums or even in Whonix documentation and to read the man page and check if such workarounds really are sane.
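
The stale-mirror point raised above, as an added example that is not part of the original thread and is not apt's own code: a simplified model of the `Valid-Until` expiry decision on a Release file, showing that turning the check off lets expired metadata be accepted silently. The function names and the sample Release header are constructed for illustration; signature verification is a separate step and is not modelled here.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Release header for illustration (not fetched from a real mirror).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sat, 02 Nov 2013 10:00:00 UTC
Valid-Until: Sat, 09 Nov 2013 10:00:00 UTC
SHA256:
 0000 0 main/binary-amd64/Packages
"""  # the indented hash line is a placeholder, not a real digest


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Indented lines belong to the hash lists and are skipped.
        if not line or line[0] in " \t" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def evaluate_release(text, now, check_valid_until=True):
    """Simplified model of the expiry decision; returns (accepted, reason)."""
    raw = parse_release_fields(text).get("Valid-Until")
    if not raw:
        return True, "no Valid-Until field: freshness cannot be judged"
    valid_until = parsedate_to_datetime(raw)
    if valid_until.tzinfo is None:  # treat a zone-less date as UTC
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    if now <= valid_until:
        return True, "within validity period"
    if check_valid_until:
        return False, "expired %s: stale or replayed metadata" % valid_until.isoformat()
    return True, "expired, check disabled: staleness goes unnoticed"


if __name__ == "__main__":
    later = datetime(2013, 11, 20, tzinfo=timezone.utc)
    print(evaluate_release(SAMPLE_RELEASE, later))
    print(evaluate_release(SAMPLE_RELEASE, later, check_valid_until=False))
```
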

I mistakenly posted the entire reply from StackExchange I had referred to in the other thread. I thought you had vetted it and agreed with its conclusions. Given the number of votes I took its information to be valid. It's not me who uses the non-passive sentence tense but the original posted from StackExchange.

Please correct it as you see fit to make sure no wrong information leads to unsafe configurations. I will be more specific in discussing potential documentation changes about things I am not sure about next time.

Link please? I want to re-read to find out where I may have implied that.

It's not me who uses the non-passive sentence tense but the original posted from StackExchange.
We must also obey licenses when using material from third parties.
site design / logo © 2014 stack exchange inc; user contributions licensed under cc by-sa 3.0 with attribution required

Must carefully obey this.

Link please? I want to re-read to find out where I may have implied that.
Here I assumed you read it and were ok with it https://www.whonix.org/forum/index.php?action=post;quote=3435;topic=448.0;last_msg=3449
Must carefully obey this.

Yes, definitely. It's only fair to the writers anyway.
