There are a few problems with:
It makes an assumption that is wrong. Based on the wrong assumption, everything that follows is also wrong.
> Debian has a distribution channel that provides security updates only so that administrators can choose to run a stable system with only the absolute minimum of changes.

This is wrong, see: https://lists.debian.org/debian-security/2013/11/msg00019.html
But considering making that change is good anyway. Someone else could come to the same conclusion as you did and run only with security.debian.org, and therefore be vulnerable. Actually the advice would have to be the other way around - do not remove the Debian stable mirror, as per the linked debian-security mailing list thread.
> I read

Please use passive, non-personal instead. (Unless it is a work of opinion which is marked by name.) I know the wiki may still be doing that, but this is a bug:
> Security updates are spread immediately, without the delay incurred by mirror updates (which can add about 1 day of propagation time).

Reference required.
> Mirrors can go stale. Direct distribution avoids that problem.

What do you mean by "Direct distribution"? How does "Direct distribution" avoid the problem?
> If an attacker managed to upload a malicious package somewhere

Then apt-get would reject it - unless they have also stolen debian-archive-keyring or broken gnupg.
> Using -o Acquire::Check-Valid-Until=false with apt is a bad idea.
>
> It disables release file validation. Won't counter stale mirrors. Will make them go unnoticed. http://manpages.debian.org/cgi-bin/man.cgi?&query=apt.conf

I don't think it is useful to document a negative list of things. There are many more options you can use to screw up security in apt-get, such as disabling gpg verification. And generally speaking, doing copy and paste of commands in a forum without second guessing them is also a bad idea.
We’re implicitly covering this here:
Maybe it could be extended a bit to suggest second-guessing what others say in forums or even in Whonix documentation, reading the man page, and checking whether such workarounds really are sane.
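
As an added illustration (not part of the original post, and not apt's own code), the following Python model shows why turning off the Valid-Until check discussed above lets a stale mirror go unnoticed. It assumes the Release file's signature has already been verified; the sample header, dates and function names are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample: header fields of a suite's Release file (not real data).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sat, 09 Nov 2013 10:00:00 UTC
Valid-Until: Sat, 16 Nov 2013 10:00:00 UTC
"""

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_release(text):
    """Return the top-level 'Field: value' lines of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are checksum entries belonging to the previous field.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def timestamp(fields, name):
    """Parse a Release date field into an aware UTC datetime."""
    return datetime.strptime(fields[name], DATE_FMT).replace(tzinfo=timezone.utc)


def evaluate(text, now, check_valid_until=True):
    """Model the freshness decision; returns (verdict, reason)."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return "accept", "no Valid-Until field: freshness cannot be checked"
    if now <= timestamp(fields, "Valid-Until"):
        return "accept", "within validity window"
    age_days = (now - timestamp(fields, "Date")).days
    if check_valid_until:
        return "reject", f"Release expired; metadata is {age_days} days old"
    # Check disabled: the same old, validly signed metadata is used without
    # any error, so security updates published since then are never seen.
    return "accept", f"expiry ignored; {age_days}-day-old metadata used silently"


if __name__ == "__main__":
    now = datetime(2013, 12, 9, 10, 0, tzinfo=timezone.utc)  # constructed clock
    for check in (True, False):
        print(check, evaluate(SAMPLE_RELEASE, now, check_valid_until=check))
```
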