Russ Allbery <r...@debian.org> writes:

> Please do not do this. I do not want to have to reason about the
> security impact of someone who controls local DNS taking over my apt
> sources.

Incidentally, this is also exactly why I believe we should be using https by default, so that a compromise of the local DNS to point to an untrusted apt server fails at the TLS certificate validation stage rather than continuing on to talk to an untrusted apt server for sufficiently long to start downloading files and checking signatures and thus exposing more attack surface.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>