My personal opinion aligns with YC, actually. It's specifically in the handling of a Thunderbolt device, not just any USB device. If a Thunderbolt device is automatically authenticated, it does improve the usability at the expense of security.
A nefarious Thunderbolt device can trivially perform a DMA attack if automatically authorized in a situation where DMA mitigation such as IOMMU (VT-d) is not used. Until there is a guarantee of DMA mitigation presence (which is going to be coming in 4.21 and a newer version of bolt), it's much safer to adjust to prompt for authorization or open a notification to do such. I feel that if this change is included, Canonical's security team should review as well.

https://bugs.launchpad.net/bugs/1800715
Title: Prompt for credential when it shouldn't
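The condition discussed in the comment above (auto-authorization is only defensible when DMA protection is guaranteed) can be checked per Thunderbolt domain. This is an added example, not code from the bug report or from bolt; the `security` and `iommu_dma_protection` sysfs attributes are taken from the Linux kernel's Thunderbolt documentation, and the function names and the `TB_SYSFS_ROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example: report, per Thunderbolt domain, whether automatic device
# authorization is defensible or whether the user should be prompted.
# The sysfs root is a parameter so the logic can be run on a constructed tree.

tb_policy() {
    root="${1:-/sys}"
    found=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        name=$(basename "$dom")
        # Firmware security level, e.g. none, user, secure, dponly
        sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
        # Attribute exists only on kernels that report IOMMU DMA protection;
        # its absence is treated as "no guarantee", never as "protected".
        if [ -r "$dom/iommu_dma_protection" ]; then
            prot=$(cat "$dom/iommu_dma_protection")
        else
            prot=absent
        fi
        if [ "$prot" = "1" ]; then
            echo "$name security=$sec iommu_dma_protection=1 policy=auto-ok"
        else
            echo "$name security=$sec iommu_dma_protection=$prot policy=prompt"
        fi
    done
    [ "$found" -eq 1 ] || echo "no-thunderbolt-domains"
}

# Exit status 0 only when every domain reports DMA protection.
tb_auto_auth_safe() {
    out=$(tb_policy "$1")
    case "$out" in
        *policy=prompt*|no-thunderbolt-domains) return 1 ;;
    esac
    return 0
}

# Stand-alone run: TB_SYSFS_ROOT (hypothetical) overrides the real /sys.
tb_policy "${TB_SYSFS_ROOT:-/sys}"
```

A domain with `security=none` and no DMA protection is the case the comment warns about: any attached device gets DMA with nothing constraining it.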