Regarding the /var/log/apt/history.log permissions

Dear Community,

I would like to address concerns about the history.log file and its content in relation to sensitive user information.

It is important to note that the history.log file does not contain user inputs, except for the command used to install packages.

While it is true that part of the current system package composition can be found in the history.log file, it is also accessible in the /var/lib/dpkg/status database. As a result, any vulnerabilities discovered by scanning package versions can be discovered more easily by utilizing the dpkg database.

We are considering introducing an apt history command, similar to dnf, in the future. However, since APT does not maintain a database like other package managers, the command will use the machine-readable history.log file. Therefore, having the file not world-readable would create a sub-optimal user experience.

We will continue to evaluate our options and keep you updated on any changes. Thank you for your understanding and support.