A security researcher just found a security bug in APT (the default package manager in PureOS) which can result in arbitrary remote code execution from either a MitM or a compromised repo. There’s also a good PoC video.
One way to defend against this is by using HTTPS instead of HTTP for APT, via installing apt-transport-https. I also noticed this wasn’t installed by default on PureOS (then again, most distros don’t do this either).
Since these devices are affected, I thought I’d share for your security awareness.
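To act on the HTTPS suggestion above, it helps to know which configured sources are still fetched over plaintext HTTP. The script below is an added example, not part of the original post: it audits a one-line-style sources.list file and reports every enabled `http://` entry. The hostnames and the sample file are constructed, and the deb822 `.sources` format is not handled.

```shell
#!/bin/sh
# Added example: report APT sources still fetched over plaintext HTTP.
# Assumes the classic one-line format: deb [options] uri suite components...

# Print "type uri suite" for each enabled entry whose URI starts with http://
find_http_sources() {
    # $1: path to a sources.list-format file
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank line or comment
        $1 != "deb" && $1 != "deb-src" { next }    # not a source entry
        {
            i = 2
            # Skip an optional [option=value ...] block; it may span fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i + 1 <= NF && $i ~ /^http:\/\//) print $1, $i, $(i + 1)
        }
    ' "$1"
}

# Number of plaintext-HTTP entries in the file.
count_http_sources() {
    find_http_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample input (not a real PureOS configuration).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sources
deb http://repo.example.org/os stable main
deb-src https://repo.example.org/os stable main
deb [arch=amd64] http://mirror.example.net/os stable-updates main
  # deb http://disabled.example.org/os stable main
deb [ arch=amd64 signed-by=/usr/share/keyrings/example.gpg ] https://secure.example.org/os stable main
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Plaintext HTTP sources: $(count_http_sources "$sample")"
find_http_sources "$sample"
rm -f "$sample"
```

On a real system, call `find_http_sources /etc/apt/sources.list` and repeat for each file under `/etc/apt/sources.list.d/`. Confirm that a mirror actually serves HTTPS before changing its URI.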