It's specifically in the handling of a Thunderbolt device, not just any USB device. If a Thunderbolt device is automatically authenticated, it does improve the usability at the expense of security.
A nefarious Thunderbolt device can trivially perform a DMA attack if automatically authorized in a situation where DMA mitigation such as an IOMMU (VT-d) is not used.
Until there is a guarantee of DMA mitigation presence (which is going to be coming in 4.21 and a newer version of bolt), it's much safer to adjust to prompt for authorization or open a notification to do so.
I feel that if this change is included, Canonical's security team should review it as well.
My personal opinion aligns with YC actually.
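An added check (example code, not bolt's own) for the condition the comment above describes: it reads the Thunderbolt attributes the mainline Linux kernel exposes under sysfs, assumed to be `security` and `iommu_dma_protection` per domain and `authorized` per device, and flags any device that is authorized while its domain reports no IOMMU DMA protection. The sysfs tree it runs against is constructed in the script so it works without Thunderbolt hardware.

```python
# Added example, not from bolt or the kernel: audit Thunderbolt authorization
# against IOMMU DMA protection using the sysfs layout assumed in the lead-in.
from pathlib import Path
import tempfile


def _read(path, default=""):
    """Read a sysfs attribute, returning `default` when the kernel does not expose it."""
    return path.read_text().strip() if path.exists() else default


def assess(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Return {domain: {security, dma_protected, exposed_devices, risky}}."""
    report = {}
    for domain in sorted(Path(sysfs_root).glob("domain*")):
        security = _read(domain / "security", "unknown")
        # Attribute missing on kernels predating it: treat as unprotected, not unknown.
        dma_protected = _read(domain / "iommu_dma_protection", "0") == "1"
        exposed = []
        for dev in sorted(domain.glob("*-*")):      # routers are named "<domain>-<route>"
            if dev.name.endswith("-0"):             # route 0 is the host router itself
                continue
            if _read(dev / "authorized", "0") != "0" and not dma_protected:
                exposed.append(f"{dev.name} ({_read(dev / 'device_name', '?')})")
        report[domain.name] = {
            "security": security,
            "dma_protected": dma_protected,
            "exposed_devices": exposed,
            # "none" means firmware authorizes everything, so no IOMMU => exposed regardless
            "risky": (security == "none" and not dma_protected) or bool(exposed),
        }
    return report


def build_sample_tree():
    """Construct a fake sysfs tree (sample data, not a real machine) and return its path."""
    root = Path(tempfile.mkdtemp())
    layout = {
        "domain0/security": "user", "domain0/iommu_dma_protection": "0",
        "domain0/0-1/authorized": "1", "domain0/0-1/device_name": "Dock",
        "domain0/0-3/authorized": "0", "domain0/0-3/device_name": "Unknown Disk",
        "domain1/security": "secure", "domain1/iommu_dma_protection": "1",
        "domain1/1-1/authorized": "2", "domain1/1-1/device_name": "Display",
    }
    for rel, value in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")
    return root


if __name__ == "__main__":
    for name, info in assess(build_sample_tree()).items():
        print(name, info)
```

Run without arguments `assess()` reads the live sysfs; a non-empty `exposed_devices` list is the situation the comment warns about.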