Andrew David Wong:
> A new announcement, "Security challenges for the Qubes build process,"
> has just been posted on the Qubes website:
>
> https://www.qubes-os.org/news/2016/05/30/build-security/

It seems my partially related patch [0] got lost.

I think it would be a good idea to centralize the download and verification step. I.e. a component only indicates that it wants to download $url and what key/sha2sum should be used for verification and qubes-builder does the download and verification. This way there would be only one place to audit the download verification.

What do you think?

> We would be very happy to accept community patches for this so that it
> can be implemented before the upcoming Qubes 3.2 release.

What is the (rough) schedule for 3.2?

HW42

[0]: https://groups.google.com/d/msgid/qubes-devel/564FB7B1.4020809%40ipsumj.de
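
An added example, not part of the message above and not qubes-builder code: one way the centralized step it proposes could look, with each component declaring only a URL, a file name and a pinned SHA-2 digest while a single function fetches, verifies and publishes. The names `SourceSpec`, `fetch_verified` and `VerificationError`, the declaration format, and the injected `fetch` callable (which stands in for the real download so the example runs offline) are assumptions; key-based signature verification is left out.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Callable

# Accepted SHA-2 variants, selected by the length of the pinned hex digest.
_SHA2_BY_HEXLEN = {64: hashlib.sha256, 128: hashlib.sha512}


class VerificationError(Exception):
    """A source was rejected; nothing was published for the build to use."""


@dataclass(frozen=True)
class SourceSpec:
    # Hypothetical declaration a component would hand to the builder.
    url: str
    filename: str
    sha2: str  # pinned hex digest (SHA-256 or SHA-512)


def fetch_verified(spec: SourceSpec, dest_dir: str,
                   fetch: Callable[[str], bytes]) -> str:
    """The single place to audit: fetch, hash, compare, then publish."""
    if spec.filename in ("", ".", "..") or os.path.basename(spec.filename) != spec.filename:
        raise VerificationError(f"unsafe file name: {spec.filename!r}")
    expected = spec.sha2.strip().lower()
    algo = _SHA2_BY_HEXLEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise VerificationError(f"malformed digest for {spec.url}")
    data = fetch(spec.url)
    actual = algo(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"digest mismatch for {spec.url}: got {actual}")
    # Write under a temporary name, then rename: no partial file at the final path.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    final = os.path.join(dest_dir, spec.filename)
    os.replace(tmp, final)
    return final


# Constructed sample input: an in-memory "mirror" standing in for the network.
SAMPLE_URL = "https://example.invalid/foo-1.0.tar.gz"
SAMPLE_TARBALL = b"constructed sample tarball contents\n"
SAMPLE_MIRROR = {SAMPLE_URL: SAMPLE_TARBALL}
```

Because the digest is checked before anything is written under `spec.filename`, a component's later build steps cannot pick up a file that failed verification.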
