On Mon, May 30, 2016 at 03:49:44PM +0200, HW42 wrote:
> Andrew David Wong:
> > A new announcement, "Security challenges for the Qubes build process,"
> > has just been posted on the Qubes website:
> > 
> > https://www.qubes-os.org/news/2016/05/30/build-security/
> 
> It seems my partially related patch [0] got lost.

Indeed, applied. Thanks!

> I think it would be a good idea to centralize the download and
> verification step. I.e. a component only indicates that it wants to
> download $url and what key/sha2sum should be used for verification and
> qubes-builder does the download and verification. This way there would
> be only one place to audit the download verification. What do you think?

Generally it looks like a good idea, but practically it would be quite
complex, as almost every component (upstream project) has a slightly
different approach: sometimes they have .sig files (Xen), sometimes .asc
(Libvirt), sometimes the signature is on the uncompressed content (Kernel),
and so on. And sometimes the approach is changed between versions.
It will turn into a big pile of per-component cases, something even
harder to maintain.
This is why we've introduced the verify-sources target, but as noted in
the above post, source verification should be integrated into the
get-sources target.

> > We would be very happy to accept community patches for this so that it
> > can be implemented before the upcoming Qubes 3.2 release.
> 
> What is the (rough) schedule for 3.2?

There are still a few blockers (see GitHub issues), but we hope to resolve
them somehow this week and have 3.2-rc1 shortly after. From this point,
the final 3.2 will probably be in two months.

> HW42
> 
> 
> [0]: https://groups.google.com/d/msgid/qubes-devel/564FB7B1.4020809%40ipsumj.de
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
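
An added example, not part of the original thread and not qubes-builder code: the single verification step HW42 proposes, where a component only declares a file name and a pinned SHA-256, with a flag for the case Marek raises in which verification covers the uncompressed content. `SourceSpec`, `verify_source` and the size cap are hypothetical names and values, a digest stands in for the upstream signature, and .sig/.asc signature checking is not covered.

```python
import gzip
import hashlib
import re
import zlib
from dataclasses import dataclass

MAX_UNCOMPRESSED = 64 * 1024 * 1024  # assumed cap on data inflated before it is verified

class VerificationError(Exception): pass

@dataclass(frozen=True)
class SourceSpec:
    """Hypothetical per-component declaration: file, pin, what the pin covers."""
    filename: str
    sha256: str
    over_uncompressed: bool = False  # pin covers the decompressed content

def verify_source(spec: SourceSpec, data: bytes) -> bytes:
    """The single place to audit: return data only if it matches the pin."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", spec.sha256):
        raise VerificationError(f"{spec.filename}: missing or malformed sha256")
    payload = data
    if spec.over_uncompressed:
        # Inflating unverified bytes: bound the output and fail closed.
        inflater = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
        try:
            payload = inflater.decompress(data, MAX_UNCOMPRESSED)
        except zlib.error as exc:
            raise VerificationError(f"{spec.filename}: not valid gzip") from exc
        if inflater.unconsumed_tail or not inflater.eof:
            raise VerificationError(f"{spec.filename}: truncated or too large")
    if hashlib.sha256(payload).hexdigest() != spec.sha256.lower():
        raise VerificationError(f"{spec.filename}: sha256 mismatch")
    return data

def demo() -> dict:
    """Constructed inputs: a plain file and a gzip pinned by its content."""
    plain, inner = b"constructed tarball", b"constructed kernel source"
    ok = SourceSpec("a.tar", hashlib.sha256(plain).hexdigest())
    gz = SourceSpec("b.tar.gz", hashlib.sha256(inner).hexdigest(), True)
    results = {}
    for name, spec, data in [("plain", ok, plain), ("tampered", ok, plain + b"!"),
                             ("inner", gz, gzip.compress(inner))]:
        try:
            results[name] = verify_source(spec, data) == data
        except VerificationError:
            results[name] = False
    return results
```

The `over_uncompressed` branch is the only per-component variation handled here; each further upstream convention would add another branch to the same function, which is the maintenance cost the reply describes.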