On 01/06/2017 06:24 AM, Andrew David Wong wrote:
It sounds like you may be focusing exclusively on the hypothetical
example at the expense of the general point, but for the sake of
discussion:
If the Qubes Project is not authoring some of the packages, it
sounds unlikely to work as a primary step in verifying integrity.
This may /necessarily/ be true until the upstream suppliers for
dom0 change.
I don't see why. Maybe we're thinking of different things. Here's the
general idea:
https://github.com/QubesOS/qubes-issues/issues/2524
Assuming GPG is an attack vector (a BIG assumption), I don't think
having users compare hashes with each other over HTTPS links, for
example, is going to suffice in addition to GPG if the former
won't suffice on its own.
It's not supposed to. The idea is that hashing with minimal
pre-parsing is a safe first-pass that mitigates (but does not
eliminate) the risk of GPG verification (with pre-parsing). GPG
verification is not replaced; it's still required.
If neither GPG nor 'collaborative hashing' is considered safe on its
own, and if GPG is a supposed attack vector, then the weaknesses of the
two procedures could *increase* risk instead of canceling it out.
This 'great new idea' may be unique for good reasons, the primary one
being that simple GPG verification is considered safe.
We would need some way of obtaining upstream packages without any
invocation of GPG and then verify them somehow without invoking
GPG.
That's the whole idea. Roughly:
1. Download <package>.
2. $ sha512sum <package>.
3. Check hash.
If match:
4. $ gpg --verify <package>.
If no match:
5. $ rm <package>.
What happens if you're the first one to hash a package? You don't get to
use GPG at all? Or the order gets reversed... GPG is used before hashing
and exploit might ensue?
Is the hash uploaded before or after running GPG?
After that point (assuming at least some packages will need to be
compiled) we need to deal with the much more real threat of the
/compiler/ being targeted for attack.
This seems like an orthogonal threat that exists either way, though.
It doesn't really exist either way, does it? A big reason why I'm
debating the thinking behind this is that its based on a low-quality
assessment done here:
https://groups.google.com/d/msg/qubes-devel/TQr_QcXIVww/SHLNsoPgWTAJ
That is the whole 'I don't trust GPG' rationale right there. My takeaway
from it could be that verbose mode gives me super-powers of perception
with hardly any effort ...or not.
That is all /prior/ to the step of generating a hash and uploading
it to a database.
--
I will say that if moving away from GPG does turn out to be
warranted (though I'll make a guess that it won't be), I'd suggest
replacing it in the development procedures first before trying it
with general distribution---fundamental changes should be
practiced by developers first.
Indeed, that's why I'm such a fan of this:
https://github.com/QubesOS/qubes-issues/issues/2524
I didn't see where hashes are shared and compared. Are they?
Chris
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/96ccec2c-3a73-17e5-a3c3-9af39c62da3d%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
