Hi all,

On 19 January 2018 at 19:32, Marek Marczykowski-Górecki <
[email protected]> wrote:

> 1. After upgrading templates to fedora-26 and debian-9, there is no way
> the installation image will fit on DVD. Right now it takes 4908384256
> bytes. We probably could try to cut it down by eliminating even more
> packages from templates, but I think there are not many non-essential
> packages left there. For example we no longer ship vim in debian-9.
> Right now I see two options:
>  - abandon the goal of fitting the image on DVD (I'd go for this)
>  - exclude some template from default installation...
>

I think it's absolutely critical from a security point of view to provide a
DVD image.  DVDs have two important properties:
(a) They are read-only (once you close the "session"), and
(b) They don't have any microcontrollers in them, so the entire contents of
them can be checked.

Consider the following threat model.  An adversary owns a random subset of my
computers (and my friends' computers).  The adversary does not own the
brand-new laptop I plan to install Qubes on.

In this situation, I can burn a Qubes installer DVD on one (infected)
computer, and then check the hash on several machines.  As long as one
machine is not owned (and is properly configured not to parse anything from
the DVD), then I will be sure that the DVD is the right one.

If I used a USB stick instead, then any of the computers used to check the
image could infect either the data stored on the USB, or the firmware of
the microcontroller inside the USB stick.

Bottom line: please provide a minimal image that fits on a DVD.  It doesn't
need Debian or Whonix, as these can be downloaded later.  The important
thing is to provide a way to bootstrap safely.

Kind regards,
Andrew
