Hi, Is there an accepted way to perform commit and archive verification independently from the download process in qubesbuilder v2? Looking at the fetch scripts it seems like both steps are combined. Even if it’d be executed in a dvm, it feels like it breaks the Qubes security model for a qube with internet access to enforce signature verification on code that will eventually (after compilation and packaging) be transferred to dom0. Ideally what I’d like to do is download and verify once on an internet-connected qube, transfer sources to the airgap development environment via qvm-copy, and then verify again before building.
Best, Alex -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/BCD3C91F-575C-4ECD-A887-8ED246150F2A%40alex0.net.
