Hey all! I know Qubes [assumes trust on the Fedora maintainers](https://doc.qubes-os.org/en/latest/developer/system/security-critical-code.html#buggy-code-vs-backdoored-code), but I'm wondering if there is value in keeping Fedora repositories and its signing key enabled in dom0 after the respective version's EOL, especially by default.
As I understand it, the TCB code installed in dom0 is kept up to date via Qubes-controlled repositories. From what I've seen, by the time Qubes 4.2 (and likely also 4.3) comes out, its Fedora version is already EOL. The only use-case I see for wanting this repo after install is to be able to add additional dom0 packages (which is generally discouraged). Qubes' trust on the Fedora maintainers is not being put into question. The problem I'd like to highlight is that key holders may not have the same level of care about assumed-EOL signing keys: there could be a perceived risk difference between EOL keys and current keys. This could be as simple as not considering it necessary to do a key compromise disclosure for EOL keys (should it ever happen), under the assumption that nobody would be affected, whereas in fact Qubes users would be even more affected than they are by active Fedora release keys.

To summarize, I see the risks as (1) having dom0 compromised due to a mismanaged EOL key, and the benefits as (2) installing extra dom0 packages and (3) building the Qubes ISO using Fedora repos directly (which I have not checked if it's actually needed). Unless I'm missing a use-case for dom0's Fedora repos, I think this is a risk worth mitigating. Here are some mutually-exclusive proposed solutions:

- Disable the Fedora repo in dom0 for 4.3 and its key by default — advanced users who want to install additional dom0 software would be able to, by enabling the repo and importing its (already-present) key. This would still expose risks during the ISO building process (assuming packages are installed from Fedora and not built from source).
- Mirror the dom0 Fedora repository, but re-sign all artifacts with a Qubes key — under the assumption that Qubes releases always ship an EOL Fedora, this would be a once-per-minor-release operation: essentially a trusted snapshot of every package's state.

Would this be something that makes sense for Qubes?
Cheers, deeplow
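As an added illustration of the first proposal (this is example code, not part of deeplow's post or of Qubes itself): a small POSIX sh audit that reads a dnf/yum `.repo` file, reports sections that are still enabled while trusting a Fedora release signing key, and prints a hardened copy with that section set to `enabled=0`. It assumes the standard INI-style `.repo` layout and Fedora's `RPM-GPG-KEY-fedora-<version>-primary` key naming; the sample repo file, section names and version number are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: find enabled repos that trust a Fedora
# release key, and emit a hardened copy with the Fedora section disabled.
# Assumes INI-style .repo files and Fedora's RPM-GPG-KEY-fedora-<ver>-primary
# key naming. All sample content below is constructed.

# list_enabled_fedora_keyed FILE: prints "<section> <gpgkey>" for each section
# with enabled=1 whose gpgkey points at a Fedora release key (the weak state).
list_enabled_fedora_keyed() {
    awk '
        function flush() {
            if (sec != "" && en && key ~ /RPM-GPG-KEY-fedora-[0-9]+/) print sec, key
        }
        /^\[/             { flush(); sec = substr($0, 2, length($0) - 2); en = 0; key = "" }
        /^enabled[ \t]*=/ { v = $0; sub(/^enabled[ \t]*=[ \t]*/, "", v); en = (v == "1") }
        /^gpgkey[ \t]*=/  { key = $0; sub(/^gpgkey[ \t]*=[ \t]*/, "", key) }
        END               { flush() }
    ' "$1"
}

# disable_section FILE SECTION: prints FILE with enabled=0 inside SECTION (the
# proposed default); the gpgkey line stays so it can be re-enabled deliberately.
disable_section() {
    awk -v want="$2" '
        /^\[/ { cur = substr($0, 2, length($0) - 2) }
        cur == want && /^enabled[ \t]*=/ { print "enabled=0"; next }
        { print }
    ' "$1"
}

# sample_repo_file: writes a constructed .repo file and prints its path.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[qubes-dom0-current]
name=Qubes dom0 repository (constructed sample)
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-sample
[fedora]
name=Fedora (constructed sample of an EOL release)
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-primary
[fedora-debuginfo]
name=Fedora debuginfo (constructed sample, already disabled)
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-primary
EOF
    echo "$f"
}
```

Run `list_enabled_fedora_keyed "$(sample_repo_file)"` to see only the `fedora` section flagged; `disable_section FILE fedora` produces the copy in which nothing is flagged.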
