On Tue, Dec 20, 2016 at 12:37:21PM -0500, Chris Laprise wrote:
> Regarding the "Alternate Patching Method" using normal apt update: It's
> possible the template was attacked via updates even before the bug was
> announced, or sometime between the Debian announcement and now. The "check
> InRelease" only helps if the attack occurs only during the next update and
> not before. Otherwise, the user has no way of knowing if their template has
> been compromised before doing this special update procedure.
> 
> Replacing the template as described in "Patching" section provides much more
> certainty.

Yes, exactly, both are true. This is why for more trusted templates it
is recommended to replace them. And why this method is the primary one.

But for less trusted (like those you may assume to be compromised
anyway) it's ok to use the "alternative" method. For example I have one
template which I use only for stuff distributed as not signed tarballs
only. I'm fairly sure there were far easier methods to compromise this
template in the past. And I use it only for some testing VMs.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
