On 12/28/2016 07:39 AM, john.david.r.smith wrote:
currently when i have qubes and need a new image (e.g. to
reinstall/install on a new machine), i need to download the image from
qubes-os.org and then check the signature.
this may be a source of errors for some users, or even insecure
(mitm + exchanging the master signing key information on the website +
patching the downloaded image).
also checking signatures manually should unnecessary since a package
manager is build to do such stuff.
i would propose to add the qubes-images as packages to the repos.
maybe you could get other official repos to add them, too.
(debian (+ubuntu), fedora and arch should reach a significant portion
of the linux users)
also: is the public qubes master signing key somewher in dom0?
in case a user has not saved it, this could circumvent the problem of
an mitm exchanging the information about the signing key
-john
I would support a version of this idea: A built-in downloader script
that can perform the download of an .iso and then verify it against the
key built into Qubes. A brief message could be displayed warning the
user to only download + burn isos where there is no suspicion that the
system has been breeched.
Chris
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/23c2671d-ee80-b5a0-ac19-0a7feb4781d7%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.