On 2017-03-14 16:41, Chris Laprise wrote:
> On 03/14/2017 05:19 PM, cubit wrote:
>> 14. Mar 2017 04:39 by [email protected]:
>>
>> GPG is sufficient for verification, although using HTTPS would
>> conceal which software packages you are using
>>
>>
>> GPG does not protect against a MITM downgrade attack to a validly
>> signed but older vulnerable version of a piece of software
>>
>
> [...] Fedora *unfortunately* is the black sheep here. It doesn't
> sign a repo file, therefore an attacker can hold back individual
> packages within what appears to the user as a stream of normal
> update cycles.
>
Downloading updates over Tor mitigates this risk (which is a single-click affair from the Qubes installer).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
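The thread's point is that a valid package signature says nothing about freshness. The following is an added example, not part of the original messages or of any Qubes or Fedora tooling: a client-side check that compares a newly fetched package list against the last one seen (downgrade, stale metadata) and against a list obtained over an independent path (held-back packages). The snapshot layout, function names, package versions and the 7-day limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def vkey(version):
    # Simplified ordering on numeric fields (assumption). Real RPM/dpkg
    # comparison also handles epochs, letters and '~'.
    return tuple(int(p) for p in version.replace("-", ".").split("."))

def check_snapshot(previous, current, now, max_age=timedelta(days=7)):
    """Compare a fresh snapshot with the last one this client accepted."""
    findings = []
    if current["generated"] < previous["generated"]:
        findings.append(("metadata-rollback", None))
    if now - current["generated"] > max_age:
        findings.append(("metadata-stale", None))
    for name, old in sorted(previous["packages"].items()):
        new = current["packages"].get(name)
        if new is None:
            findings.append(("package-missing", name))
        elif vkey(new) < vkey(old):
            findings.append(("package-downgrade", name))
    return findings

def held_back(mirror, reference):
    """Packages the mirror offers at an older version than a reference
    snapshot fetched over an independent path (for example via Tor)."""
    return sorted(
        name for name, ref in reference["packages"].items()
        if name in mirror["packages"]
        and vkey(mirror["packages"][name]) < vkey(ref)
    )

# Constructed sample data, not taken from any real repository.
T0 = datetime(2017, 3, 1, tzinfo=timezone.utc)
PREVIOUS = {"generated": T0,
            "packages": {"openssl": "1.0.2-3", "kernel": "4.9.12-1"}}
MIRROR = {"generated": T0 + timedelta(days=10),
          "packages": {"openssl": "1.0.2-2", "kernel": "4.9.13-1"}}
REFERENCE = {"generated": T0 + timedelta(days=10),
             "packages": {"openssl": "1.0.2-4", "kernel": "4.9.14-1"}}

if __name__ == "__main__":
    print(check_snapshot(PREVIOUS, MIRROR, now=T0 + timedelta(days=11)))
    print(held_back(MIRROR, REFERENCE))
```

The first check needs only local state, so it catches a downgrade but not a package that is merely never advanced; the second check is what covers the hold-back case described in the quoted message.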
