On Thu, Mar 05, 2020 at 06:45:04PM +0000, Mark Fernandes wrote:
> On Thu, 5 Mar 2020 at 18:21, Chris Laprise <[email protected]> wrote:
>
> > On 3/5/20 7:31 AM, Mark Fernandes wrote:
> > > I want to get a genuine copy of Qubes, from here in the UK (United
> > > Kingdom).
> > >
> > > The only way described on the Qubes website at present, appears to be
> > > to download the ISO.
> > >
> > > I have the classic security problem described on the website
> > > <https://www.qubes-os.org/doc/install-security/>, where not having a
> > > trustworthy machine, means that I have a never-ending chain of trust
> > > issues for each machine that I use in the obtaining of the software.
> >
> > Many of us work with a threat model that assumes at least some computers
> > available by retail are not compromised "out of the box", or else if
> > compromised then not at the BIOS/UEFI firmware level. For this model,
> > verifying the Qubes ISO with gpg is acceptable.
> >
>
> Hello Chris,
>
> I've only heard of gpg as a binary running over an operating system. Is it
> available as something you can run directly off bootable media?
>
> In any case, you still need to ensure that gpg hasn't been compromised. If
> it has to run off an OS, that OS needs to have not been compromised. If you
> need to download gpg, the OS which you use for downloading gpg has to be
> not compromised. The website doesn't appear to address these issues. The
> security Qubes OS offers may be great. But getting from a position where
> you don't have Qubes OS at all, to having Qubes OS installed, appears to be
> a serious security concern.
>

What is your threat model? What do you trust?

Download multiple live distros on different machines, not traceable to
you, some via Tor. Cross validate the iso images.
Boot on assorted machines, and use assorted gpg to verify assorted Qubes
images.

I would suggest you validate gpg code for yourself and compile a binary
to use, but why trust the compiler? (Ken Thompson)

At some stage you hit bottom - if you don't, your security concerns are
not serious.
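
Added example, not part of the original message: one way to carry out the "cross validate the iso images" step above is to hash each copy fetched over a different channel and confirm that every digest matches. The channel labels and file paths are assumptions, and agreement only shows that every channel delivered the same bytes, so the gpg signature check discussed in the thread still follows.

```python
"""Cross-check copies of one ISO fetched over independent channels."""
import hashlib
import sys
from collections import defaultdict


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images do not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def cross_validate(copies):
    """copies maps a channel label (hypothetical names) to a local file path.

    Returns (agree, groups): agree is True only when at least two copies
    were supplied and every one hashes to the same value; groups maps each
    digest seen to the sorted channel labels that produced it.
    """
    groups = defaultdict(list)
    for label, path in copies.items():
        groups[sha256_file(path)].append(label)
    groups = {d: sorted(labels) for d, labels in groups.items()}
    agree = len(copies) >= 2 and len(groups) == 1
    return agree, groups


def main(argv):
    # Usage: crosscheck.py label=path label=path ...
    copies = dict(arg.split("=", 1) for arg in argv)
    agree, groups = cross_validate(copies)
    # Largest group first, so an outlier copy stands out at the bottom.
    for digest, labels in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{digest}  {', '.join(labels)}")
    if not agree:
        print("MISMATCH or too few copies: do not use any of these images yet")
        return 1
    print("all copies agree; next step is the gpg signature check")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```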
