On Wed, Mar 11, 2020 at 06:53:58PM +0100, dhorf-hfref.4a288...@hashmail.org wrote:
> On Wed, Mar 11, 2020 at 10:46:12AM -0700, redpoll...@gmail.com wrote:
> > I've downloaded some ubuntu templates with the .rpm extension.  I have been 
> > told by someone that I need to put the rpm file into dom0 and then install 
> > via cli with dnf etc.
> 
> this means you are giving the person who created those rpms or anyone
> who managed to compromise their build process or storage/distro chain
> full root access in your dom0 == full control over the whole system.
> 
> "not recommended"
> 

I provide Ubuntu templates - have done for years. I don't know if these
are mine.
I provide pre-built Qubes packages for Ubuntu too, at https://qubes.3isec.org
I *always* recommend building your own, but there are users who want to
try them out or don't think they are able to use QubesBuilder - for those
people - "recommended" (with or without quote marks)

Let's dig into your comment a bit -
Compromise the build process - are you aware of new issues in the QubesBuilder 
process? 
Compromise storage/distro chain - Nothing is trusted here - the
infrastructure is never trusted.

*Any* package to be installed in dom0 should be signed, and it's for users
to determine whether they choose to trust the signer, in awareness of
the risk.
Don't underestimate it, but don't exaggerate either.


And for anyone wondering about OP's original questions, dom0 has dolphin
file manager.

You can verify the signature on a package using `rpm -K `.
`rpm -qpi ` will show you the keyID used to sign the package.
You should verify the key from multiple sources.

If you are satisfied, then you may be prepared to copy the package into
dom0.
If you have downloaded in /home/user/Downloads on "dload", and package is
"foo.rpm", the canonical way to do this is:
qvm-run -p dload 'cat /home/user/Downloads/foo.rpm' > foo.rpm

Then verify the package again, and install as you will, with 
`dnf install foo.rpm`
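
The signature check described in the message above can be scripted in dom0. This is an added example, not part of the original message: it assumes the per-line `rpm -Kv` output format shown in the constructed samples, and `check_rpm_sig`, `verify_rpm` and the key ID `0a1b2c3d` are hypothetical names and values. It fails closed on a package with intact digests but no signature, a case in which plain `rpm -K` still exits successfully.

```shell
#!/bin/sh
# Added example (not from the original post). Sample output and key IDs are constructed.

# check_rpm_sig EXPECTED_KEYID   (reads `rpm -Kv FILE` output on stdin)
# Succeeds only if at least one signature line exists, every signature line
# is "OK", and every one was made by EXPECTED_KEYID. Digest-only output fails.
check_rpm_sig() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '
        /Signature, key ID/ {
            seen = 1
            id = $0;     sub(/.*key ID /, "", id); sub(/:.*/, "", id)
            status = $0; sub(/.*: */, "", status); sub(/[ \t\r]+$/, "", status)
            if (tolower(id) != want || status != "OK") bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# verify_rpm FILE EXPECTED_KEYID: run in dom0 before installing.
verify_rpm() {
    rpm -Kv "$1" | check_rpm_sig "$2"
}

# Constructed `rpm -Kv` output: signed, unsigned, and signed by a key not in the rpm keyring.
sample_signed() { cat <<'EOF'
foo.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    MD5 digest: OK
EOF
}
sample_unsigned() { cat <<'EOF'
foo.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
EOF
}
sample_nokey() { cat <<'EOF'
foo.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0a1b2c3d: NOKEY
    Header SHA1 digest: OK
EOF
}

sample_signed   | check_rpm_sig 0A1B2C3D && echo "signed by expected key"
sample_unsigned | check_rpm_sig 0a1b2c3d || echo "rejected: no signature present"
sample_nokey    | check_rpm_sig 0a1b2c3d || echo "rejected: key not imported"
```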
