On Friday, 7 August 2020 00:13:52 UTC+8, Chris Laprise wrote: > > IIRC that setting refers to checking packages, not the repomd.xml files. > That's why an attacker can't replace packages with their own versions; > they have to manipulate the metadata to hold back packages from > receiving updates. > > -- > Chris Laprise, tas...@posteo.net <javascript:> > https://github.com/tasket > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 >
So as long as I verify that the version numbers of packages in dom0 match those of the actual repo website, I can assume that my dom0 updates have not been tampered with by adversaries? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7dc6bda2-e90f-47d1-a8c2-809cf1d996dco%40googlegroups.com.