On 8/8/20 10:20 AM, fiftyfourthparal...@gmail.com wrote:
> So the new overview of the script is: have a dedicated (and hardened?)
> tor VM --basically, whonix-ws-- download the metadata from a few mirror
> sites, compare them to the metadata from Tor, and if all checks out,
> compare the tor version to the packages installed in dom0. If it doesn't
> check out, alert user and ask whether to proceed. To do this entirely in
> dom0 (keeping it safe and simple for a newbie at programming), I'm going
> to use qvm-run with --pass-io somewhere in my script, along with
> something to read the whonix output and run cross checks.

Just an idea: Use the Qubes Security Bulletins as your reference for
checking package versions:

https://www.qubes-os.org/security/pack/

These bulletins are signed txt files, which makes them secure. The
difficult part would be parsing the QSBs themselves but I wonder if
Qubes devs would agree to a standard format going forward to make it
easier + reliable.

A concern: I've noticed that a lot of Qubes mirrors are often offline.
Would this create vulnerabilities?
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
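
The following is an added example, not part of the original message or of any Qubes tooling: a sketch of the cross-check step described in the quoted text, written so that an offline mirror counts as a missing answer rather than as agreement. The function name, the `min_agree` threshold and the sample bytes are assumptions; fetching (for instance through `qvm-run --pass-io`) is left to the caller.

```python
import hashlib

# Constructed sample inputs (not real repository metadata).
SAMPLE_CURRENT = b"<repomd><revision>1596880000</revision></repomd>"
SAMPLE_OTHER = b"<repomd><revision>1596000000</revision></repomd>"


def cross_check(tor_copy, mirror_copies, min_agree=2):
    """Compare metadata fetched over Tor with copies fetched from mirrors.

    tor_copy:      bytes, or None if the fetch over Tor failed.
    mirror_copies: dict of mirror name -> bytes, or None if that mirror
                   was offline or the download failed.
    min_agree:     hypothetical threshold; how many mirrors must answer
                   and match before the result counts as "ok".

    Returns (verdict, detail) with verdict one of
    "ok", "mismatch", "insufficient".
    """
    if tor_copy is None:
        return "insufficient", "no copy obtained over Tor"

    reference = hashlib.sha256(tor_copy).hexdigest()
    # Only mirrors that actually answered take part in the comparison.
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in mirror_copies.items() if data is not None}
    offline = sorted(n for n, d in mirror_copies.items() if d is None)

    differing = sorted(n for n, h in digests.items() if h != reference)
    if differing:
        return "mismatch", "differs from Tor copy: " + ", ".join(differing)

    # Silence is not agreement: too few answers means no decision.
    if len(digests) < min_agree:
        return "insufficient", "only %d mirror(s) answered; offline: %s" % (
            len(digests), ", ".join(offline) or "none")

    return "ok", "%d mirror(s) match the Tor copy" % len(digests)


if __name__ == "__main__":
    print(cross_check(SAMPLE_CURRENT,
                      {"mirror-a": SAMPLE_CURRENT, "mirror-b": None}))
```

A mirror that has not synced yet also produces "mismatch", so both non-"ok" verdicts are prompts for the user, as in the quoted plan, rather than proof of tampering.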