How does this look?

*Outline of qubes-dom0-update-guard*

*Usage: Use in conjunction with manual dom0 update:*
*sudo qubes-dom0-update -y && qubes-dom0-update-guard*

<START SCRIPT>

Prompt 1: "Please enter the name of a clean VM with access to Tor (e.g. anon-whonix): "
    Check if entered name is a VM
        If false, alert and prompt again
        If true, proceed
    Check if VM has Tor access
        If Tor inaccessible, alert and prompt again
        If Tor accessible, enter input into variable 'VM1' and proceed

Prompt 2: "Please enter the name of a clean, Debian-based disposable VM template with no assigned NetVM: "
    Check if entered name is a VM
        If false, alert and prompt again
        If true, proceed
    Check if VM is a disposable VM template (via qvm-prefs)
        If false, alert and prompt again
        If true, proceed
    Check if VM is based on Debian (via qvm-prefs)
        If false, alert and prompt again
        If true, proceed
    Check if VM has no NetVM assigned (via qvm-prefs)
        If false, alert and prompt again
        If true, enter input into variable 'VM1' and proceed

Start VM1
Retrieve repodata from Onion and HTTPS mirrors
    Alert if fewer than 3 mirrors accessible
        Maybe halt process or give choice to continue?
        Maybe instead alert if a low (predefined) proportion of mirrors is available, since that might indicate trouble
Move repodata files to VM2 (starts VM2)
In VM2, cross-check Onion and HTTPS repodata
    If any are different, alert, list differences, <EXIT SCRIPT>
    If all match, proceed
Write output of dom0 'rpm -qa' or 'yum list installed' to a file, overwriting old version
Copy into VM2 (same folder as repodata)
In VM2, parse and re-write cross-checked Onion repodata into same format as 'rpm -qa' or 'yum list installed' output
    Include newest version of each package only
Cross-check output against dom0 output using same method as for repodata
    If one or more differences, alert (loudly) and list differences, then <END SCRIPT>
    If both match, notify and <END SCRIPT>

I think the part that will pose the biggest challenge to my almost non-existent programming skills is the last part, where I have to write a program that will parse and repackage Onion repodata into a list of the most recent packages. The rest seems workable, especially since I'm using Chris' qubes4-multi-update as a reference for the script, which will be in Python.

On Monday, 10 August 2020 at 21:13:46 UTC+8 fiftyfour...@gmail.com wrote:
> On Monday, 10 August 2020 18:39:53 UTC+8, Andrew David Wong wrote:
>>
>> The QSB formats are actually pretty standardized already, though our
>> expectation has been that they'd be read by humans rather than
>> programmatically. We use a template [1] for the overall structure, and
>> in particular, the "Patching" section always follows this format:
>>
>
> Chris, Andrew,
>
> I'm grateful for your pointers. As a newcomer to programming, I don't
> think I'm ready to integrate bulletin parsing and PGP verification into my
> script. As of right now I'm trying to figure out whether I should use bash,
> sh, or Python to write the script, and I'm using Chris' qubes-scripts and
> qubes-vm-hardening as a reference on how I should proceed. Maybe I'll get
> around to integrating PGP verification into the process, but for now I want
> to focus on the basics.
>
> Besides, don't the bulletins cover only a tiny (though critical) portion
> of the updates dom0 receives? The PGP verification will provide a strong
> additional layer of assurance, but I think cross-checking 'rpm -qa'
> against the onion repodata, which itself has been cross-checked with at
> least three other HTTPS repodata, should suffice for now, given my
> abilities.
>
> Oh, and if someone more proficient at programming than I am (probably
> >90% of the people here) would like to write the script, then by all
> means--I'll take my time and will likely come up with something substandard
> and in need of multiple major revisions. I can still practice even though
> someone else has written it, so please don't think of this little project
> as 'mine' or anything--I'd hate to get in the way of others improving
> Qubes' security.
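As an added example (not part of the original post, and not code from any Qubes project script), here is a Python sketch of the steps the outline calls hardest: keep only the newest version of each package from a yum/dnf `primary.xml`, compare that list against `rpm -qa` output, and check that the repodata fetched from several mirrors agrees before trusting it. The `primary.xml` snippet and the `rpm -qa` lines are constructed samples. The version comparison is a simplified rpmvercmp (assumptions: no tilde/caret handling, and since plain `rpm -qa` output carries no epoch, epoch 0 is assumed for installed packages).

```python
"""Cross-check installed dom0 packages against repodata, and repodata across mirrors.

Added example; assumes standard yum/dnf primary.xml and 'rpm -qa' lines of the
form name-version-release.arch.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed sample primary.xml: two versions of one package, one other package.
SAMPLE_PRIMARY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="3">
  <package type="rpm"><name>example-core</name><arch>x86_64</arch>
    <version epoch="0" ver="4.0.1" rel="1.fc25"/></package>
  <package type="rpm"><name>example-core</name><arch>x86_64</arch>
    <version epoch="0" ver="4.0.10" rel="1.fc25"/></package>
  <package type="rpm"><name>example-utils</name><arch>noarch</arch>
    <version epoch="0" ver="1.2" rel="3.fc25"/></package>
</metadata>
"""

# Constructed sample 'rpm -qa' output (example-utils is behind the repo).
SAMPLE_RPM_QA = """example-core-4.0.10-1.fc25.x86_64
example-utils-1.1-3.fc25.noarch
"""


def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: alnum segments, numeric ones compared as ints.
    Returns -1/0/1. Tilde and caret are not handled (assumption)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # rpm ranks numeric above alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare (epoch, ver, rel) tuples the way rpm orders them."""
    ea, eb = int(a[0]), int(b[0])
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpm_vercmp(a[1], b[1])
    return c if c else rpm_vercmp(a[2], b[2])


def newest_from_primary(xml_text):
    """Map (name, arch) -> newest (epoch, ver, rel) found in primary.xml."""
    newest = {}
    for pkg in ET.fromstring(xml_text).findall("c:package", NS):
        key = (pkg.findtext("c:name", namespaces=NS),
               pkg.findtext("c:arch", namespaces=NS))
        v = pkg.find("c:version", NS)
        evr = (v.get("epoch", "0"), v.get("ver"), v.get("rel"))
        if key not in newest or evr_cmp(evr, newest[key]) > 0:
            newest[key] = evr
    return newest


def parse_rpm_qa(text):
    """Map (name, arch) -> (epoch, ver, rel) from 'rpm -qa' lines; epoch assumed 0."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        nvr, arch = line.rsplit(".", 1)
        name, ver, rel = nvr.rsplit("-", 2)
        installed[(name, arch)] = ("0", ver, rel)
    return installed


def cross_check(installed, newest):
    """Return a list of (name, arch, installed_evr, repo_evr, status) differences.
    status is 'missing-in-repo', 'behind' or 'ahead'; an empty list means all match."""
    diffs = []
    for key, evr in sorted(installed.items()):
        if key not in newest:
            diffs.append((*key, evr, None, "missing-in-repo"))
            continue
        c = evr_cmp(evr, newest[key])
        if c:
            diffs.append((*key, evr, newest[key], "behind" if c < 0 else "ahead"))
    return diffs


def mirrors_agree(repodata_by_mirror, min_mirrors=3):
    """repodata_by_mirror: {mirror_label: bytes}. Require at least min_mirrors
    reachable and byte-identical repodata; return (ok, detail)."""
    if len(repodata_by_mirror) < min_mirrors:
        return False, "only %d mirrors reachable" % len(repodata_by_mirror)
    digests = {m: hashlib.sha256(b).hexdigest() for m, b in repodata_by_mirror.items()}
    if len(set(digests.values())) == 1:
        return True, "all mirrors agree"
    return False, "mirrors differ: " + ", ".join(
        "%s=%s" % (m, d[:12]) for m, d in sorted(digests.items()))


if __name__ == "__main__":
    for d in cross_check(parse_rpm_qa(SAMPLE_RPM_QA), newest_from_primary(SAMPLE_PRIMARY_XML)):
        print(d)
```

Comparing whole-file digests across mirrors is deliberately strict: a mirror that is merely stale will trip it, which matches the outline's choice to stop and list differences rather than pick a majority.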