How does this look?

*Outline of qubes-dom0-update-guard*

*Usage: Use in conjunction with manual dom0 update*
*    sudo qubes-dom0-update -y && qubes-dom0-update-guard*
    
<START SCRIPT>
Prompt 1: "Please enter the name of a clean VM with access to Tor (e.g. 
anon-whonix): "
    Check if entered name is a VM
        If false, alert and prompt again
        If true, proceed
    Check if VM has Tor access
        If Tor inaccessible, alert and prompt again
        If Tor accessible, enter input into variable 'VM1' and proceed

Prompt 2: "Please enter the name of a clean, Debian-based disposable VM 
template with no assigned NetVM: "
    Check if entered name is a VM
        If false, alert and prompt again
        If true, proceed
    Check if VM is a disposable VM template (via qvm-prefs)
        If false, alert and prompt again
        If true, proceed
    Check if VM is based on Debian (via qvm-prefs)
        If false, alert and prompt again
        If true, proceed
    Check if VM has no NetVM assigned (via qvm-prefs)
        If false, alert and prompt again
        If true, enter input into variable 'VM2' and proceed

Start VM1
    Retrieve repodata from Onion and HTTPS mirrors
    Alert if less than 3 mirrors accessible
        Maybe halt process or give choice to continue?
        Maybe instead alert if low proportion (predefined) of mirrors 
available
            Since that might indicate trouble
    Move repodata files to VM2 (starts VM2)

In VM2
    Cross-check Onion and HTTPS repodata
        If any are different, alert, list differences, <EXIT SCRIPT>
        If all match, proceed
        
Write output of dom0 'rpm -qa' or 'yum list installed' to a file, 
overwriting old version
    Copy into VM2 (same folder as repodata)
    
In VM2, parse and re-write cross-checked Onion repodata into same format as 
'rpm -qa' or 'yum list installed' output
    Include newest version of each package only
    Cross-check output against dom0 output using same method for repodata
        If one or more differences, alert (loudly) and list differences, 
then <END SCRIPT>
        If both match, notify and <END SCRIPT>
        
        
I think the part that will pose the biggest challenge to my almost 
non-existent programming skills is the last part, where I have to write a 
program that will parse and repackage Onion repodata into a list of most 
recent packages. The rest seems workable, especially since I'm using Chris' 
qubes4-multi-update as reference for the script, which will be in Python.
On Monday, 10 August 2020 at 21:13:46 UTC+8 fiftyfour...@gmail.com wrote:

> On Monday, 10 August 2020 18:39:53 UTC+8, Andrew David Wong wrote:
>>
>> The QSB formats are actually pretty standardized already, though our 
>> expectation has been that they'd be read by humans rather than 
>> programmatically. We use a template [1] for the overall structure, and 
>> in particular, the "Patching" section always follows this format: 
>>
>
> Chris, Andrew,
>
> I'm grateful for your pointers. As a newcomer to programming, I don't 
> think I'm ready to integrate bulletin parsing and PGP verification into my 
> script. As of right now I'm trying to figure out whether I should use bash, 
> sh, or Python to write the script and using Chris' qubes-scripts and 
> qubes-vm-hardening as reference on how I should proceed. Maybe I'll get 
> around to integrating PGP verification into the process, but for now I want 
> to focus on the basics.
>
> Besides, don't the bulletins cover only a tiny (though critical) portion 
> of the updates dom0 receives? The PGP verification will provide a strong 
> additional layer of assurances, but I think cross-checking 'rpm -qa' 
> against the onion repodata, which itself has been cross-checked with at 
> least three other HTTPS repodata, should suffice for now, given my 
> abilities.
>
> Oh, and if someone more proficient at programming than I am (probably > 
> 90% of the people here) would like to write the script, then by all 
> means--I'll take my time and will likely come up with something substandard 
> and in need of multiple major revisions. I can still practice even though 
> someone else has written it, so please don't think of this little project 
> as 'mine' or anything--I'd hate to get in the way of others improving 
> Qubes' security.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2b0d3b92-7c9b-4595-860f-18bf4561f57dn%40googlegroups.com.
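Added example for the last two steps of the outline above (the "cross-check Onion and HTTPS repodata" step and the "parse and re-write repodata into rpm -qa format, keep newest version only, compare against dom0" step). This is not the poster's script and not Chris' qubes4-multi-update; it is written here in Python to match the poster's stated choice. The primary.xml fragment and the `rpm -qa` lines are constructed sample data, and `rpmvercmp` is a simplified re-implementation of RPM's version ordering (tilde/caret handling left out), so treat its semantics as an assumption rather than a drop-in for the real thing.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed primary.xml fragment standing in for real repodata. The element
# layout (name, arch, <version epoch ver rel/>) follows the yum/dnf "common"
# metadata schema; the package versions themselves are made up.
PRIMARY_XML = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="3">
  <package type="rpm"><name>qubes-core-dom0</name><arch>x86_64</arch>
    <version epoch="0" ver="4.0.59" rel="1.fc25"/></package>
  <package type="rpm"><name>qubes-core-dom0</name><arch>x86_64</arch>
    <version epoch="0" ver="4.0.60" rel="1.fc25"/></package>
  <package type="rpm"><name>xen-hypervisor</name><arch>x86_64</arch>
    <version epoch="2001" ver="4.8.5" rel="26.fc25"/></package>
</metadata>
"""

# Constructed stand-in for dom0's `rpm -qa` output (NAME-VERSION-RELEASE.ARCH).
INSTALLED = """qubes-core-dom0-4.0.60-1.fc25.x86_64
xen-hypervisor-4.8.5-25.fc25.x86_64
"""


def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption): split into numeric/alpha segments,
    numbers compare as integers, letters lexically, a numeric segment beats an
    alpha one, and a longer string beats its prefix. No tilde/caret support."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a),
                            re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xv, yv = (int(x), int(y)) if x.isdigit() else (x, y)
        if xv != yv:
            return 1 if xv > yv else -1
    return 0


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples field by field."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def newest_from_primary(xml_text):
    """Reduce primary.xml to {(name, arch): (epoch, ver, rel)}, keeping only
    the newest build of each package (the 'newest version only' step)."""
    newest = {}
    for pkg in ET.fromstring(xml_text).findall("c:package", NS):
        key = (pkg.find("c:name", NS).text, pkg.find("c:arch", NS).text)
        v = pkg.find("c:version", NS)
        evr = (v.get("epoch", "0"), v.get("ver"), v.get("rel"))
        if key not in newest or evr_cmp(evr, newest[key]) > 0:
            newest[key] = evr
    return newest


def parse_rpm_qa(text):
    """Parse default `rpm -qa` lines into {(name, arch): (ver, rel)}.
    Caveat: the default format omits the epoch, so only version-release is
    compared; a query format such as
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
    would let the epoch be checked as well."""
    installed = {}
    for line in text.split():
        nvr, _, arch = line.rpartition(".")
        name, ver, rel = nvr.rsplit("-", 2)
        installed[(name, arch)] = (ver, rel)
    return installed


def compare_installed(installed, newest):
    """The 'cross-check against dom0 output' step: list every installed package
    whose version-release is not the newest one in the cross-checked repodata."""
    diffs = []
    for key, (iver, irel) in sorted(installed.items()):
        if key not in newest:
            diffs.append((key, f"{iver}-{irel}", "absent from repodata"))
            continue
        _, rver, rrel = newest[key]
        if rpmvercmp(iver, rver) or rpmvercmp(irel, rrel):
            diffs.append((key, f"{iver}-{irel}", f"{rver}-{rrel}"))
    return diffs


def mirrors_agree(repodata_by_mirror):
    """The 'cross-check Onion and HTTPS repodata' step: the same file fetched
    from every mirror must be byte-identical. Returns (all_same, {mirror: sha256})."""
    digests = {m: hashlib.sha256(d).hexdigest() for m, d in repodata_by_mirror.items()}
    return len(set(digests.values())) == 1, digests


if __name__ == "__main__":
    same, digests = mirrors_agree({"onion": PRIMARY_XML.encode(),
                                   "https-mirror-1": PRIMARY_XML.encode()})
    print("mirrors agree:", same, digests)
    diffs = compare_installed(parse_rpm_qa(INSTALLED), newest_from_primary(PRIMARY_XML))
    for (name, arch), have, want in diffs:
        print(f"MISMATCH {name}.{arch}: installed {have}, repodata {want}")
    print("all match" if not diffs else f"{len(diffs)} difference(s)")
```

In a real run the mirror comparison would be done on each mirror's repomd.xml (which carries the checksums of primary.xml and the other metadata files), with the downloaded primary.xml then verified against the checksum recorded there, so that one identical repomd.xml across the Onion and HTTPS mirrors vouches for the rest of the repodata.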