While working on the script, I realized that a much simpler way of achieving the goal of verifying that repomd hasn't been tampered with is to just verify that the repomd.xml used for updating matches the onion version (itself cross-checked against multiple HTTPS copies) before the update, instead of comparing a list of installed packages against a parsed list of available packages. This means I won't have to write something to parse that list and makes the script much more compact.
Unfortunately, this seems to mean tinkering with qubes-dom0-update itself and mandating the use of sys-whonix as the dom0 update VM instead of writing a separate script to be run after the fact. On Friday, 14 August 2020 at 22:38:33 UTC+8 54th Parallel wrote: > On Friday, 14 August 2020 at 19:24:11 UTC+8 disrupt_the_flow wrote: > >> I am so confused. Please explain what you want to do, but no like in a >> pseudo-script method. >> > > The thread above contains all the pertinent information--if you're using > Google Groups, try 'expanding all' and reading through them. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4d86b885-d756-480b-b43f-b3e95ca9547dn%40googlegroups.com.
