Re: [qubes-users] Curious: https for yum repos

2017-03-15 Thread Unman
On Wed, Mar 15, 2017 at 03:39:04PM -0700, Andrew David Wong wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 2017-03-15 01:15, haaber wrote: > > Chris, > > > >> Fedora *unfortunately* is the blacksheep here. It doesn't sign a > >> repo file, therefore an attacker can hold back

Re: [qubes-users] Curious: https for yum repos

2017-03-15 Thread Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-03-15 01:15, haaber wrote: > Chris, > >> Fedora *unfortunately* is the blacksheep here. It doesn't sign a >> repo file, therefore an attacker can hold back individual >> packages within what appears to the user as a stream of normal >>

Re: [qubes-users] Curious: https for yum repos

2017-03-15 Thread haaber
Chris, > Fedora *unfortunately* is the blacksheep here. It doesn't sign a repo > file, therefore an attacker can hold back individual packages within > what appears to the user as a stream of normal update cycles. I read this as "fedora is less safe" since exposed to described attacks. Actually

Re: [qubes-users] Curious: https for yum repos

2017-03-14 Thread Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-03-14 18:00, Unman wrote: > [...] The move to Tor does make this still more difficult, but > again, the correlation of a number of requests to what are > relatively uncommon sites may be enough to identify a Whonix or > Qubes user. (I should

Re: [qubes-users] Curious: https for yum repos

2017-03-14 Thread Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-03-14 16:41, Chris Laprise wrote: > On 03/14/2017 05:19 PM, cubit wrote: >> 14. Mar 2017 04:39 by tas...@openmailbox.org >> : >> >> GPG is sufficient for verification, although using HTTPS would >> conceal

Re: [qubes-users] Curious: https for yum repos

2017-03-14 Thread Chris Laprise
On 03/14/2017 05:19 PM, cubit wrote: 14. Mar 2017 04:39 by tas...@openmailbox.org : GPG is sufficient for verification, although using HTTPS would conceal which software packages you are using GPG does not protect against a MITM downgrade attack to a

Re: [qubes-users] Curious: https for yum repos

2017-03-14 Thread cubit
14. Mar 2017 04:39 by tas...@openmailbox.org: > GPG is sufficient for verification, although using HTTPS would conceal which > software packages you are using GPG does not protect against a MITM downgrade attack to a validly signed but older vulnerable version of a piece of software --

Re: [qubes-users] Curious: https for yum repos

2017-03-13 Thread Chris Laprise
On 03/14/2017 12:03 AM, InfusingPrivacy wrote: As part of my exploration of Qubes, I took a look inside yum.repos.d and I noticed that there were quite a few repos that used http. Most are default fedora repos, but some are Qubes repos, which raised a question of curiosity (primarily for

[qubes-users] Curious: https for yum repos

2017-03-13 Thread InfusingPrivacy
As part of my exploration of Qubes, I took a look inside yum.repos.d and I noticed that there were quite a few repos that used http. Most are default fedora repos, but some are Qubes repos, which raised a question of curiosity (primarily for discussion): Would it be helpful if certain Qubes