On 3/5/20 7:31 AM, Mark Fernandes wrote:
> I want to get a genuine copy of Qubes, from here in the UK (United Kingdom).
> The only way described on the Qubes website at present appears to be
> to download the ISO.
>
> I have the classic security problem described on the website
> <https://www.qubes-os.org/doc/install-security/>, where not having a
> trustworthy machine means that I have a never-ending chain of trust
> issues for each machine that I use in the obtaining of the software.

Many of us work with a threat model that assumes at least some computers
available by retail are not compromised "out of the box", or else if
compromised then not at the BIOS/UEFI firmware level. For this model,
verifying the Qubes ISO with gpg is acceptable.

You can also qualify the model somewhat and say that an attacker cannot
successfully infect all of your (hopefully diverse) computers, so that
makes checking a signature on several different computers a form of
reassurance.

OTOH, you may have decided to discard the above threat model because of
some intent or capability known to you. In that case, I think the Qubes
community has only two answers: Find a trusted service that can flash a
known good/uncompromised firmware suite onto one of your machines, or
find a system vendor like Insurgo or NitroKey that sells re-flashed
systems and uses anti-interception measures (like tamper-evident
packaging and signatures) in addition to offering Qubes pre-installed.

--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886