On Thursday, 6 August 2020 18:05:25 UTC+8, Chris Laprise wrote:
>
> I hate to break that feeling, but Fedora is unique in that it doesn't
> sign its repo metadata, and sadly that is what matters. They put a
> bandaid on it by fetching more hashes via https... so the update
> security in Fedora is based on the strength of https. That is bad, as
> https can be subverted by resourceful attackers.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1130491
>
> What this potentially allows is an attacker to blind Fedora systems to
> specific package updates, where the systems appear to retrieve updates
> normally without the users being aware that particular packages with
> known vulnerabilities have been held back.
>
> --
> Chris Laprise, [email protected]
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>
That's highly concerning and might put me off from using Qubes for sensitive work, which defeats the entire purpose of installing Qubes. This is a massive gaping hole that, to me, invalidates all the other security strengths of Qubes, since dom0 is the key to the kingdom. The reason why I'm anxious about the security of packages is because my dom0 has exhibited strange behavior not present before my dom0 update (and I know because I spent a lot of time with my OS before connecting it for the first time). My dom0 update itself has been behaving strangely and I made a post about it earlier, where I also asked about package verification, but received no response.

>
> Hi all,
>
> Every time I use qubes-dom0-update in a fresh installation (which I've
> done around ten times now), I get strange outputs where the repositories
> aren't shown being queried but the update proceeds. It looks something like
> this:
>
> error: could not delete old database at /var/lib/qubes/dom0-updates/home/user/.rpmdbold.965
> https://mirrors.phx.ms/qubes/repo/yum/r4.0/current/dom0/fc25/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirror.phx.ms"
> Trying other mirror.
> https://mirror.linux.pizza/qubes-os.org/repo/yum/r4.0/current/dom0/fc25/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
> Trying other mirror.
> https://mirror.linux.pizza/qubes-os.org/repo/yum/r4.0/templates-til/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
> Trying other mirror.
> No Match for argument
> No Match for argument
> No Match for argument
> No Match for argument
> No Match for argument
> No Match for argument
> No Match for argument
> No Match for argument
> --> Running transaction check
> ---> Package kernel[...] will be installed
>
> [...]
>
> ---> Finished Dependency Resolution
> [Starts downloading]
>
> This is consistent even when updating over tor, and has been bugging me.
> Does anyone else see this when they first update dom0?

Also, dom0 update consistently gives me two [Y/n] prompts in a row before installation, which seems very strange.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3ffe4444-d63d-4247-a548-eb2b7731bd9do%40googlegroups.com.
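The hold-back scenario Chris describes is a metadata freeze: a client keeps accepting an old repomd.xml and never learns about newer packages. Two defender-side checks that surface this, added here as an example that is not part of this thread nor of the Qubes or Fedora tooling, are (1) parsing repomd.xml and flagging metadata whose newest timestamp is older than a policy window, and (2) confirming a .repo stanza actually requires signed metadata via repo_gpgcheck. The repomd.xml sample, the .repo stanzas and the age threshold are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Constructed sample of a yum/dnf repomd.xml (createrepo namespace).
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1596700000</revision>
  <data type="primary">
    <checksum type="sha256">aaaa</checksum>
    <location href="repodata/primary.xml.gz"/>
    <timestamp>1596700000</timestamp>
  </data>
  <data type="filelists">
    <checksum type="sha256">bbbb</checksum>
    <location href="repodata/filelists.xml.gz"/>
    <timestamp>1596690000</timestamp>
  </data>
</repomd>"""

# Constructed .repo stanzas: one trusts only package signatures, one also
# requires a detached signature on repomd.xml itself.
UNSIGNED_REPO = "[example]\nbaseurl=https://mirror.example/repo\ngpgcheck=1\nrepo_gpgcheck=0\n"
SIGNED_REPO = "[example]\nbaseurl=https://mirror.example/repo\ngpgcheck=1\nrepo_gpgcheck=1\n"

NS = {"r": "http://linux.duke.edu/metadata/repo"}


def newest_timestamp(repomd_xml: str) -> int:
    """Newest <timestamp> across all <data> entries (0 if there are none)."""
    root = ET.fromstring(repomd_xml)
    stamps = [int(t.text) for t in root.findall("r:data/r:timestamp", NS)]
    return max(stamps, default=0)


def metadata_is_stale(repomd_xml: str, now: int, max_age_seconds: int) -> bool:
    """True when the served metadata is older than the policy window.

    A mirror that keeps answering with metadata this old is either neglected
    or is replaying a frozen snapshot, so the client should refuse it or alert.
    """
    return now - newest_timestamp(repomd_xml) > max_age_seconds


def repo_gpgcheck_enabled(repo_ini: str) -> bool:
    """True if the stanza sets repo_gpgcheck=1 (signed repomd.xml required)."""
    for line in repo_ini.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "repo_gpgcheck":
            return value.strip() == "1"
    return False  # dnf/yum default: metadata signature not checked
```

Note that a freshness check only detects a freeze; it does not replace signed metadata, which is what prevents an attacker from serving altered repodata in the first place.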
