Informed by a recent post <https://groups.google.com/d/msg/qubes-users/SbLGJ1CWAWw/zGF81YnxAgAJ>, I've decided to start writing a script that takes a Qubes installation's list of packages installed in dom0 and compare them to the list of available packages in the chosen repo (e.g. 'current') to ensure that the update process hasn't been interfered with by an adversary that has taken advantage of Fedora's insecure updating mechanism (detailed in the thread linked earlier). I'm motivated to do this because this seems to be a flaw that can give attackers the key to the kingdom by blocking patches to dom0 or Xen.
Since I'm not a programmer (I know *basic* Python), this will be a learning experience for me, so stay tuned and please point out any issues/errors you spot in my updates. I'd appreciate it if someone felt charitable enough to point me towards useful commands/functions, but I'd be fine learning the hard way too--I need to start learning programming *somewhere*, and this seems to be a good place to start. Right now my plan is to take the output of 'rpm -qa' or 'yum list installed' and compare it via some sort of 'match' or 'crosscheck' function to a repo list pulled from somewhere secure (i.e. not tampered with by potential adversaries) and maybe imported into dom0 from a specialized secure appVM, creating a security tradeoff. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8df94b46-4dc1-445f-b994-47419a2ac797o%40googlegroups.com.
