On Fri, Aug 07, 2020 at 09:07:39PM -0700, [email protected] wrote:
> On Saturday, 8 August 2020 06:38:38 UTC+8, Chris Laprise wrote:
> >
> > I think this is only properly done via a trusted .onion address, i2p
> > address, etc... Unless Tor's DNS lookups have been improved since the
> > last time I checked.
> >
> > Just for reference here, threat model I'm thinking of here is when an
> > attacker tries to MiTM while having the cooperation of the certificate
> > authority.
> >
> > --
> > Chris Laprise, [email protected]
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> >
>
> Since dom0 can be updated via tor, is there an onion address? If not, what
> would it take to make one or convince someone to make one? Without this
> (since i2p is a whole can of worms I don't want to touch), the whole
> exercise is meaningless.
>
> --

Onion? Of course.
Check /etc/yum.repos.d/qubes-dom0.repo
Also, it's on mirror list at https://www.qubes-os.org/downloads, and has
been referenced on this list.
The repo is:
http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

What you should do is grab a few of those mirror sites, and compare the
metadata downloaded through Tor. i.e. don't trust *any one* site, but look
at them in the mass.
Just as you would with an iso or pgp key.

unman

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200808125121.GA14753%40thirdeyesecurity.org.
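
The mirror comparison suggested in the reply above, as an added example that is not part of the original message or of Qubes' own tooling: it assumes each mirror's `repodata/repomd.xml` has already been downloaded through Tor, and reports which mirrors agree on the metadata checksums and which do not. The mirror labels and XML bodies are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml namespace

def fingerprint(repomd_xml: bytes):
    """Reduce one repomd.xml to (revision, sorted (type, checksum) pairs)."""
    root = ET.fromstring(repomd_xml)
    revision = root.findtext("r:revision", default="", namespaces=NS).strip()
    sums = sorted(
        (d.get("type", ""), d.findtext("r:checksum", default="", namespaces=NS).strip())
        for d in root.findall("r:data", NS)
    )
    if not sums:
        raise ValueError("no <data> checksums found")
    return revision, tuple(sums)

def compare_mirrors(fetched):
    """fetched: {mirror label: repomd.xml bytes}. Returns (agreeing, outliers).

    A mirror is an outlier if its metadata differs from the strict majority.
    With no strict majority nothing is trusted and every mirror is an outlier.
    """
    groups = defaultdict(list)
    for mirror, body in fetched.items():
        try:
            key = fingerprint(body)
        except (ET.ParseError, ValueError):
            key = ("unparseable", mirror)  # never groups with another mirror
        groups[key].append(mirror)
    best = max(groups.values(), key=len)
    if len(best) * 2 <= len(fetched):
        return [], sorted(fetched)
    return sorted(best), sorted(m for m in fetched if m not in best)

def _sample(revision, primary_sum):
    # Constructed test data, not real Qubes repository metadata.
    return (f'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
            f"<revision>{revision}</revision>"
            f'<data type="primary"><checksum type="sha256">{primary_sum}'
            f"</checksum></data></repomd>").encode()

SAMPLE = {  # hypothetical mirror labels
    "onion-mirror": _sample("1596800000", "aa" * 32),
    "clearnet-mirror-1": _sample("1596800000", "aa" * 32),
    "clearnet-mirror-2": _sample("1596800000", "bb" * 32),
}

if __name__ == "__main__":
    agreeing, outliers = compare_mirrors(SAMPLE)
    print("agree:", agreeing)
    print("investigate:", outliers)
```

A mirror that has not yet synced will also show up as an outlier, so a mismatch is a reason to look closer at that mirror rather than proof of tampering.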
