On 8/6/20 12:05 PM, Chris Laprise wrote:
> On 8/6/20 3:54 AM, [email protected] wrote:
>> On Thursday, 6 August 2020 12:31:44 UTC+8, Emily wrote:
>>> -- I'm not unman, but I just checked the repo data and it appears
>>> they use sha256
>>
>> This is reassuring. Thanks, Emily
>
> I hate to break that feeling, but Fedora is unique in that it doesn't
> sign its repo metadata, and sadly that is what matters. They put a
> bandaid on it by fetching more hashes via https... so the update
> security in Fedora is based on the strength of https. That is bad, as
> https can be subverted by resourceful attackers.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1130491
>
> What this potentially allows is an attacker to blind Fedora systems to
> specific package updates, where the systems appear to retrieve updates
> normally without the users being aware that particular packages with
> known vulnerabilities have been held back.
>
> Note that RHEL and CentOS _do_ sign their repomd.xml. So we're looking
> at some kind of decision made either by Red Hat's marketing department
> (keep Fedora off RHEL's expensive turf) or by some idea that Fedora is
> not for serious mission-critical environments, or both.
>
> So this is a sizable hole in Qubes security. The best advice I can give
> is to avoid using Fedora templates and pay attention to Qubes Security
> Bulletins when they mention which dom0 components will be updated (and
> pay close attention when running qubes-dom0-update to look for the
> mentioned components).

Why does the Qubes project continue using Fedora as the base for a
default install? Even dom0 is Fedora. I assume they are well aware of
this issue.
Do the Qubes core team not regard this as a problem or what is the
rationale?
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/bec77142-a177-7cab-63b1-7fa1ce508d7a%40ak47.co.za.
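
An added example, not part of the original thread: a small audit of dnf/yum `.repo` content that separates package signature checking (`gpgcheck`) from metadata signature checking (`repo_gpgcheck`, the option that enables GPG verification of repomd.xml) and reports which enabled repositories rest on https alone. The sample repo definitions and the finding labels are constructed for illustration; options missing from a section are assumed to be off, and `[main]` settings in dnf.conf are not read.

```python
import configparser

# Constructed sample in the .repo format read by dnf/yum; not from a real system.
SAMPLE_REPO = """\
[example-updates]
name=Example updates
metalink=https://mirrors.example.org/metalink?repo=updates&arch=x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0

[example-signed]
name=Example repo with signed metadata
baseurl=http://repo.example.org/signed/
enabled=1
gpgcheck=1
repo_gpgcheck=1

[example-disabled]
name=Disabled repo
baseurl=http://repo.example.org/old/
enabled=0
"""

def audit_repos(text):
    """Return {repo_id: finding} for every enabled repo in .repo text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if not sec.getboolean("enabled", fallback=True):
            continue
        # baseurl may list several URLs; collect every metadata source.
        keys = ("metalink", "mirrorlist", "baseurl")
        urls = " ".join(sec.get(k, fallback="") for k in keys).split()
        tls_only = bool(urls) and all(u.startswith("https://") for u in urls)
        if sec.getboolean("repo_gpgcheck", fallback=False):
            findings[repo] = "metadata-signed"
        elif tls_only:
            # Package signatures may still be checked, but the package list
            # itself is only as trustworthy as the TLS connection.
            findings[repo] = "metadata-unsigned-https-only"
        else:
            findings[repo] = "metadata-unsigned-cleartext"
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPO).items():
        print(f"{repo}: {finding}")
```

Setting `repo_gpgcheck=1` only helps when the repository actually publishes a signature for repomd.xml, which is the point in dispute in the thread above.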