currently when i have qubes and need a new image (e.g. to reinstall/install on a new machine), i need to download the image from qubes-os.org and then check the signature.

this may be a source of errors for some users, or even insecure (mitm + exchanging the master signing key information on the website + patching the downloaded image). also, checking signatures manually should be unnecessary since a package manager is built to do such stuff.

i would propose to add the qubes-images as packages to the repos.

maybe you could get other official repos to add them, too.
(debian (+ubuntu), fedora and arch should reach a significant portion of the linux users)

also: is the public qubes master signing key somewhere in dom0?
in case a user has not saved it, this could circumvent the problem of an mitm exchanging the information about the signing key

-john
