this may be a source of errors for some users, or even insecure
(mitm + exchanging the master signing key information on the
website + patching the downloaded image).
I know what you mean, but it's worth remembering that the Qubes Master
Signing Key fingerprint is supposed to be verified
out-of-band/multiband. So, in principle, replacing the key and/or
fingerprint on just qubes-os.org shouldn't work as a successful
attack vector.
the problem is (as you wrote) 'supposed to be verified out-of-band'.
for some less technical people, even verifying the signature is a huge step.
i am a fan of providing easily accessible security and using already
existing infrastructure. (in case of the dom0 repo, an ultimately
trusted source).
also depending on the situation a mitm could replace the fingerprint of
different channels, too.
also checking signatures manually should be unnecessary since a
package manager is built to do such stuff.
i would propose to add the qubes-images as packages to the repos.
Interesting idea. I wonder whether this would count as a misuse of the
repos/package manager.
One thing is that we'd like to offload most of the traffic to a mirror
(e.g., mirrors.kernel.org, as we currently do).
if offloading is not done for isos: add a "qubes-images" repo providing
the files and host it on your servers.
if offloading is done for isos: ship the master key with qubes and
provide a convenience command to the user.
this command should download (e.g. via torrent) and verify the image (a
step the user can't do wrong anymore).
this command could spawn a dispvm, install torrent software, load the
torrent and copy it to dom0. from there the user could qvm-copy it to
the vm with the install medium.
maybe you could get other official repos to add them, too. (debian
(+ubuntu), fedora and arch should reach a significant portion of
the linux users)
Another interesting idea. I've never heard of a distro adding a
different OS's ISO as a package of their own, though.
asking can't hurt.
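
The verify step of the convenience command proposed above, as an added example that is not part of the original thread or of Qubes itself: it fails closed unless the detached signature is valid and was made by a key whose full fingerprint equals a pinned value. `verify_image`, `PINNED_FPR`, the all-zero placeholder fingerprint and the sample status text are assumptions of this example, as is the pinned key signing the image directly (a chain through intermediate keys is not handled).

```shell
#!/bin/sh
# Added example (not from the thread). verify_image, PINNED_FPR and the
# sample status text are hypothetical names and constructed data.

# Placeholder: set to the fingerprint you confirmed out-of-band.
PINNED_FPR=${PINNED_FPR:-0000000000000000000000000000000000000000}

# Canonical form: drop spaces/colons/newlines, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# True only for a full 40-hex-digit fingerprint equal to the expected one.
# Short key IDs and empty input are rejected, so a missing value fails closed.
fpr_matches() {
    _got=$(normalize_fpr "$1")
    _want=$(normalize_fpr "$2")
    [ "${#_got}" -eq 40 ] || return 1
    case $_got in *[!0-9A-F]*) return 1 ;; esac
    [ "$_got" = "$_want" ]
}

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). gpg emits VALIDSIG only when the
# signature checks out cryptographically; BADSIG/ERRSIG yield no output here.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_image KEYFILE SIGFILE IMAGE -> exit 0 only if IMAGE carries a valid
# detached signature made by the key whose fingerprint is pinned above.
verify_image() {
    _home=$(mktemp -d) || return 1
    # Throwaway keyring: keys already in the user's keyring cannot satisfy the check.
    gpg --homedir "$_home" --batch --quiet --import "$1" 2>/dev/null ||
        { rm -rf "$_home"; return 1; }
    _status=$(gpg --homedir "$_home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$_home"
    fpr_matches "$(printf '%s\n' "$_status" | validsig_fpr)" "$PINNED_FPR"
}

# Constructed status output: a good signature from a key that is NOT the pinned one.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Constructed Key
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-01-01 1451606400 0 4 0 1 8 00 2222222222222222222222222222222222222222'
```

A signature that gpg reports as good still fails here when the signing key is not the pinned one, which is the case a replaced key plus re-signed image would produce.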