-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-11-29 15:03, genevieve.c.gauth...@gmail.com wrote: > On Wed, 2017-11-29 at 15:59 +0000, Unman wrote: >> In the Fedora documentation there ARE methods described for >> getting bug reports out of the install process, but they require >> active intervention from the user (copy to another drive or scp >> across network). There's no suggestion that these reports would >> be automatically submitted. >> >> I've had a quick look through the code and i dont see any >> mechanism for passing on bug reports - but it was a very quick >> look. > > Interesting & very good to know this but that would have surprise > me a lot from a Qubes OS installation. Have you learned if it is > specific to Qubes 4.0 rc3 (perhaps the installation part has been > there for a long time before this release) ? > > 3-4 questions remains for me. If you can learn those answer in the > future, I believe this issue would have been truly investigated for > me. > > With an "active" intervention from the user (or if I had connected > to the internet and submitted my report from my computer to the > computer receiving those reports) > > 1.1 : Does my passphrase would have been transmitted ? YES/NO ? > 1.2 encrypted along the way ? YES/NO ? 2.1 : If YES 1.1, where/who > does the passphrase would have been transmitted/ transmitted to > 2.2 : Who would have had access to this information ? > > > I am not looking for an immediate answer. However, I am still > curious about all this. Such a strange 'Bug Report' to see it > like this.. Seems complicated to use those information to comprise > the whole system via dom0 (that's good) >
Hi all, After checking with the Qubes Security Team, I'm happy to report that there is no cause for alarm here: 1. For security, networking is always disabled in the Qubes OS installer, so you would not be able to send that bug report (or anything else, for that matter), even if you wanted to. Disabling networking during installation is necessary for Qubes to protect itself before it creates a NetVM (and hence before the network stack has been isolated). 2. We agree that sensitive user data, especially passwords, should never be included in bug reports. The last thing we want is for any third party (least of all us) to see a Qubes user's private data. In fact, you can think of the entire Qubes OS Project as working to ensure the exact opposite. :) 3. Qubes OS uses an installer called Anaconda [1], which generated the bug report you saw. After it performs an installation, Anaconda saves the data from that installation in /root/anaconda-ks.cfg. We have verified that the LUKS (disk encryption) password is not stored in this file. Only a hash of the user account / screen locker password is stored there (not the password itself, and not even a hash of the LUKS password is stored there). We have also filed an upstream bug report with Fedora about Anaconda including the LUKS password in the bug report. [2] [1] https://en.wikipedia.org/wiki/Anaconda_(installer) [2] https://bugzilla.redhat.com/show_bug.cgi?id=1519895 - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJaI0jZAAoJENtN07w5UDAwYMsQAKkgoqP4VzitWKissQr9ls2c kYpXuOCD9WWj9toAg2weK82W8YvCqMBhuuZfO7UUR1qyYE1d3F8g79dvKBDj1tGD JiNXoaJSPpsjyOpGEMcZAF+5dLtDfZqrfdY6LewpRQ18aIsRy/j3fLOVsnWNTATv 2g1RVRij1Z4nZn4kjr5oP99k+u9z/IBMR9QFo6L4D8+Mxb3mGXOCQqOxVkXuDojP 5vw7b5ICEPbmQRVbylmbuXA2RpQ/I6LPsNR7vELtMoQGyEHN7JHnHlU4sM0tkh8V qiqG5u6g1cqoZs+SvspFz9xd1idrtx8zFvlZFtAXWDsM7M5pfJCbtTPnKRlk4iEQ dGabpRYco/+E9fos7k+ypsP3iqh/sLB8mHxkMPcdDdmJTLZYqj7pRUqOX3e+AiRs QAZ8oOKFMEhmVmKbNWoArE9WNiT7w1zjzywUPuxWN/4nOVcm0TTqnOGGNHP2Ys8C wqOZ7bOnA089mPR8WNYN8JSHiAqd2JpLJQlmSjUUp4kQWfczaCiRh7CodgInihL9 +R++lcCNAQ2c+T9LeUwwa0ibXYiOHWVewMP9tg1K7fVa7nDZXzn3O7LSyw31FcXF 2eoFusB7Ot+GKeDWTPMlRELy2iEaa46oQc1veE3FoU6s9biYw7wrIKRpwEO5Gpu7 wTfnq1qL23hv5QbnlE/E =I7ZH -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/26fe33d1-3233-c946-cb2d-6e6af9887163%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.