On Saturday, 8 August 2020 20:51:25 UTC+8, unman wrote:
>
> Onion? Of course. 
> Check /etc/yum.repos.d/qubes-dom0.repo 
> Also, it's on mirror list at https://www.qubes-os.org/downloads, and has 
> been referenced on this list. 
> The repo is: 
> http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion 
>
> What you should do is grab a few of those mirror sites, and compare the 
> metadata downloaded through Tor. i.e. don't trust *any one* site, but look 
> at them in the mass. 
> Just as you would with an iso or pgp key. 
>
> unman 
>

I have Awokd, Chris, *and* Unman replying to my post--I feel pampered.  

So the new overview of the script is: have a dedicated (and hardened?) Tor 
VM --basically, whonix-ws-- download the metadata from a few mirror sites, 
compare them to the metadata from Tor, and if all checks out, compare the 
Tor version to the packages installed in dom0. If it doesn't check out, 
alert the user and ask whether to proceed. To do this entirely in dom0 (keeping 
it safe and simple for a newbie at programming), I'm going to use qvm-run 
with --pass-io somewhere in my script, along with something to read the 
whonix output and run cross checks.

A concern: I've noticed that a lot of Qubes mirrors are often offline. 
Would this create vulnerabilities?
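
The cross-check described in this message, as an added example that is not part of the original post or of any Qubes tooling: it hashes one saved metadata file per mirror, counts an empty or missing file as an offline mirror, and refuses to give a verdict when too few mirrors answered. The function name, the `MIN_RESPONSES` threshold and the file-per-mirror layout are assumptions; the fetch itself (for instance through `qvm-run --pass-io`) is left out.

```shell
#!/bin/sh
# Added example. Assumption: each argument is a file holding the repository
# metadata fetched from one mirror over Tor; an empty or missing file means
# that mirror did not answer.

MIN_RESPONSES=3   # assumed policy: fewer answers than this cannot be judged

# compare_mirror_metadata FILE...
# Returns 0 if every answering mirror served identical metadata,
#         1 if at least one mirror differs,
#         2 if fewer than MIN_RESPONSES mirrors answered.
compare_mirror_metadata() {
    local f sum first="" answered=0 mismatch=0
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "offline   $f" >&2          # no data: not counted as agreement
            continue
        fi
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        echo "$sum  $f" >&2                  # show every hash so the user can inspect
        answered=$((answered + 1))
        if [ -z "$first" ]; then
            first=$sum
        elif [ "$sum" != "$first" ]; then
            mismatch=1
        fi
    done
    if [ "$answered" -lt "$MIN_RESPONSES" ]; then
        echo "INSUFFICIENT: only $answered mirror(s) answered"
        return 2
    fi
    if [ "$mismatch" -ne 0 ]; then
        echo "MISMATCH: mirrors served different metadata"
        return 1
    fi
    echo "OK: $answered mirrors agree"
    return 0
}

# Constructed demo data (not real repository metadata).
demo=$(mktemp -d)
printf 'constructed metadata v1\n' | tee "$demo/m1" "$demo/m2" "$demo/m3" >/dev/null
: > "$demo/m4"                               # simulated offline mirror
compare_mirror_metadata "$demo/m1" "$demo/m2" "$demo/m3" "$demo/m4"
printf 'constructed metadata altered\n' > "$demo/m3"
compare_mirror_metadata "$demo/m1" "$demo/m2" "$demo/m3" "$demo/m4"
rm -rf "$demo"
```

A calling script would prompt the user on return codes 1 and 2 rather than proceeding to the dom0 package comparison.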
