-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2020-08-09 3:05 PM, Chris Laprise wrote:
> On 8/8/20 10:20 AM, fiftyfourthparal...@gmail.com wrote:
>> So the new overview of the script is: have a dedicated (and
>> hardened?) tor VM --basically, whonix-ws-- download the metadata
>> from a few mirror sites, compare them to the metadata from Tor,
>> and if all checks out, compare the tor version to the packages
>> installed in dom0. If it doesn't check out, alert user and ask
>> whether to proceed. To do this entirely in dom0 (keeping it safe
>> and simple for a newbie at programming), I'm going to use qvm-run
>> with --pass-io somewhere in my script, along with something to
>> read the whonix output and run cross checks.
>
> Just an idea: Use the Qubes Security Bulletins as your reference
> for checking package versions:
>
> https://www.qubes-os.org/security/pack/
>
> These bulletins are signed txt files, which makes them secure. The
> difficult part would be parsing the QSBs themselves but I wonder
> if Qubes devs would agree to a standard format going forward to
> make it easier + reliable.
>

The QSB formats are actually pretty standardized already, though our
expectation has been that they'd be read by humans rather than
programmatically. We use a template [1] for the overall structure, and
in particular, the "Patching" section always follows this format:

```
Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes <supported_release_1>:
  - <package_1>
  - <package_2>
  - <package_3>
  - <package_etc...>

  For Qubes <supported_release_2>:
  - <package_1>
  - <package_2>
  - <package_3>
  - <package_etc...>

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
```

Feel free to take a look at any QSBs for specific examples. [2] I'm sure
it wouldn't be a problem to change the syntax slightly if that would
make things easier, as long as it doesn't harm human readability.


[1] https://www.qubes-os.org/security/bulletins/template/
[2] https://www.qubes-os.org/security/bulletins/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl8xI+QACgkQ203TvDlQ
MDBOyg//T0/mxeE+pVlF7LIUuShy1B55Fjxxi35JhlkfX9Ws7fLT7hLh6172cxGQ
55E1WXlZ19AE9OZFeIUNX08ov5X6/OelAy8qFdtAmXFI3dEDzdjDVRk8naRpdtu6
hxqsnP4zsHLj0WQEYnsuPyjfgFuIZCy5TfXRlxm8u4l9oorK/IB6sqhBftwnT078
U37Sls/fPlKpnZ0rPJ6Kv/cGbXG1wKpxuui2LAsTis/IY/3TsRpEY8CLa1oIKX53
okQCY8GXnp7ova+8LEyhHBdoDK4iT1Fl8ohfJ+JzekE2SaR/7CnFGO2XrwyiFyXw
Zz9Huu+UIJl+ygIGK80HBBmUNSF+/sSoMSo0SYKZP96JnV0Vka54EEppH5Ctzexy
8yVIpYSwmavHOUO2+GVXh4ykETgkpC0UKg+QLoWacNTRqihT5XTCY3J7SqNLn93Z
21OHE5bAy7/cXNtq0rrnw/BeIzgmrHuaKMrOuW9HExoWIrroyb4a+rpEPbQfsCrb
G09/1A5uOt04ZQXKVhly2UYBA8Zzlld6vh4mKlCYBRBFBzAgJ69yHt3gubWcMAVV
f42Za2qpOZsNharvb6lvHI/7E0XY7FpqvOHZuVfX1c0UiTifTm5ZLwN0IDpGgw0f
1K26/H7GriIU4MZlC4qjToRGGXf40jV6l9zHZUzUzbdSGxEF20A=
=Gs9V
-----END PGP SIGNATURE-----
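The "Patching" layout quoted above is regular enough to be parsed by the kind of dom0 checker the original poster describes. The following is an added example, not code from the Qubes project or from anyone in this thread: it pulls the per-release package lists out of a bulletin's Patching section, compares them against a dom0 inventory using an rpmvercmp-style version comparison, and reports which packages are current, outdated or absent. The bulletin excerpt and the `rpm -qa` output are constructed, and the two item shapes it recognises ("Xen packages, version V" and "name-V"), together with the rule that "Xen packages" means every installed package whose name starts with "xen", are assumptions about how items are worded; check them against real bulletins as Andrew suggests.

```python
"""Check dom0 packages against the "Patching" section of a Qubes Security Bulletin.
Added example, not Qubes project code: the bulletin excerpt and the rpm output are
constructed, and the two item shapes ("Xen packages, version V" and "name-V") plus
the rule that "Xen packages" means every package whose name starts with "xen" are
assumptions about how QSB items are worded."""
import re

# Constructed bulletin excerpt in the template's Patching layout (made-up versions).
SAMPLE_QSB = """\
Patching
=========

  For Qubes 4.0:
  - Xen packages, version 4.8.5-24
  - qubes-core-dom0-4.0.58

  For Qubes 4.1:
  - Xen packages, version 4.14.0-5

  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

Credits
========
"""
# Constructed dom0 inventory, shaped like: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
xen 4.8.5-24.fc25
xen-hypervisor 4.8.5-24.fc25
xen-libs 4.8.5-22.fc25
qubes-core-dom0 4.0.58-1.fc25
"""
RELEASE_RE = re.compile(r"^\s*For Qubes (?P<rel>[^:]+):\s*$")
ITEM_RE = re.compile(r"^\s*-\s+(?P<item>.+?)\s*$")
WORDS_RE = re.compile(r"^(?P<name>.+?) packages?, version (?P<ver>\S+)$", re.I)
NV_RE = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d[^\s-]*(?:-[^\s-]+)?)$")


def parse_patching(text):
    """{release: [item, ...]} from the Patching section, stopping at the next '==='
    heading. Items count only under a 'For Qubes X:' line; any other non-blank line
    closes that list, so a '$ sudo ...' line is never read as a package."""
    lines = text.splitlines()
    releases, inside, current = {}, False, None
    for i, line in enumerate(lines):
        underlined = bool(line.strip()) and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"="}
        if not inside:
            inside = line.strip() == "Patching" and underlined
            continue
        if underlined:                       # reached the next section
            break
        rel, item = RELEASE_RE.match(line), ITEM_RE.match(line)
        if rel:
            current = rel.group("rel").strip()
            releases.setdefault(current, [])
        elif item and current is not None:
            releases[current].append(item.group("item"))
        elif line.strip():
            current = None
    return releases


def parse_item(item):
    """(name, required_version, is_prefix) for one '- ...' list item."""
    m = WORDS_RE.match(item)
    if m:                                    # "Xen packages, version V" -> prefix "xen"
        return m.group("name").strip().lower(), m.group("ver"), True
    m = NV_RE.match(item)
    if m:                                    # "qubes-core-dom0-4.0.58" -> exact name
        return m.group("name"), m.group("ver"), False
    raise ValueError("unrecognised package item: %r" % item)


def rpm_vercmp(a, b):
    """rpmvercmp-style compare of VERSION[-RELEASE]: version first, then release; numeric
    runs compare as integers and beat alphabetic runs; more runs wins on a tie. -1/0/1."""
    for x, y in zip(a.partition("-")[::2], b.partition("-")[::2]):
        sx, sy = re.findall(r"\d+|[A-Za-z]+", x), re.findall(r"\d+|[A-Za-z]+", y)
        for p, q in zip(sx, sy):
            if p == q:
                continue
            if p.isdigit() and q.isdigit():
                return (int(p) > int(q)) - (int(p) < int(q))
            return 1 if p.isdigit() else -1 if q.isdigit() else (p > q) - (p < q)
        if len(sx) != len(sy):
            return (len(sx) > len(sy)) - (len(sx) < len(sy))
    return 0


def parse_rpm_qa(text):                      # 'NAME VERSION-RELEASE' lines -> {name: ver-rel}
    return dict(line.split() for line in text.splitlines() if line.strip())


def check_release(qsb, release, installed):
    """(package, installed_version, verdict) per QSB item; verdict ok/OUTDATED/MISSING."""
    out = []
    for item in parse_patching(qsb).get(release, []):
        name, required, is_prefix = parse_item(item)
        hits = sorted(n for n in installed if (n.startswith(name) if is_prefix else n == name))
        if not hits:
            out.append((name, "-", "MISSING"))
        for n in hits:
            verdict = "ok" if rpm_vercmp(installed[n], required) >= 0 else "OUTDATED"
            out.append((n, installed[n], verdict))
    return out
```

In a real run the bulletin text would arrive via the `qvm-run --pass-io` channel the original poster mentions and the inventory from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` in dom0; `check_release(text, "4.0", inventory)` then yields one row per package. Since the value of using QSBs as the reference is that they are signed, verify the bulletin's signature before it is parsed, and treat any item that `parse_item` rejects as a reason to stop and show the raw text rather than to guess. Note also that the check only knows about the one bulletin it is given, and that prefix matching on a family name like "xen" will also sweep in packages the bulletin may not have meant.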

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1074ec2f-3146-f1d6-7c73-6aaefdafd200%40qubes-os.org.