[qubes-devel] Qubes OS 4.0-rc3 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear Qubes Community, We're pleased to announce the third release candidate for Qubes 4.0! Our goal for this release candidate is to improve the stability and reliability of Qubes 4.0, so we've prioritized fixing known bugs over introducing new features. Many of the bugs discovered in our [previous release candidate][rc2-announcement] are now resolved. A full list of the Qubes 4.0 issues closed so far is available [here][closed-issues]. As always, we're immensely grateful to our community of testers for taking the time to [discover and report bugs]. Thanks to your efforts, we're able to fix these bugs *before* the final release of Qubes 4.0. We encourage you to continue diligently testing this third release candidate so that we can work together to improve Qubes 4.0 before the stable release. Current users of Qubes 4.0-rc2 can upgrade in-place by downloading the latest updates from the testing repositories in both [dom0][dom0-testing] and [TemplateVMs][domU-testing]. Further details, including full installation instructions, are available in the [Qubes 4.0 release notes][release-notes]. The new installation image is available on the [Downloads] page. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2017/11/27/qubes-40-rc3/ [rc2-announcement]: https://www.qubes-os.org/news/2017/10/23/qubes-40-rc2/ [closed-issues]: https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+milestone%3A%22Release+4.0%22+is%3Aclosed [discover and report bugs]: https://www.qubes-os.org/doc/reporting-bugs/ [dom0-testing]: https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories [domU-testing]: https://www.qubes-os.org/doc/software-update-vm/#testing-repositories [release-notes]: https://www.qubes-os.org/doc/releases/4.0/release-notes/ [Downloads]: https://www.qubes-os.org/downloads/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJaHC81AAoJENtN07w5UDAwRk0QALTnXVP1O7F/Wl+7sl8Gs4Gp 2MYaTsTNxP/TtnnBERlZDTwshfzVjqkGPyY4bjyZFOaIYWhhQvmJev1M+QJJElUQ p2Qt6/5G+VGelOZx8vDM76TgqbhbeZh6lT3KjczbitQJcG6qQs8PO3VCZOEWuTwG SlR6MyvfGVDO5g/8+aAnq4AuRrHVyuqxeIDzaMA9iuli4/XDzbqIGkZB1tZtz11m Wm68ivZ5kpR67M+2mSWme6iem2sATF6uIRysYI8sK6aqhtpZSFQKdc+mTUNlzu9d 2EZDnHlAeENyGgQOHgw5/PMG/zCM+riIeGdtmOynyBqaLSjHa6WQmm8SEWPCVlLS bjHU6LFgpmHhhfaZVDg4OYAU0AvIkDcOTHUcPiAOSApILUi5JpPxfCnkURrWEGeK s56S8cTU49+bBbnxYw/TDLhrkRLP5KVWpIsIoGUgPHqQVRA5wmtrELELa+c1gX1u Ai7MHQcO2JvJhcAAFqepxgC2aVWvaZAK0e6+HZN4QefN1luOx9H/alaXBSgSBcKd URGlScGlo56u/PyO2r9qeU+0UxfzGAqq20xyTTX+Go4Dt05b2pcJTQ7PdQsmi5TV uaqKiB+0mw3DGCWqwpzEFZj2vaxYle6hRBTd1f6aCZtDMGFYjHdvfSpBZhtKB2BX nTUdBjzILE0yXi9ty5pM =akky -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/bceddf94-e96e-c9fa-59ee-ab80cc3a0d30%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to
On Saturday, 25 November 2017 09:03:42 UTC+8, Leo Gaspard wrote: > On 11/24/2017 08:27 AM, Elias MÃ¥rtenson wrote: > > The attack scenario you describe just doesn't seem as serious to me as > > it does to you. This > > scenario would involve a rogue application calling qubes-gpg-client to > > attempt to sign some > > data, and somehow manage to trick me into accepting the request. > > I believe the threat Jean-Philippe is describing is something like: > * You use an untrusted VM to perform some GPG operation > * However it was infected and something was waiting for you to accept this > * This something can now perform any GPG operation they want during > 300s using your secret keys Yes. I don't think we're in disagreement about the thread model. Even in the case you're describing I would still know that something is singing things on my behalf as every signing operation will display a notification. That said, the 300s unlock time isn't particularly beneficial to me, and I will probably set it to something significantly lower, like 1 second or even 0. Regards, Elias -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/db84bdfd-48e8-44f9-9645-1bf0a8a5d761%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.