Apr 14, 2024, 13:38 by
skydi...@gmail.com:
> Interesting topic. I tried to use QWT long ago and, fortunately, didn't worked so since the very beginning I got used to use safer ways to copy files from my Windows to other qubes (I prefer not to give details here). In the last two years I have been tempted to debug what was happening with my QWT and trying to install them, but I always got a "feeling" that having those drivers was not a good idea. "Happy" to see I was right...
>
> I think the current protocols for Windows drivers are not trustable thus I'll keep not installing them. Some bullet proof protocol should be created, otherwise it is impossible to get any trust. And this protocol must NOT depend on M$ nor on Qubes (wonderful) team. Something else.
>
>
>
> El dom., 14 abr. 2024 12:15, Gerhard Weck <>
gerhard...@gmail.com> > escribió:
>
>> I think, here a word of caution is appropriate regarding the use of Microsoft-signed keys. As a >> current CISA report <
https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf>>> shows, there have been severe security breaches in the Microsft environment, and they are still continuing, as Microsoft does not seem able to kick the Russian Midnight Blizzard hackers out of its network. For this reason, one should not, security-wise, put too much (any?) trust into Mircosoft signatures of crypto keys, while, concerning QWT, their use is clearly convenient, as it removes the need for running Windows qubes with test-signing enabled.
>>
>> But apart from that, I would trust the security management of Qubes itself much more, where the philosophy is based on not trusting the infrastructure, checking the code by the developers themselves and possibly by the community, and not relying on the security of some external agent.
>>
>> Andrew David Wong schrieb am Sonntag, 14. April 2024 um 10:14:20 UTC+2:
>>
>>> On 4/13/24 8:56 AM, jmake2 via qubes-devel wrote:
>>> > [...]
>>> >
>>> > So, am I getting it right that QWT is not deprecated? I was afraid for a moment.
>>>
>>> As stated in the QSB, the developers are still working on QWT, so it is not deprecated.
>>>
>>> > As it was discussed previously, the QWT package can be build from secure and available sources and put to R4.2+ repos with different signatures, including secure self-signed but not Microsoft-approved key. Requirement to allow self-signed drivers is not perfect, but still a way better solution than current situation, to my understanding.
>>> >
>>> > [...]
>>>
>>> I believe this is the relevant issue:
>>>
>>>
https://github.com/QubesOS/qubes-issues/issues/9019
>>>
> I think the current protocols for Windows drivers are not trustable thus I'll keep not installing them. Some bullet proof protocol should be created, otherwise it is impossible to get any trust. And this protocol must NOT depend on M$ nor on Qubes (wonderful) team. Something else.
There is no issue with the protocol, security of the Qubes OS (dom0 and other qubes), sources of the Xen drivers or something else, please read QSB. The problem is only with the packaging system of Xen, it could have been compromised and the resulting binaries are less reliable. Otherwise there is no need to avoid QWT as a project, it still provides user great experience of both file copying and clipboard bidirectional access.
Back to the topic, is it possible or preferable to postpone R4.1 EOL until
https://github.com/QubesOS/qubes-issues/issues/9019 is completed (in one way or another), and the QWT be returned to the system?