4) From the trust point of view, do you prefer to build binaries from the sources?
because (hypothetical reason):
a) distributed binaries are not signed
b) to make sure the software is linked to trusted libraries only
Vít Šesták
Apr 2, 2017, 3:19:35 AM
to qubes-users
When I install something from a tarball, I try to minimize processing the software in the particular TemplateVM. I try not to run any script from it. Even unpacking is a potential threat (in case of a vulnerability in the unpacker). This is also the reason why I don't prefer compilation from source.
Maybe a DVM could resolve some of those problems. Unfortunately, this is going to be slow if the DVM is based on the currently running template. Qubes 4 will have redesigned DVMs that seem to avoid this issue.