Installation from a tarball: any Qubes OS particulars?
17 views
Skip to first unread message
David Shleifman
Apr 1, 2017, 11:02:39 PM4/1/17
to Qubes-users
Are there any guidelines (specific to Qubes OS) on installation from a tarball?
I am asking since the guidelines for installing software
https://www.qubes-os.org/doc/software-update-vm/#installing-or-updating-software-in-the-templatevm
assume existence of rpm or deb packages. They do not shed light on the installation
from a tarball. It is not clear, whether any extra steps should be taken.
I wonder how people cope with this situation. For instance:
1) Do you vet the software installer code before running it?
(see https://www.qubes-os.org/doc/software-update-vm/#notes-on-trusting-your-templatevms)
2) Do you update the list of available applications in dom0?
(see https://www.qubes-os.org/doc/managing-appvm-shortcuts/#what-if-my-application-has-not-been-automatically-included-in-the-list-of-available-apps)
3) Do you assemble RPM (from a tarball) to avoid the hassles 1) and 2) ?
4) From the trust point of view, do you prefer to build binaries from the sources?
because (hypothetical reason):
a) distributed binaries are not signed
b) to make sure the software is linked to trusted libraries only
I am asking since the guidelines for installing software
https://www.qubes-os.org/doc/software-update-vm/#installing-or-updating-software-in-the-templatevm
assume existence of rpm or deb packages. They do not shed light on the installation
from a tarball. It is not clear, whether any extra steps should be taken.
I wonder how people cope with this situation. For instance:
1) Do you vet the software installer code before running it?
(see https://www.qubes-os.org/doc/software-update-vm/#notes-on-trusting-your-templatevms)
2) Do you update the list of available applications in dom0?
(see https://www.qubes-os.org/doc/managing-appvm-shortcuts/#what-if-my-application-has-not-been-automatically-included-in-the-list-of-available-apps)
3) Do you assemble RPM (from a tarball) to avoid the hassles 1) and 2) ?
4) From the trust point of view, do you prefer to build binaries from the sources?
because (hypothetical reason):
a) distributed binaries are not signed
b) to make sure the software is linked to trusted libraries only
Vít Šesták
Apr 2, 2017, 3:19:35 AM4/2/17
to qubes-users
When I install something from a tarball, I try to minimize processing the software in the particular TemplateVM. I try not to run any script from it. Even unpacking is a potential threat (in case of vulnerability in the unpacker). This is also the reason why I don't prefer compilation from source.
Maybe DVM could resolve some of those problems. Unfortunately, this is going to be slow if the DVM is based on the currently running template. Qubes 4 will have redesigned DVMs that seem to avoid this issue.
Regards,
Vít Šesták 'v6ak'
Maybe DVM could resolve some of those problems. Unfortunately, this is going to be slow if the DVM is based on the currently running template. Qubes 4 will have redesigned DVMs that seem to avoid this issue.
Regards,
Vít Šesták 'v6ak'
Reply all
Reply to author
Forward
0 new messages