most secure way to add repo to template


Eva Star

Dec 23, 2016, 6:14:32 PM
to qubes-users
Hello,

What is the "right" way to add other repositories than RPMFusion to
template?

Do I need to disable Qubes Firewall, then download *.repo file with curl
and add it with sudo dnf install newrepofile.repo?
Or some other better and more secure way available?


--
Regards

Eva Star

Dec 23, 2016, 6:25:52 PM
to qubes...@googlegroups.com
And additional question:

warning:
/var/cache/dnf/rpmfusion-free-1f0078b3844b9b8a/packages/vlc-3.0.0-0.1.fc24.x86_64.rpm:
Header V4 RSA/SHA1 Signature, key ID b7546f06: NOKEY
Importing GPG key 0xB7546F06:
Userid : "RPM Fusion free repository for Fedora (24)
<rpmfusion...@lists.rpmfusion.org>"
Fingerprint: 55E7 903B 6087 98E4 EC78 64CD 9F63 8721 B754 6F06
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-24
Is this ok [y/N]:


IS IT OK? What to do?


--
Regards

01v3g4n10

Dec 23, 2016, 8:34:18 PM
to qubes-users, eva...@openmailbox.org

I created a clone of my fedora-24 template and called it fedora-24-plus and then issued the following commands inside that template. Whether or not you create a clone depends on your trust of RPM Fusion.
sudo dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree
sudo dnf upgrade --refresh

https://www.qubes-os.org/doc/software-update-vm/

Andrew David Wong

Dec 24, 2016, 12:40:57 AM
to 01v3g4n10, qubes-users, eva...@openmailbox.org

On 2016-12-23 17:23, '01v3g4n10' via qubes-users wrote:
> On Friday, December 23, 2016 at 11:14:32 PM UTC, Eva Star wrote:
It would be safer just to create the .repo file manually yourself in
/etc/yum.repos.d/

> I created a clone of my fedora-24 template and called it
> fedora-24-plus and then issued the following commands inside that
> template. Whether or not you create a clone or not depends on your
> trust of RPM Fusion.
>
> sudo dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree
> sudo dnf upgrade --refresh
>
> https://www.qubes-os.org/doc/software-update-vm/
>

Eva is asking about repos *other than* RPMFusion.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Andrew David Wong

Dec 24, 2016, 12:43:19 AM
to Eva Star, qubes...@googlegroups.com

Looks like the key is already in your TemplateVM (see the "From" line),
so it should be fine. IIRC, the key is included in the TemplateVM before
it ships. But, it doesn't hurt to check the fingerprint via out-of-band
and/or multi-band channels (e.g., on the website itself and via search
engines via multiple Tor circuits, VPNs, etc.).

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Eva Star

Dec 24, 2016, 6:53:36 AM
to qubes...@googlegroups.com
On 12/24/2016 08:43 AM, Andrew David Wong wrote:

>
> Looks like the key is already in your TemplateVM (see the "From" line),
> so it should be fine. IIRC, the key is included in the TemplateVM before
> it ships. But, it doesn't hurt to check the fingerprint via out-of-band
> and/or multi-band channels (e.g., on the website itself and via search
> engines via multiple Tor circuits, VPNs, etc.).
>


Thanks as always :)

What about the first question: "How to add new repo securely"?


--
Regards

Eva Star

Dec 24, 2016, 6:56:11 AM
to qubes...@googlegroups.com
On 12/24/2016 08:40 AM, Andrew David Wong wrote:

>
> It would be safer just to create the .repo file manually yourself in
> /etc/yum.repos.d/
>
Got it. Thanks. Maybe add it to the docs near the paragraph on "how to add
RPMFusion"?

--
Regards

Andrew David Wong

Dec 24, 2016, 7:02:41 AM
to Eva Star, qubes...@googlegroups.com

But that repo is already included in the default (main, full) Fedora
template. You just have to enable it.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Eva Star

Dec 24, 2016, 7:52:13 AM
to qubes...@googlegroups.com
On 12/24/2016 03:02 PM, Andrew David Wong wrote:

>
> But that repo is already included in the default (main, full) Fedora
> template. You just have to enable it.
>

I suggest adding a paragraph to the docs about "How to add other repos (not
included in the default main template)"


--
Regards

raah...@gmail.com

Dec 24, 2016, 4:43:29 PM
to qubes-users, eva...@openmailbox.org

Well, just make sure that it checks for the key, or add the key, hopefully gotten from a couple of different domains than the rpm.
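
Added example, not part of any post in this thread: a small shell audit for a hand-written file in /etc/yum.repos.d/ (the approach suggested earlier) that checks the point made just above, namely that the repo actually enforces a key. The repo id, URLs and key path are constructed placeholders.

```shell
# audit_repo FILE: print one finding per line for enabled repo sections whose
# settings weaken package verification. No output means nothing was flagged.
audit_repo() {
    awk '
    function report() {
        if (sec == "" || enabled == "0") return
        if (gpgcheck !~ /^(1|yes|true)$/)
            print sec ": gpgcheck not explicitly on (falls back to [main] in dnf.conf)"
        if (gpgkey == "") print sec ": no gpgkey set"
        else if (gpgkey ~ /(http|ftp):\/\//) print sec ": gpgkey fetched over plaintext"
        if (plain_url) print sec ": repository URL is plaintext http/ftp"
    }
    /^[ \t]*([#;]|$)/ { next }                 # skip comments and blank lines
    /^[ \t]*\[/ {                              # new [section]: report the previous one
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        gpgcheck = ""; gpgkey = ""; plain_url = 0; enabled = "1"
        next
    }
    {
        i = index($0, "="); if (i == 0) next   # split key=value at the first "="
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "gpgcheck") gpgcheck = tolower(v)
        else if (k == "gpgkey") gpgkey = v
        else if (k == "enabled") enabled = v
        else if (k ~ /^(baseurl|metalink|mirrorlist)$/ && v ~ /^(http|ftp):/) plain_url = 1
    }
    END { report() }
    ' "$1"
}

# write_samples DIR: one careful and one careless .repo file (both constructed).
write_samples() {
    cat > "$1/good.repo" <<'EOF'
[example-tools]
baseurl=https://repo.example.org/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-tools
EOF
    cat > "$1/bad.repo" <<'EOF'
[example-tools]
baseurl=http://repo.example.org/fedora/$releasever/$basearch/
gpgcheck=0
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_repo "$tmp/bad.repo"; rm -rf "$tmp"
```

Run it against the file before the template is given network access; a clean result only covers the settings checked here, and the key's fingerprint still has to be compared against an independent source.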

raah...@gmail.com

Dec 24, 2016, 4:53:55 PM
to qubes-users, eva...@openmailbox.org, raah...@gmail.com

You basically just temp allow access to the template, or by IP and protocol. Also, you can add domain names too, if you really want, or just use a dispvm and transfer files after verifying. You can probably dummy install it in the dispvm too if you want.

raah...@gmail.com

Dec 24, 2016, 4:55:57 PM
to qubes-users, eva...@openmailbox.org, raah...@gmail.com

message the dev of the program and ask them for a key too lol

Andrew David Wong

Dec 25, 2016, 4:42:06 AM
to Eva Star, qubes...@googlegroups.com

This is actually distro-dependent, so users should consult the
upstream documentation for the appropriate distro. The procedure
should be the same inside a Qubes TemplateVM of that distro.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
