qubes-builder setup script

[Achim Patzner]

Hi!

Is the setup script for builder.conf in qubes-builder still maintained?
If so, adding fc30 and getting rid of the forced use of the MIT PGP key
server might be necessary. If not: Can it be extended to tell users not
to use it?


Achim

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Sep 13, 2019 at 06:08:39PM +0200, Achim Patzner wrote:
> Hi!
>
> Is the setup script for builder.conf in qubes-builder still maintained?
> If so, adding fc30

In fact, setup script gets it from example-config/templates.conf. Added.

> and getting rid of the forced use of the MIT PGP key
> server might be necessary.

That's a bit trickier. We need some key server, and recently the whole
WoT basically got broken... From what I understand, we are supposed to
use keys.openpgp.org now. But it looks like there is email verification
to upload the whole key (gpg2 doesn't like keys without any UID).
So, I see two options:
- switch to keys.openpgp.org and ask everyone mentioned in
qubes-builder (Patrick in practice) to upload keys there
- distribute keys as files

Patrick, any opinion?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl179g0ACgkQ24/THMrX
1yyEzwf7Bhushm0vMa1aaJ4l/KoTfCgKlaPPrBmJYHokp4gF212avdND2A7D7Z+5
tQgiGjaotZeYMz1GgvnFHCEjaCJbl5iHwj1Ru88GaeVXfYOHCS68h6wbueWUw5DJ
oGRCyi2a2P99AWCIv/nYJTLx1Uo8L/rwJwxB+FWwJIr4ZTLjs3PTQYXjEqUCPp3S
9bOThlTfuo/ok8YO5GyvGalMe5dJ1wV6sbe2QFa4RN0u43gJ9nK0SHNPILVzYpYt
M0BwFW+mBcuedIga0vHNYaonrrVkjO/tKb152SiuybRrSvwiByg274cY5NP6M8rZ
kERFd02FU9fYDfoGABCtK6gNGuuZzA==
=N7gE
-----END PGP SIGNATURE-----

[Conor Schaefer]

On 9/13/19 1:03 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Fri, Sep 13, 2019 at 06:08:39PM +0200, Achim Patzner wrote:
>> Hi!
>>
>> Is the setup script for builder.conf in qubes-builder still maintained?
>> If so, adding fc30
>
> In fact, setup script gets it from example-config/templates.conf. Added.

Thanks for requesting clarification here, Achim. I've often been
confused about which config files are the appropriate ones to modify
when building Qubes templates. Great to have clarity.

>
>> and getting rid of the forced use of the MIT PGP key
>> server might be necessary.
>
> That's a bit trickier. We need some key server, and recently the whole
> WoT basically got broken... From what I understand, we are supposed to
> use keys.openpgp.org now. But it looks like there is email verification
> to upload the whole key (gpg2 doesn't like keys without any UID).
> So, I see two options:
> - switch to keys.openpgp.org and ask everyone mentioned in
> qubes-builder (Patrick in practice) to upload keys there
> - distribute keys as files

For what it's worth, we're undergoing a similar transition, encouraging
team members to to use the "hagrid" keyserver at keys.openpgp.org,
including the verification workflow. The transition introduces a bit of
friction, sure, but given the reliability concerns with the old
architecture, it's by far the best option available.

-Conor

[Simon Gaiser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Marek Marczykowski-Górecki:

> On Fri, Sep 13, 2019 at 06:08:39PM +0200, Achim Patzner wrote:
>> Hi!
>
>> Is the setup script for builder.conf in qubes-builder still maintained?
>> If so, adding fc30
>
> In fact, setup script gets it from example-config/templates.conf. Added.
>
>> and getting rid of the forced use of the MIT PGP key
>> server might be necessary.
>
> That's a bit trickier. We need some key server, and recently the whole
> WoT basically got broken... From what I understand, we are supposed to
> use keys.openpgp.org now. But it looks like there is email verification
> to upload the whole key (gpg2 doesn't like keys without any UID).
> So, I see two options:
> - switch to keys.openpgp.org and ask everyone mentioned in
> qubes-builder (Patrick in practice) to upload keys there
> - distribute keys as files

Given that the resent events were mostly triggered by the fact that the
key import of GnuPG is, let's say, a bit brittle, I think we should
include the complete keys.

Of course this has the downside that you need to remember to update
them. OTOH this is just qubes-builder so the fallout of forgetting this
should be rather small.

Simon
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3E8ezGzG3N1CTQ//kO9xfO/xly8FAl17/noACgkQkO9xfO/x
ly+oPg/9F2+MHlLlFCXI85tFXc5G/g9otCDua7f8cHV9aaPZxtL0aMWokmsI871I
YnuSeblXS6gdP6tz0Bg6aIabzf6k2tn/nTq0hxT+9H3MDcg7xn3fOtLWIm6C6BQf
4A4U0TAdD1HnhiQfLRgRb7/dESVUZcyseXLOwHyrEJUdHbtcpxFmA6iiXdcDjQuS
THHrYIsgZudMOmLMsqFnJKCPX8lZ/PDQcOWBPd9gqz6F+IQ7ryO12MSmILmgaex8
uoULMAU03EtkAM8s7mxA/uoRrcWo8BN4GNL7yxSwCHVSAJ9kjNnGnU7QSAc2+QZx
YTUJFtOecYEccCpgFVfFZEr5+Gzy5yQmhHaZr2n+xFgYqcvx1NKUfxfgSOA7hC7L
gVQRMZtthmcwyGP+yLfTiUoGvVRytttZsuytCZqWV+hHfZo3hjhX24bbAo956WP2
pE3ns/xk1OSF2kKhHlA1CuPUr/LPpfHwwk4XZwdVCvwxAIwL4FLHUvhk5tKYfU2O
ipjqon6ZjQH346RGMftdXxJ3kt5eN6+4BCF3TkwJg47wW9SKWJMqRfdXCBOQc7di
mY+aVgpuEaVlK1IefqpF5FdOTMcalNM2jkkzWbGIRYOOshdbu/hYRzO9SJDzrzws
T9ephww+SL+ynjiXwnTDo8d2whEl9Bq0I7Jyq03SMmQVOSSkuSA=
=9ZGk
-----END PGP SIGNATURE-----

[Patrick Schleizer]

> Marek Marczykowski-Górecki:
>> On Fri, Sep 13, 2019 at 06:08:39PM +0200, Achim Patzner wrote:
>>> Hi!
>
>>> Is the setup script for builder.conf in qubes-builder still maintained?
>>> If so, adding fc30
>
>> In fact, setup script gets it from example-config/templates.conf. Added.
>
>>> and getting rid of the forced use of the MIT PGP key
>>> server might be necessary.
>
>> That's a bit trickier. We need some key server, and recently the whole
>> WoT basically got broken... From what I understand, we are supposed to
>> use keys.openpgp.org now. But it looks like there is email verification
>> to upload the whole key (gpg2 doesn't like keys without any UID).
>> So, I see two options:
>> - switch to keys.openpgp.org and ask everyone mentioned in
>> qubes-builder (Patrick in practice) to upload keys there
>> - distribute keys as files
>
> Given that the resent events were mostly triggered by the fact that the
> key import of GnuPG is, let's say, a bit brittle, I think we should
> include the complete keys.

Yes, I would suggest to not rely on keyservers for anything.

gpg key import (in Debian buster version) might not be the most robust
for handling untrusted data from keyservers.

Cheers,
Patrick

[Achim Patzner]

On 20190913 at 22:03 +0200 Marek Marczykowski-Górecki wrote:
> On Fri, Sep 13, 2019 at 06:08:39PM +0200, Achim Patzner wrote:
> > Hi!
> >
> > Is the setup script for builder.conf in qubes-builder still maintained?
> > If so, adding fc30
>
> In fact, setup script gets it from example-config/templates.conf. Added.

Ok, next step for you: Build an Arch template 8-).

> > and getting rid of the forced use of the MIT PGP key
> > server might be necessary.
>
> That's a bit trickier. We need some key server, and recently the whole
> WoT basically got broken...

Well, building with qubes-builder setup script is broken right now as
soon as you need a key. The quick fix (removing the command line
options in this script using a specific key server) will help, of
course but if there is no other way: What about publishing all relevant
keys on a web page OR running a Qubes key server and pointing to that
server?

> From what I understand, we are supposed to
> use keys.openpgp.org now. But it looks like there is email verification
> to upload the whole key (gpg2 doesn't like keys without any UID).

I got the keys from any old SKS server after removing the two lines so
that might be a first step.

> - distribute keys as files

I would very prefer that solution. Right now anything having to do with
a PGP key server can take hours.


Achim