python security announcements
83 views
Skip to first unread message
Jean-Philippe Ouellet
Nov 5, 2017, 9:41:41 PM11/5/17
to qubes-devel
To any who may care, I've opened an issue in the Python bug tracker in
the hopes that we might have a guaranteed way of being made aware of
security issues in Python before Qubes users get owned by them.
See here: https://bugs.python.org/issue31953
My hope is that a guarantee of receiving such news means Qubes has a
higher change of making a timely QSB and "update dom0 ASAP!"
announcement if the time ever comes. Many of us follow news in the
security world anyway and might hear of such a potential issue
regardless, but still...
Regards,
Jean-Philippe
the hopes that we might have a guaranteed way of being made aware of
security issues in Python before Qubes users get owned by them.
See here: https://bugs.python.org/issue31953
My hope is that a guarantee of receiving such news means Qubes has a
higher change of making a timely QSB and "update dom0 ASAP!"
announcement if the time ever comes. Many of us follow news in the
security world anyway and might hear of such a potential issue
regardless, but still...
Regards,
Jean-Philippe
Yuraeitha
Nov 10, 2017, 12:51:28 PM11/10/17
to qubes-devel
Please correct me if I'm wrong, but python security issues should only apply for the Qubes Admin, right? and the Qubes Admin only has internet access, if you opt-in to it, correct?
These things are good to know as well, and it doesn't seem to be documented anywhere easy to find yet, albeit I've seen it briefly discussed here and there, but nothing conclusive.
I do not like the idea of having extra attack surface to worry about when I personally do not need the Qubes Admin on my personal machine. Albeit I do think Qubes Admin is an awesome addition to Qubes, as long as it's possible to opt-in or opt-out, and all the security issues that follows goes with it in or out accordingly.
Reply all
Reply to author
Forward
0 new messages