-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2016-12-28 11:11, john.david.r.smith wrote:
>>> this may be a source of errors for some users, or even insecure
>>> (mitm + exchanging the master signing key information on the
>>> website + patching the downloaded image).
>>
>> I know what you mean, but it's worth remembering that the Qubes
>> Master Signing Key fingerprint is supposed to be verified
>> out-of-band/multiband. So, in principle, replacing the key and/or
>> fingerprint only just qubes-os.org shouldn't work as a successful
>> attack vector.
>
>
> the problem is (as you wrote) 'supposed to be verified
> out-of-band'. for some less technical people, even verifying the
> signature is a huge step.
Yes, this is why we go to such great lengths to educate users about
this. Qubes is the sort of system that places ultimate trust in users
to safeguard their own security. There are too many ways for users to
shoot themselves in the feet that we can't prevent. Verifying the ISO
is just the first step, before Qubes is even installed. After Qubes is
installed, just think about how many ways there are for a user to
compromise dom0 or a TemplateVM if they're being reckless. (We try to
mitigate this by cutting off all network access from dom0 and allowing
network access only to the Updates Proxy for TemplateVMs, but there
are still uncountable ways to harm oneself.) Ultimately, Qubes is the
sort of OS where we have to educate users, and users have to be
willing to be educated. It's not the sort of OS where we can always
protect users from themselves.
> i am a fan of providing easily accessible security and using already
> existing infrastructure.
Agreed.
> (in case of the dom0 repo, an ultimately trusted source).
>
(I see that this was clarified in the other subthread.)
> also depending on the situation a mitm could replace the
> fingerprint of different channels, too.
>
The greater the number of alternative channels and the more different
they are (in terms of protocol, form, ownership, control, etc.), the
more difficult it would be for an attacker to replace them all. If a
user is very careful (e.g., checks from multiple computers over
different internet connections, VPNs, Tor circuits, Wi-Fi hotspots,
searches for and checks the fingerprint on webpages, PDFs, photos,
etc.), I think it would be exceedingly difficult even for a nation
state attacker to substitute every instance of the fingerprint that
the user could find on the internet (not to mention meatspace
channels). It would almost surely be easier to mount an attack in
other ways.
>>> also checking signatures manually should be unnecessary since a
>>> package manager is built to do such stuff.
>>>
>>> i would propose to add the qubes-images as packages to the
>>> repos.
>>>
>>
>> Interesting idea. I wonder whether this would count as a misuse
>> of the repos/package manager.
>>
>> One thing is that we'd like to offload most of the traffic to a
>> mirror (e.g., mirrors.kernel.org, as we currently do).
>
> if offloading is not done for isos: add a "qubes-images" repo
> providing the files and host it on your servers.
>
We *do* want to (and currently do) offload most of the ISO-download
traffic onto third-party servers, since they're better able to handle
the load. This is why we provide mirrors.kernel.org as the default
download source for Qubes ISOs.
> if offloading is done for isos: ship the master key with qubes and
> provide a convenience command to the user. this command should
> download (e.g. via torrent) and verify the image (a step the user
> can't do wrong anymore). this command could spawn a dispvm,
> install torrent software, load the torrent and copy it to dom0.
> from there the user could qvm-copy it to the vm with the install
> medium.
>
This is a different proposal, and it would be a much larger
undertaking. It's certainly not something that the core Qubes devs
have time to do, so it would have to be a community-developed feature.
Would you like to take this project on?
>>> maybe you could get other official repos to add them, too.
>>> (debian (+ubuntu), fedora and arch should reach a significant
>>> portion of the linux users)
>>
>> Another interesting idea. I've never heard of a distro adding a
>> different OS's ISO as a package of their own, though.
>
> asking can't hurt.
>
Well... why don't you ask them, then? :)
After all, Qubes is free and open-source software. You don't need our
permission to distribute it. :)
iQIcBAEBCgAGBQJYZCMdAAoJENtN07w5UDAwBSMP/jhfnxe9QGFU4JzCyuoLtKHK
XfUAPibLUeSmum0lL0UpV9y3+v0gk0aKMVIXz4emthUSLjHgyTA8NmMzzqPXDl2g
YQQ0geO6aHgKNi2EM7V0ga/+o1jM96eS1DOzTEhvgcICBx14NpCG9E0zMs6NyS0n
n+nhqvp3/+sislXnTdVD71jWyfPTwIvubg3hHtle0ly5i+9iMb5nd0X7DCZy4Kga
1/OD6G4Ijpg5hRV6nJMYrrzh6vQX+E17M6dLNfddFXFJbiQZBTJYZvVnFS74uL86
8mUNzRoAK+c+nCmM09Rd+EKQktrmVn4TLm3bRas9aVNsq/iSr8v9lAVRqEM44I63
Rtq6XrAKav636VMjGB2us/Ffgk5NO1KjVBdu3xFj7okMw0pAL7JgIGnOHEZ5Golb
2nrPwsd5wVkJHxW1BZQ79wbd5Mlj76WOcWxZ2mAh8wSDqm7B16VJBaICVCY98K5L
KBnlfBq4UPGKFhFuVwQzqZCD0ksLc8Ph9s4rkDCpWzzZ0n9yt9wyTYoU/tbg724V
ap0IjLySTUzQtZ9gIWFfJxP151c1reroWwbIZ2/ePjhVkd9ye6iHet/blGomhuUO
3GOoCx1t9+KvLvBl6ejnBghHNXikGUOGZgOoIfHOBu2+PreE7F4MYeWEYEBpK60B
YDIth+4aNjRZY1naN+EC
=2Nfe
-----END PGP SIGNATURE-----