fedora warning
110 views
Skip to first unread message
haaber
May 26, 2018, 3:55:17 AM5/26/18
to qubes-users
I just installed f27 in ins full and minimal template on Q4.0 from the
repos. When installing extra packages (for example sys-net tools) in
f27-minimal the download works, BUT checksums fails. The point is that
fucking dnf ignorantly installs the packages anyhow without putting any
questions. Result: such a tempate is compromised right from the
beginning, I will have to delete it without ever running it.
The warning to all users is to NEVER run unattended (say, scripted)
updates on fedora based templates since apparently they give a shit on
security.
For me this drastically increases the motivation to compile a
debian-minimal and kick out all fedoras (with the sad exception of dom0).
Bernard
repos. When installing extra packages (for example sys-net tools) in
f27-minimal the download works, BUT checksums fails. The point is that
fucking dnf ignorantly installs the packages anyhow without putting any
questions. Result: such a tempate is compromised right from the
beginning, I will have to delete it without ever running it.
The warning to all users is to NEVER run unattended (say, scripted)
updates on fedora based templates since apparently they give a shit on
security.
For me this drastically increases the motivation to compile a
debian-minimal and kick out all fedoras (with the sad exception of dom0).
Bernard
awokd
May 26, 2018, 7:23:21 AM5/26/18
to haaber, qubes-users
On Sat, May 26, 2018 7:55 am, haaber wrote:
> I just installed f27 in ins full and minimal template on Q4.0 from the
> repos. When installing extra packages (for example sys-net tools) in
> f27-minimal the download works, BUT checksums fails. The point is that
> fucking dnf ignorantly installs the packages anyhow without putting any
> questions. Result: such a tempate is compromised right from the
> beginning, I will have to delete it without ever running it.
Are you sure the checksum failure isn't triggering dnf to re-download the
> I just installed f27 in ins full and minimal template on Q4.0 from the
> repos. When installing extra packages (for example sys-net tools) in
> f27-minimal the download works, BUT checksums fails. The point is that
> fucking dnf ignorantly installs the packages anyhow without putting any
> questions. Result: such a tempate is compromised right from the
> beginning, I will have to delete it without ever running it.
package, until it gets one that doesn't fail? Agree in general though,
Fedora's distribution security has always lagged behind other distros
because they want people to buy Red Hat.
Andrew David Wong
May 26, 2018, 8:28:56 AM5/26/18
to haaber, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Checksums are only for integrity, not authenticity. For security, PGP
signature checking is what matters.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlsJUvwACgkQ203TvDlQ
MDA+QxAAyhbtSlB3JE+65GemYZZvj3eteJrBVLa6PX5Yjg5h7QqO0pIxsTcKKk15
UiaGE/xgLz0stKDlpB0Opx5hPpqjo1/pkHYsJDabsXmAz5Z5cxl/2ByH7yW8nITM
ubIr3wB2I+mgZb5lNQe+m4jdYT8MQspDJFCmy/Y6ba83K4XL/qTcik6R43NxTM2e
UrDfb9IDKhJntu3OfOB+0GpyJfnJ+ofh61gXafnrubM1nzFE+YUp+600838wHZXi
vK05B4meJSWGrMI+Bws2VWQtBKADR1/OYXdazWMsYD9YkRB9hHb9iQ8EvEGlWfYP
dxVp6ec2Tld8y1NnLa3nRg0Umywvdae8f4NfAMOuw7P+ISuZ4eqiYYItZ2oE9zvN
sl1jaxTV52S7Ig/rDQ49W0pshLWoexuhzDIGLHXaYvcMbcvktveawkmOFT9u7VGz
MwIBXQn7L9d3ZOAYUxio4hxJnSJLk2IqAfHVO4m4hjhv937as6dYyJQf7UcylnDO
+mA9nCnd18j122w6kO6oqRn3T0j3+gE8f447MQi21fpoZVHg9JCXme4JGvtaLtQr
tu3+jG8LFgP7xjfhoXgaEYqYMNa1NSZCCXbqwTwwV7hq5xiMc/EldhVDTPIJ9Iw2
lGOsxeJBwuwRG//XIqDGf3dQek0DCQTr7K4JMos4i5MeBaoxbmo=
=muOy
-----END PGP SIGNATURE-----
Hash: SHA512
signature checking is what matters.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlsJUvwACgkQ203TvDlQ
MDA+QxAAyhbtSlB3JE+65GemYZZvj3eteJrBVLa6PX5Yjg5h7QqO0pIxsTcKKk15
UiaGE/xgLz0stKDlpB0Opx5hPpqjo1/pkHYsJDabsXmAz5Z5cxl/2ByH7yW8nITM
ubIr3wB2I+mgZb5lNQe+m4jdYT8MQspDJFCmy/Y6ba83K4XL/qTcik6R43NxTM2e
UrDfb9IDKhJntu3OfOB+0GpyJfnJ+ofh61gXafnrubM1nzFE+YUp+600838wHZXi
vK05B4meJSWGrMI+Bws2VWQtBKADR1/OYXdazWMsYD9YkRB9hHb9iQ8EvEGlWfYP
dxVp6ec2Tld8y1NnLa3nRg0Umywvdae8f4NfAMOuw7P+ISuZ4eqiYYItZ2oE9zvN
sl1jaxTV52S7Ig/rDQ49W0pshLWoexuhzDIGLHXaYvcMbcvktveawkmOFT9u7VGz
MwIBXQn7L9d3ZOAYUxio4hxJnSJLk2IqAfHVO4m4hjhv937as6dYyJQf7UcylnDO
+mA9nCnd18j122w6kO6oqRn3T0j3+gE8f447MQi21fpoZVHg9JCXme4JGvtaLtQr
tu3+jG8LFgP7xjfhoXgaEYqYMNa1NSZCCXbqwTwwV7hq5xiMc/EldhVDTPIJ9Iw2
lGOsxeJBwuwRG//XIqDGf3dQek0DCQTr7K4JMos4i5MeBaoxbmo=
=muOy
-----END PGP SIGNATURE-----
haaber
May 26, 2018, 3:25:29 PM5/26/18
to qubes-users
>> I just installed f27 in ins full and minimal template on Q4.0 from
>> the repos. When installing extra packages (for example sys-net
>> tools) in f27-minimal the download works, BUT checksums fails. The
>> point is that fucking dnf ignorantly installs the packages anyhow
>> without putting any questions. Result: such a tempate is
>> compromised right from the beginning, I will have to delete it
>> without ever running it.
>>
>> The warning to all users is to NEVER run unattended (say, scripted)
>> updates on fedora based templates since apparently they give a shit
>> on security.
>>
> Checksums are only for integrity, not authenticity. For security, PGP
> signature checking is what matters.
@andrew: you are right, but if even checksums are ignored, pgp won't be
> signature checking is what matters.
considered either ... and that IS an issue.
@ awokd (on your question about re-downloads): I hope I was not
complaining based on a misread and I would have liked to verify once
more: too late for this time however, I had deleted the template this
morning right away. I'll re-do it!
Bernhard
Andrew David Wong
May 26, 2018, 6:59:32 PM5/26/18
to haaber, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
On 2018-05-26 14:25, haaber wrote:
>
>>> I just installed f27 in ins full and minimal template on Q4.0
>>> from the repos. When installing extra packages (for example
>>> sys-net tools) in f27-minimal the download works, BUT
>>> checksums fails. The point is that fucking dnf ignorantly
>>> installs the packages anyhow without putting any questions.
>>> Result: such a tempate is compromised right from the beginning,
>>> I will have to delete it without ever running it.
>>>
>>> The warning to all users is to NEVER run unattended (say,
>>> scripted) updates on fedora based templates since apparently
>>> they give a shit on security.
>>>
>> Checksums are only for integrity, not authenticity. For
>> security, PGP signature checking is what matters.
> @andrew: you are right, but if even checksums are ignored, pgp
> won't be considered either
What makes you say that? Is the PGP signature checking somehow
>
>>> I just installed f27 in ins full and minimal template on Q4.0
>>> from the repos. When installing extra packages (for example
>>> sys-net tools) in f27-minimal the download works, BUT
>>> checksums fails. The point is that fucking dnf ignorantly
>>> installs the packages anyhow without putting any questions.
>>> Result: such a tempate is compromised right from the beginning,
>>> I will have to delete it without ever running it.
>>>
>>> The warning to all users is to NEVER run unattended (say,
>>> scripted) updates on fedora based templates since apparently
>>> they give a shit on security.
>>>
>> Checksums are only for integrity, not authenticity. For
>> security, PGP signature checking is what matters.
> @andrew: you are right, but if even checksums are ignored, pgp
> won't be considered either
dependent on the checksum checking in dnf's code?
Anyway, _if_ you're right that dnf is failing to check signatures even
when `gpgcheck=1` is in the repo definition, then this is a critical
security bug that should be reported upstream immediately.
> ... and that IS an issue.
>
> @ awokd (on your question about re-downloads): I hope I was not
> complaining based on a misread and I would have liked to verify
> once more: too late for this time however, I had deleted the
> template this morning right away. I'll re-do it!
>
> Bernhard
>
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlsJ5sYACgkQ203TvDlQ
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
MDBpnA//RDz0E6bysHQoRm/b8kbdv29Zx3PJNPUsdOdHbGa2tGGe3h6hS1F+4v1s
9RXUt23lONmLqOhxKi81S6BVArgZM37mFmf2rqzjd8G4+Dirw8gpisijrY5/AJM/
nx+9bBPXXRPrh/8oR9zBiktuUyrZB1OJPzBwSdi/Ss5Y0Pc3MoCi3ByChA54PsEt
laV/uWql1tJ75ZO3GMnTmdvqN2wFxuHabtQth4iUO3OH4c9okqh9cAo3T9bQvDTa
4/1Xehkz25861sRUqpcDXX5DjV674decIC3uUPXH8F6urml/qwouPJcSE3UPDjdz
WF5uK1400paVj5gPX/WcRi7BHghZ2yz7he2921n52ZlEUXTOAQb3J6iBC6rs7KcM
KdhkVb5jAjqV9fnK8UEtXlYqw8ZbkpelDHqoADfOvgBkC68cfuAZac06BdnxCVb2
qgOZgltuq2Z2u7KaXXD+jFf/jPPNT6QUgQ/OQspwgaQ3474ldGOYWcfSVCVbwBhU
mf1fBBQKXDvy99F89BKVb+VNTTA1tbUVxQ75d/6DJMlkSRX+lFN3LCie9hDP9lzc
9bnLspiPWAWF90tQZIYEVdSvOiJl/4sS/iw3ilszogtj8FD+hNiTGzQPgyuqdUr0
S9FgpB9j4ieteiESDmyr0awNiPh0iWRMaNHH7xltyYaU2HX06RY=
=TVMe
-----END PGP SIGNATURE-----
yre...@riseup.net
May 26, 2018, 7:19:44 PM5/26/18
to qubes...@googlegroups.com
personally, I find the vulgarity doesn't contribute anything, but I'm
not the admin here, so carry friggin on sh*t
not the admin here, so carry friggin on sh*t
Marek Marczykowski-Górecki
May 26, 2018, 7:34:39 PM5/26/18
to haaber, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
dnf warns about failed download (for any reason, including unexpected
checksum), but then retry download from another mirror. If all mirrors
fails then package installation will fail. Example message for such
case:
https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlsJ7wcACgkQ24/THMrX
1yy+zAf+NXlXwb9YOrkp6P4HQQjmQeKSS2roveXErjI9MA6vTUXb72g2KsJUwTHP
UygpzUQqGl1ToAnILaImuPmIFdo2R+7qTnpHurbYpnk76foaK2sDEWixIMsQM9AD
zmwkkm3NlI3DUX3siagCkBsVE8AwBEX8pIR6pvx4+Glncu70HFBiU84g3dcsqEp0
1HkHUJhIi0f/v1A6/jgkRkhBp7xFl5EfqAN7xSJgiUTeSDoVOeavPRPGT/Oh2yKJ
I7Pw3EuaEdQynrjJLrLDCmvHJrpprorjFGuQjzGkMnEP7T+1qQSuhMSbViqKQScN
de4CBtdaBwbF5ZLWHDPIIsXakKFJxg==
=8fqT
-----END PGP SIGNATURE-----
Hash: SHA256
checksum), but then retry download from another mirror. If all mirrors
fails then package installation will fail. Example message for such
case:
https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlsJ7wcACgkQ24/THMrX
1yy+zAf+NXlXwb9YOrkp6P4HQQjmQeKSS2roveXErjI9MA6vTUXb72g2KsJUwTHP
UygpzUQqGl1ToAnILaImuPmIFdo2R+7qTnpHurbYpnk76foaK2sDEWixIMsQM9AD
zmwkkm3NlI3DUX3siagCkBsVE8AwBEX8pIR6pvx4+Glncu70HFBiU84g3dcsqEp0
1HkHUJhIi0f/v1A6/jgkRkhBp7xFl5EfqAN7xSJgiUTeSDoVOeavPRPGT/Oh2yKJ
I7Pw3EuaEdQynrjJLrLDCmvHJrpprorjFGuQjzGkMnEP7T+1qQSuhMSbViqKQScN
de4CBtdaBwbF5ZLWHDPIIsXakKFJxg==
=8fqT
-----END PGP SIGNATURE-----
haaber
May 27, 2018, 8:30:24 AM5/27/18
to Marek Marczykowski-Górecki, qubes-users
> dnf warns about failed download (for any reason, including unexpected
> checksum), but then retry download from another mirror. If all mirrors
> fails then package installation will fail. Example message for such
> case:
> https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445
>
This is probably be true, but especially on longer download lists
> checksum), but then retry download from another mirror. If all mirrors
> fails then package installation will fail. Example message for such
> case:
> https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445
>
impossible to check even for a patient user (and I guess I am not that
patient :) The point is: re-downloads are not triggered immediately, and
until the requested package arrived (or dl fails), but appear instead
"randomly" somewhere later in the output. This happens sometimes several
screen pages later. Some of these re-downloads re-fail and the procedure
reiterates (I refrain from joining hundreds of lines of actual output
here, to deliver proof of that :) My first post was triggered because I
overlooked in this chaotic output the important successful download
line. This was, I admit, my fault. However, I still argue that if there
is some output, then it should be reasonably verifiable, to my point of
view : (almost) unverifiable outputs may also be sent to /dev/null
directly. Don't you agree on that? Bernhard
cooloutac
May 27, 2018, 10:19:33 AM5/27/18
to qubes-users
It will prompt you for yes or no. But I've found that sometimes I constantly have an update pending arrow showing in qubes-manager cause it might fail to download chrome in fedora template if its repo file not set to https as example when using sys-whonix updatevm.
But user might not notice this since everything else updates.
Reply all
Reply to author
Forward
0 new messages