[prev in list] [next in list] [prev in thread] [next in thread]
List: qubes-devel
Subject: Re: [qubes-devel] Ticket 703: qvm-backup: save backups in AppVM
From: Ángel <qubes () 16bits ! net>
Date: 2017-01-09 19:23:47
Message-ID: 1483989827.1209.30.camel () 16bits ! net
[Download RAW message or body]
Chris Laprise wrote:
> It doesn't really exist either way, does it? A big reason why I'm
> debating the thinking behind this is that its based on a low-quality
> assessment done here:
>
> https://groups.google.com/d/msg/qubes-devel/TQr_QcXIVww/SHLNsoPgWTAJ
>
> That is the whole 'I don't trust GPG' rationale right there. My
> takeaway from it could be that verbose mode gives me super-powers of
> perception with hardly any effort ...or not.
I think this thread digressed too much.
Note that the revived thread deals just with package verification. You
are not dealing with full gpg files. Actually, I would expect the
upstream package manager to use gpgv, not gpg, thus reducing the attack
surface.
Per the man page:
> It is somewhat smaller than the fully-blown gpg and uses a different
> (and simpler) way to check that the public keys used to make the signature are
> valid.
and indeed on a cursory look, it is clear that it handles a only a limited subset of
packets (PKT_SIGNATURE/PKT_ONEPASS_SIG, PKT_PLAINTEXT, PKT_COMPRESSED and \
PKT_GPG_CONTROL), although I agree it is still quite complex. :-(
--
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/1483989827.1209.30.camel%4016bits.net. \
For more options, visit https://groups.google.com/d/optout.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic