[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    Re: [qubes-devel] Ticket 703: qvm-backup: save backups in AppVM
From:       Ángel <qubes () 16bits ! net>
Date:       2017-01-09 19:23:47
Message-ID: 1483989827.1209.30.camel () 16bits ! net
[Download RAW message or body]

Chris Laprise wrote:
> It doesn't really exist either way, does it? A big reason why I'm 
> debating the thinking behind this is that its based on a low-quality 
> assessment done here:
> 
> https://groups.google.com/d/msg/qubes-devel/TQr_QcXIVww/SHLNsoPgWTAJ
> 
> That is the whole 'I don't trust GPG' rationale right there. My
> takeaway from it could be that verbose mode gives me super-powers of
> perception with hardly any effort ...or not.

I think this thread digressed too much.

Note that the revived thread deals just with package verification. You
are not dealing with full gpg files. Actually, I would expect the
upstream package manager to use gpgv, not gpg, thus reducing the attack
surface.

Per the man page:
> It is somewhat smaller than the fully-blown gpg and  uses  a  different
> (and  simpler)  way  to  check  that the public keys used to make the signature are
> valid.

and indeed on a cursory look, it is clear that it handles a only a limited subset of 
packets (PKT_SIGNATURE/PKT_ONEPASS_SIG, PKT_PLAINTEXT, PKT_COMPRESSED and \
PKT_GPG_CONTROL),  although I agree it is still quite complex. :-(


-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/1483989827.1209.30.camel%4016bits.net. \
For more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]