'[qubes-devel] Re: python security announcements'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    [qubes-devel] Re: python security announcements
From:       Yuraeitha <yuraeitha () gmail ! com>
Date:       2017-11-10 17:51:28
Message-ID: 5804fb53-7522-4a4a-84dc-93b85dc5c0fc () googlegroups ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On Monday, November 6, 2017 at 2:41:41 AM UTC, Jean-Philippe Ouellet wrote:
> 
> To any who may care, I've opened an issue in the Python bug tracker in 
> the hopes that we might have a guaranteed way of being made aware of 
> security issues in Python before Qubes users get owned by them. 
> 
> See here: https://bugs.python.org/issue31953 
> 
> My hope is that a guarantee of receiving such news means Qubes has a 
> higher change of making a timely QSB and "update dom0 ASAP!" 
> announcement if the time ever comes. Many of us follow news in the 
> security world anyway and might hear of such a potential issue 
> regardless, but still... 
> 
> Regards, 
> Jean-Philippe 
> 


Please correct me if I'm wrong, but python security issues should only 
apply for the Qubes Admin, right? and the Qubes Admin only has internet 
access, if you opt-in to it, correct? 
These things are good to know as well, and it doesn't seem to be documented 
anywhere easy to find yet, albeit I've seen it briefly discussed here and 
there, but nothing conclusive. 

I do not like the idea of having extra attack surface to worry about when I 
personally do not need the Qubes Admin on my personal machine. Albeit I do 
think Qubes Admin is an awesome addition to Qubes, as long as it's possible 
to opt-in or opt-out, and all the security issues that follows goes with it 
in or out accordingly. 

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/5804fb53-7522-4a4a-84dc-93b85dc5c0fc%40googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


[Attachment #5 (text/html)]

<div dir="ltr"><br><br>On Monday, November 6, 2017 at 2:41:41 AM UTC, Jean-Philippe \
Ouellet wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: \
0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">To any who may care, I&#39;ve \
opened an issue in the Python bug tracker in <br>the hopes that we might have a \
guaranteed way of being made aware of <br>security issues in Python before Qubes \
users get owned by them. <br>
<br>See here: <a href="https://bugs.python.org/issue31953" target="_blank" \
rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F \
%2Fbugs.python.org%2Fissue31953\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBIE7L_UDvruTAcRXFb1xPUAo29Q&#39;;return \
true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fbugs.pyth \
on.org%2Fissue31953\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBIE7L_UDvruTAcRXFb1xPUAo29Q&#39;;return \
true;">https://bugs.python.org/<wbr>issue31953</a> <br>
<br>My hope is that a guarantee of receiving such news means Qubes has a
<br>higher change of making a timely QSB and &quot;update dom0 ASAP!&quot;
<br>announcement if the time ever comes. Many of us follow news in the
<br>security world anyway and might hear of such a potential issue
<br>regardless, but still...
<br>
<br>Regards,
<br>Jean-Philippe
<br></blockquote><div><br><br>Please correct me if I&#39;m wrong, but python security \
issues should only apply for the Qubes Admin, right? and the Qubes Admin only has \
internet access, if you opt-in to it, correct? <br>These things are good to know as \
well, and it doesn&#39;t seem to be documented anywhere easy to find yet, albeit \
I&#39;ve seen it briefly discussed here and there, but nothing conclusive. <br><br>I \
do not like the idea of having extra attack surface to worry about when I personally \
do not need the Qubes Admin on my personal machine. Albeit I do think Qubes Admin is \
an awesome addition to Qubes, as long as it&#39;s possible to opt-in or opt-out, and \
all the security issues that follows goes with it in or out accordingly. \
<br></div></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups \
&quot;qubes-devel&quot; group.<br /> To unsubscribe from this group and stop \
receiving emails from it, send an email to <a \
href="mailto:qubes-devel+unsubscribe@googlegroups.com">qubes-devel+unsubscribe@googlegroups.com</a>.<br \
/> To post to this group, send email to <a \
href="mailto:qubes-devel@googlegroups.com">qubes-devel@googlegroups.com</a>.<br /> To \
view this discussion on the web visit <a \
href="https://groups.google.com/d/msgid/qubes-devel/5804fb53-7522-4a4a-84dc-93b85dc5c0 \
fc%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/ \
msgid/qubes-devel/5804fb53-7522-4a4a-84dc-93b85dc5c0fc%40googlegroups.com</a>.<br /> \
For more options, visit <a \
href="https://groups.google.com/d/optout">https://groups.google.com/d/optout</a>.<br \
/>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic