How often could the rsync script run? (Keeping the time the mirror lags
behind low and not flooding Qubes server.)
There is already an rsync service on ftp.qubes-os.org (which is the same
as yum.qubes-os.org). Exactly for this purpose.
Repository metadata is authenticated anyway, so it shouldn't be a
Not a blocker, but here is why I brought that up:
Yes, repository metadata is authenticated. But with rsync we are taking
something from a "somewhat secure" source (https) and downloading it over an
insecure unencrypted rsync transfer. It would be bad if during that
unencrypted transfer a mitm introduced a malicious modification that
later exploits the metadata verification code in
So I think very long term, an encrypted/authenticated replacement for
rsync is desirable. [No such project exists yet to my knowledge.]
Ideally, packages were uploaded over a secure connection and then
downloaded by the user through an onion service. Then there are fewer
chances for a mitm to try to exploit the metadata verification code. (Only
on the upload and then on the server side.)
I don't understand. If that's about above mentioned onion service, it
shouldn't have anything to do with qubes-os.org nor whonix.org
Files then would be available through
is same whonix.org server).
If that sounds alright, then there is no issue.
One more possible problem - managing sources.list. Onion links need
to be placed there, but the file currently is part of the
qubes-core-agent package, which is a generic package also for
That could be considered a follow up task. For the context of this
Hardening Qubes[-Whonix] thread (which would document how to change
this) it is not a blocker.