How often could the rsync script run? (Keeping the time the mirror lags
behind low and not flooding the Qubes server.)
marmarek:
[quote=“Patrick, post:13, topic:3221”] Technical implementation is
not super simple. It might require support from Qubes. Them
providing rsync access or so. [/quote]
There is already an rsync service on ftp.qubes-os.org (which is the same
as yum.qubes-os.org). Exactly for this purpose.
Great!
[quote=“Patrick, post:13, topic:3221”] Then we could add a brain dead
script that downloads from yum.qubes-os.org to whonix.org server over
unencrypted connection (sorry, that is how rsync and mirroring works
nowadays still). [/quote]
Repository metadata is authenticated anyway, so it shouldn’t be a
problem.
Not a blocker, but here is why I brought that up:
Yes, repository metadata is authenticated. But with rsync we are taking
something from a “somewhat secure” source (https) and downloading it over an
insecure unencrypted rsync transfer. It would be bad if during that
unencrypted transfer a mitm introduced a malicious modification that
later exploits the metadata verification code in dnf.
So I think very long term, an encrypted/authenticated replacement for
rsync is desirable. [No such project exists yet to my knowledge.]
Ideally, packages would be uploaded over a secure connection and then
downloaded by the user through an onion service. Then there are fewer
chances for a mitm to try to exploit the metadata verification code. (Only
on the upload then server side then.)
[quote=“Patrick, post:13, topic:3221”] If the domain name is
supposed to include qubes-os.org, then further help from Qubes would
be required (they modify DNS, point to whonix.org server) and I
could likely use fortasse’s help for that on the whonix.org server
side. [/quote]
I don’t understand. If that’s about the above-mentioned onion service, it
shouldn’t have anything to do with the qubes-os.org or whonix.org
domain, no?
Files then would be available through
If that sounds alright, then there is no issue.
One more possible problem: managing sources.list. Onion links need
to be placed there, but the file is currently part of the
qubes-core-agent package, which is a generic package, also for
non-Whonix.
That could be considered a follow-up task. For the context of this
Hardening Qubes[-Whonix] thread (which would document how to change
this) it is not a blocker.