Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use rpmcanon for dom0 updates #6485

Closed
DemiMarie opened this issue Mar 25, 2021 · 1 comment
Closed

Use rpmcanon for dom0 updates #6485

DemiMarie opened this issue Mar 25, 2021 · 1 comment
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. security This issue pertains to the security of Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@DemiMarie
Copy link

The problem you're addressing (if any)

In the aftermath of QSB#67 it is clear that RPM is not infallible. We should reduce its attack surface as much as possible. Additionally, RPM imports data from package signature headers into the rpmdb, but those headers are not signed.

Describe the solution you'd like

I wrote rpmcanon (part of RPM-Oxide) for canonicalizing RPM packages. This can be used to mitigate much of the attack surface.

Where is the value to a user, and who might that user be?

All users will benefit from the reduced attack surface.

Describe alternatives you've considered

Additional context

QSB#67 was due to bugs in RPM. Using rpmcanon will hopefully mitigate future such bugs.

Relevant documentation you've consulted

Related, non-duplicate issues
@DemiMarie DemiMarie added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Mar 25, 2021
@andrewdavidwong andrewdavidwong added C: other security This issue pertains to the security of Qubes OS. labels Mar 25, 2021
@andrewdavidwong andrewdavidwong added this to the TBD milestone Mar 25, 2021
@conorsch conorsch mentioned this issue Apr 6, 2021
Closed
@DemiMarie
Copy link
Author

This has been shipped quite a while ago, closing.

@eloquence eloquence mentioned this issue May 24, 2023
Closed
3 tasks
@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Jul 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. security This issue pertains to the security of Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DemiMarie @andrewdavidwong