-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Consider publishing optional keyring+sources package on apt repo for 3rd party tooling #2142
Comments
This is a good idea, I like the concept of getting keys in a manner that's signed by an already trusted key. I wonder if we can reuse or benefit from the work done by the |
Oh, that's great :) And might fit in nicely with some of Dangerzone's other recent priorities. Probably something to revisit in September. |
(update: whoops, only saw after posting that @legoktm had already mentioned
So I guess we'd be talking about a kind of like 'trusted by FPF' keyring. It can already be obtained via
However, there was this thread on the Qubes forum, where various solutions to installing signal were proposed, but above all the biggest issue we found was that discoverability is challenging. Even if they install via extrepo or if they can fetch the GPG keyring via the updates proxy like so:
The above is unfortunately not very discoverable because when people want to install an application, the usual instinct is to look it up online on the official website. So personally, even though keyring availability is part of the challenge, I'd actually suggest that we focus on the broader problem installing more Qubes Applications (as Joanna Calls it) / MultiVM applications. This is currently being tracked in QubesOS/qubes-issues#1939 and even though it's focused on distributing salt formulas, I think it should be salt-agnostic in any final solution. Then adding the FPF-built / trusted formulas would just be a click away from creating a Signal VM or a Dangerzone one. For Dangerzone the Qubes install instructions are (painfully) manual. IMO this is the wider challenge. To elaborate a bit more, something to consider is having a journalist workstation, where the architecture is already in said formulas, but one can choose individual packages to install with a click of a button. Having one VM per application is not practical on Qubes, so the formulas would lay bare the architecture for what goes where and what can communicate to what. For example, "dangerzone-converter" would be its own disposable, but the dangerzone client could go in the same template as signal. |
So, I agree with everything you're saying @deeplow and I do see the bigger picture issue, and I agree - automated (one click even?) provisioning of multi-VM environments, and friendly interoperability, is my horizon-level goal. I wouldn't stop at users being able to apt-get install a Signal binary, I'd want one-click VM provisining, RPC policies, inter-vm communication protocol... etc; basically an extensible desktop environment, as we've all alluded to. But since we have so many competing priorities and since those changes are probably a little ways off, what I'm trying to propose here is a 'first step' goal that could serve that broader goal but be something we could do fairly quickly and without a lot of blockers. I don't have strong feelings about what it should be, so I'm glad there's a discussion, but I think my main point was to avoid the pain of key bootstrapping and/or repo bootstrapping if we can, in a way that will set us on the path for all the future work you / we have outlined. |
Description
Background
We don't currently support additional tooling (Signal, Dangerzone, etc) integrated into SecureDrop Workstation, but they are often-requested features and have been discussed as part of our roadmap: freedomofpress/securedrop-workstation#609, sdw readme, freedomofpress/securedrop-workstation#862, freedomofpress/securedrop-workstation#26.
One challenge with getting set up with additional tooling is configuring the (apt/yum) repos and importing signing keys; it's a manual process and could lead to user error (eg: connecting template to a network, rather than downloading in an AppVM and copying to the template, manually configuring a repo list is not super convenient).
Proposal (discussion!)
We could consider hosting a Debian "extras" keyring package on our apt repo, that included the Dangerzone and Signal apt sources info and release signing keys. This would not be a package that we'd install during workstation provisining; and in fact, we could even go so far as to explicitly mark it as
conflicts
with (some of) our own packages. It would be something that users could install optionally on their own if they wanted, but otherwise wouldn't enter into our provisioning logic.Pros:
apt-get install
the extra keyring package, apt-get install the packages they wantCons:
How will this impact SecureDrop users?
How would this affect the SecureDrop Workstation threat model?
User Stories
The text was updated successfully, but these errors were encountered: