Dev/project-news

why

Examples of when project news would have been, and will be, useful.

  • Projects don't have a reliable way to communicate with users. Reliable meaning that 99.9% of users have a chance to actually read important news such as deprecation notices and action needed in case of security issues.
    • Only a fraction of users check news blogs first, let alone subscribe to blogs by RSS.
    • Only a fraction of users sign up to mailing lists.
    • History has shown that Stay Tuned is mostly ignored.
  • apt bugs
  • apt signing key revocation

project news

  • plugin / settings based
  • on your desktop
  • cli users: local mail

apt-listchanges

Why not use apt-listchanges instead?

  • Too technical.
  • Lists changelogs, not news.
  • Does not work in case of apt issues.

subscription channels

  • emergency news only
  • calls for testing
  • all project news
  • ...?

buttons

  • remind me
  • do not show this again

read and process this

https://forums.whonix.org/t/apt-get-upgrading-security-issue-cve-2016-1252/3288/17

read and process this also

https://forums.whonix.org/t/whonix-upgrade-notification/3284

message expiration

(Some) messages (configurable) should only be valid for a certain time.

The Update Framework

https://theupdateframework.github.io/

emergency news signing key security

The emergency notification messages should be signed with a different key than the ones used for repository package signing, old and new.

multi sig

Should use multi sig (key splitting).

The Debian apt signing key is on an official debian.org server. The revocation key is on Debian Developers' (DD) machines (not necessarily offline machines).

They would need at least a 7/12 signature to create the Debian apt signing key revocation certificate.

Source: https://ftp-master.debian.org/keys.html

So by using multi sig and not keeping the emergency news signing key only on DDs' machines, it would be safer than Debian's apt signing key.
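
The message expiration and separate, multi-signed news key described above, as an added example that is not part of the original page or of any Whonix or Debian code: a Go verifier that accepts a news message only if it is unexpired and carries valid signatures from at least 7 of 12 dedicated news keys. The message layout, Ed25519, the fixed demo seeds and the reuse of Debian's 7/12 figure as the threshold are assumptions; it counts independent signatures rather than splitting a single key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"time"
)

// News is a hypothetical emergency-news message; the field names are assumptions.
type News struct {
	Body    string
	Expires time.Time      // signed together with Body (see payload), so it cannot be extended later
	Sigs    map[int][]byte // index into the trusted news-key list -> detached signature
}

func (n News) payload() []byte { return []byte(n.Expires.UTC().Format(time.RFC3339) + "\n" + n.Body) }

// Verify requires an unexpired message and `threshold` valid signatures from distinct trusted keys.
func Verify(n News, trusted []ed25519.PublicKey, threshold int, now time.Time) error {
	if !now.Before(n.Expires) {
		return fmt.Errorf("message expired")
	}
	valid := 0
	for i, sig := range n.Sigs { // map keys are unique, so one key cannot be counted twice
		if i >= 0 && i < len(trusted) && ed25519.Verify(trusted[i], n.payload(), sig) {
			valid++
		}
	}
	if valid < threshold {
		return fmt.Errorf("only %d valid signatures, %d required", valid, threshold)
	}
	return nil
}

// Demo builds 12 constructed keys (fixed seeds, never for real use) and signs with the first `signers`.
func Demo(signers int, now time.Time) error {
	n := News{Body: "constructed sample: apt signing key revoked", Expires: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC), Sigs: map[int][]byte{}}
	var trusted []ed25519.PublicKey
	for i := 0; i < 12; i++ {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		trusted = append(trusted, priv.Public().(ed25519.PublicKey))
		if i < signers {
			n.Sigs[i] = ed25519.Sign(priv, n.payload())
		}
	}
	return Verify(n, trusted, 7, now)
}

func main() { fmt.Println(Demo(7, time.Date(2029, 6, 1, 0, 0, 0, 0, time.UTC))) }
```

The trusted list here would contain only the news keys, never the repository package signing keys, so a compromise of either set does not let an attacker speak for the other.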

/etc/emergency-news.d

The code for downloading the emergency news should be configurable.

Download the emergency news files from:

  • version 1 - download from clearnet web servers
  • version 2 - optionally download from onion web servers
  • version 3 - optionally download from Freenet, or something else that implements a defense against permanent takedown attacks

distribution plugins

  • Debian, Qubes, Ubuntu, Whonix

application plugins

Should application packages be allowed to use this mechanism also?

Distributions should be able to disable applications pushing news.

annoyance

Should guard against users' fear of annoying spam messages on their desktops.

speak generally

Do not speak specifically about DDs, since derivative distributions would handle this similarly by adding their distribution-specific configuration file drop-in.

test cases

  • multiple notifications at once

message format

Text only? Clickable hyperlinks? HTML, oh well? Security?

project name

project-news is the proposed package name and project name. It is not fixed. We can still discuss this at Whonix ™ and should leave this open during publication of this concept.

Proposal

TODO:

  • Take any of the above bullet points one by one and convert those into a good wording that can be posted on the debian-devel mailing list.

alternative package managers

Sponsors

  • Should ask the Core Infrastructure Initiative once the concept is ready.
