Erik Moeller

Results 314 comments of Erik Moeller

@conorsch @creviera I'm wondering if we can do more in terms of how we ship the grsec package(s) and declare their dependencies to clean up old kernels after each update....

Superseded by #965?

See also https://github.com/freedomofpress/securedrop-client/issues/1182 for a similar idea to implement system alerts in the client app. Given that security alerts could potentially be triggered anywhere in the system, keeping this issue...

(Tracked as epic; we'll likely want to identify a consistent approach across the board and then enumerate all calls that should be updated.)

The following flow chart describes the _current_ SecureDrop Workstation preflight updater behavior: ![Screenshot from 2023-06-08 10-40-18](https://github.com/freedomofpress/securedrop-workstation/assets/213636/024a7184-dda0-4fe6-a97b-46baf8151478) [view/edit](https://mermaid.live/edit#pako:eNqVlMlu2zAQhl9lwFwlIHGXxCpQwPGSpE2BoG57iXqgxZFNmCJVkqorBHn3jijKRg5ddNJo5uM_C5cnVhiBLGNby-sdfLnONYDzrUKYQWGUsdlG8WKfQCmVys6m06KYTjto9piztefWQ1MbDY1DC8pspc7Z9xCHNIWc3ZUUF9yjA17XSqKAg_Q7qUFx5-EKdqaxLmdEv4dr0rznjS52sMaisbiwpoY5rdL-j7LaeLBYEKLaIUfUm5PeytgCgevIW7DNUKJrNn3bHfc1hj8fw4ujF4SpzqN3Sd4ZZWmDE9ZceRpYV0kEVo-hvEqStpc0mlLxLUgHDn3SZQcnDikXFc0gTbuC27jy5pTw2ycHPyUP8jF6S9EHtKWxFYWp5Y0xfkh6F3bDWIxtQoWek8HB6FRItx96CnNZhkaCuQolB_Mm1BDM25AwmHediVp0n_lx-KH3YQcOSHlfTv4D1bPUZT_7WGss4SSiTYzQ50cjLZ0NYwdX3bd6VPz477NxUua6BbTW2Lj4vpudldr3XpqOc3yLCfURzo_6u7CSer8Ol-Kc9tqaPWZnEyzE5UXS_6YHKfwum9S_3r3kL0byk5H8q5H865H8m5H825H85Uj-aiQ__Q-eJaxCW3Ep6B186tbnzO-wwpxlZAosedPdwlw_E9of-qWQdNtYVnLlMGG88Wbd6oJl3jY4QAvJ6Q2oIvX8G_oszcw) 1. The updater starts upon user login 2. If and only if updates...

The Qubes 4.2 GUI updater provides important new facilities that, in principle, give us the option to migrate to the OS-level updater:

- It can keep track of "staleness" of...

There are a few important decision-points that should influence any "MVP" migration to the 4.2 updater. Here are some we identified:

- Do we want to continue to enforce updates...

Update from 2022-08-11 review with @tina-ux @nathandyer @l3th3 @eloquence:

- Still relevant for future discussion/investigation, keeping open.

The next workstation & server kernel releases may be a good opportunity to evaluate these changes.

The [2020 SecureDrop Workstation audit](https://securedrop.org/news/second-independent-audit-of-securedrop-workstation-completed/) flagged the risks of our current MIME type definitions being overwritten as a medium severity issue, identified as `TOB-SDW-017`. From the report:

> The salt...