Recommendations for mitigating supply chain attacks

Hi @unman @Insurgo, this reply continues our discussion in firmware backdoor
about supply chain or man-in-the-middle attacks, and also the trusting trust attack.

In the case that we are under heavy and serious targeted attack and active surveillance,
a situation that is real for some people, i.e.
journalists, law activists, political activists, human rights activists, whistleblowers, etc.,
or people who live under an oppressive / corrupt entity / system,

these people therefore need to protect themselves from:
supply chain or man-in-the-middle attacks, and also the trusting trust attack.

Is it possible for a supply chain or man-in-the-middle attack
to give the user a compromised version of Qubes,
while we download it from the correct source?

How can this attack be mitigated?

It is also said in verifying qubes iso:
*if the machine on which you attempt the verification process is already compromised,
it could falsely claim that a malicious ISO has a good signature.*

Which means that there is now a trusting trust attack.

And the offered solution is Diverse Double Compiling (DDC).
I feel that the article is not easy to understand; can anyone explain DDC in a simple way?
And how does diverse double compiling relate to Qubes ISO verification,
since DDC is about compiling,
but the Qubes ISO is about downloading, authenticating, verifying, and installing?

thanks & regards,
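As an added illustration of the download-verification step the post asks about (this is example code, not from the post above, from the Qubes project, or from the DDC article), the block below checks an ISO against a sha256sum-style digest file and then requires two independently obtained digest files to agree before accepting the image. The ISO bytes, file name and digest files are all constructed inline. The two-source agreement rule borrows only the "diverse" idea from DDC, in that an attacker who sits on one download path would have to also compromise the second path to pass the check; it is not DDC itself, and it does not replace signature verification of the digest file, which on a trusted machine is what actually binds the digests to the publisher.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-in for an ISO image (not a real Qubes ISO).
SAMPLE_ISO_NAME = "Qubes-sample.iso"
SAMPLE_ISO_BYTES = b"stand-in for an ISO image\n" * 64

# sha256sum-style line: 64 hex digits, one or two spaces (optional '*' for binary mode), filename.
_DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) {1,2}\*?(.+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_digests(text: str) -> Dict[str, str]:
    """Map filename -> expected sha256 from sha256sum-style text.

    Blank lines and '#' comment lines are skipped; any other unparseable line is
    an error rather than silently ignored, so a truncated or garbled file fails closed.
    """
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIGEST_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable digest line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_iso(iso_bytes: bytes, iso_name: str, digests_text: str) -> str:
    """Return 'ok', 'mismatch' or 'missing' for one ISO against one digest file."""
    expected = parse_digests(digests_text)
    if iso_name not in expected:
        return "missing"
    actual = sha256_hex(iso_bytes)
    return "ok" if hmac.compare_digest(actual, expected[iso_name]) else "mismatch"


def cross_check(iso_bytes: bytes, iso_name: str, digests_a: str, digests_b: str) -> str:
    """Accept only if two independently obtained digest files agree with each other
    and with the ISO. Returns 'ok', 'sources-disagree', 'missing' or 'mismatch'."""
    a = parse_digests(digests_a).get(iso_name)
    b = parse_digests(digests_b).get(iso_name)
    if a is None or b is None:
        return "missing"
    if not hmac.compare_digest(a, b):
        return "sources-disagree"
    return verify_iso(iso_bytes, iso_name, digests_a)


# Constructed digest files: one computed from the genuine bytes, one for a tampered image
# (as a mirror serving a swapped ISO together with a matching digest file would do).
GOOD_DIGESTS = f"# constructed sample\n{sha256_hex(SAMPLE_ISO_BYTES)}  {SAMPLE_ISO_NAME}\n"
TAMPERED_BYTES = SAMPLE_ISO_BYTES[:-1] + b"!"
TAMPERED_DIGESTS = f"{sha256_hex(TAMPERED_BYTES)}  {SAMPLE_ISO_NAME}\n"

if __name__ == "__main__":
    print(verify_iso(SAMPLE_ISO_BYTES, SAMPLE_ISO_NAME, GOOD_DIGESTS))  # ok
    print(verify_iso(TAMPERED_BYTES, SAMPLE_ISO_NAME, GOOD_DIGESTS))  # mismatch
    print(cross_check(SAMPLE_ISO_BYTES, SAMPLE_ISO_NAME, GOOD_DIGESTS, TAMPERED_DIGESTS))  # sources-disagree
```

The point the last call makes is the one the post is circling: a digest that sits next to the ISO on the same server only proves the download was not corrupted in transit from that server, so a second, independently fetched copy of the digests (or, better, a signature checked on a machine you already trust) is what turns the check into evidence against a man-in-the-middle.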