What's okay to install in Dom0? If anything?

The page on how to install software says “Beware! Don’t do it! But here’s how anyway.”

But then there are pages talking about the Qubes-u2f-proxy, which I guess is called the ctap-proxy now? And there’s the Yubikey 2fa login software.

Are those okay, though the docs say don’t install anything?

I guess I have two questions. Is the ctap what used to be the u2f proxy? And what add-ons are considered safe to install in dom0?

Best probably is “downloading the install files to any qube, which has internet connection and moving them to dom0 file by file to install them in dom0 finally”
Yes, you really have to know what you do…

No - both ctap and u2f packages are available.
CTAP1 is a protocol, defined by U2F messaging specification.
CTAP2 is a different protocol, used by different authenticators.

You are trusting Qubes software anyway, so almost anything officially

You trust Fedora too - take a look here.
That applies equally to dom0 - but the argument against installing
software in dom0 included both the risk of more bugs and increased
attack surface, and the fact that more installed software makes it more
likely that you will actively work in dom0, with attendant risks.

You may also choose to trust other package providers - e.g. community
templates, like Whonix, or some of the templates and packages I provide.

In the end, it’s your judgement as to what to install and use.
The general guidance is not to install extra packages into dom0, and
not to work there.

If they’re separate packages, it’s a bit weird that when I go to install qubes-u2f, it says it’s installing qubes-ctap. I think I’m missing something basic here, if they really are different packages.

So it really comes down to personal judgement… that’s both cool and a little scary. But hey, that’s the beauty of open source, I guess.

Just to be super clear, I’m assuming anything you’ve got in the qubes-os(.)org docs and inside the github are official packages from the core team?

Thanks for the reply.

Would you recommend doing that even for official qubes packages? I thought Dom0 was already offline and did all its downloading through a proxy.