Qubes.live Canary 1

February 4, 2025, 12:23 AM

We have published Qubes.live Canary 1. The text of this canary and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this canary, please see the end of this announcement.

Qubes.live Canary 1

The Qubes.live team members who have digitally signed this file state the following:

1. The date of issue of this canary is February 4, 2025.

2. There have been 0 Qubes.live security bulletins published so far.

3. The Qubes.live team Key fingerprint is:

       994E0 B67DF 22DD4 123E9 CF94D 90394 3F63B 102DD
       D9B95 91EF7 C9A60 038A7 7DEFA 11893 63543 518F6
       8B746 0C32F 801CA 4E8A5 1ED41 9E108 47D2C 54BF9

4. No warrants have ever been served to us with regard to the qubes.live project (e.g. to hand out the private signing keys or to introducebackdoors).

5. We plan to publish the next of these canary statements in the first fourteen days of March 2025. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

# Disclaimers and notes

This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

The proof of freshness provided below serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

Proof of freshness

- [Trump to pause tariffs on Canada and Mexico after they agree to strengthen borders](https://www.bbc.com/news/live/c8d90v1m6qvt)

- [特朗普的关税政策会损害美国消费者吗？](https://www.bbc.com/zhongwen/articles/cn0yey2z9nzo/simp)

- [Founder of pro-Russian paramilitary group dies in explosion in Moscow](https://edition.cnn.com/2025/02/03/europe/armen-sarkisyan-bomb-death-moscow-intl-latam/index.html)

- [btc transaction](https://www.blockchain.com/explorer/transactions/btc/4a2a1f1539499bd535857ce4c07f5fd00197b275a424c94635fc15244d86753f)

Footnotes

You can get their PGP public key in https://blog.qubes.live/rule/index.html

Bar’s PGP signature

cccacaia’s PGP signature

tiananmen1989’s PGP signature

What is the purpose of this announcement?

The purpose of this announcement is to inform the Qubes.live that a new Qubes.live canary has been published.

What is a Qubes.live canary?

A Qubes.live canary is a security announcement periodically issued by the Qubes.live team consisting of several statements to the effect that the signers of the canary have not been compromised. The idea is that, as long as signed canaries including such statements continue to be published, all is well. However, if the canaries should suddenly cease, if one or more signers begin declining to sign them, or if the included statements change significantly without plausible explanation, then this may indicate that something has gone wrong.

The name originates from the practice in which miners would bring caged canaries into coal mines. If the level of methane gas in the mine reached a dangerous level, the canary would die, indicating to miners that they should evacuate. (See the Wikipedia article on warrant canaries for more information, but bear in mind that Qubes.live Canaries are not strictly limited to legal warrants.)

Why should I care about canaries?

Canaries provide an important indication about the security status of the project. If the canary is healthy, it’s a strong sign that things are running normally. However, if the canary is unhealthy, it could mean that the project or its members are being coerced in some way.

What are some signs of an unhealthy canary?

Here is a non-exhaustive list of examples:

Dead canary. In each canary, we state a window of time during which you should expect the next canary to be published. If no canary is published within that window of time and no good explanation is provided for missing the deadline, then the canary has died.
Missing statement(s). Every canary contains the same set of statements (sometimes along with special announcements, which are not the same in every canary). If an important statement was present in older canaries but suddenly goes missing from new canaries with no correction or explanation, then this may be an indication that the signers can no longer truthfully make that statement.
Missing signature(s). Qubes.live canaries are signed by the members of the Qubes.live team (see below). If one of them has been signing all canaries but suddenly and permanently stops signing new canaries without any explanation, then this may indicate that this person is under duress or can no longer truthfully sign the statements contained in the canary.

What are the PGP signatures that accompany canaries?

A PGP signature is a cryptographic digital signature made in accordance with the OpenPGP standard. PGP signatures can be cryptographically verified with programs like GNU Privacy Guard (GPG). The Qubes security team cryptographically signs all canaries so that Qubes users have a reliable way to check whether canaries are genuine. The only way to be certain that a canary is authentic is by verifying its PGP signatures.

Why should I care whether a canary is authentic?

If you fail to notice that a canary is unhealthy or has died, you may continue to trust the Qubes.live team even after they have signaled via the canary (or lack thereof) that they been compromised or coerced. Falsified canaries could include manipulated text designed to sow fear, uncertainty, and doubt about the security of Qubes.live or the status of the Qubes.live

Tags: canary