We have published Qubes Canary 028. The text of this canary is reproduced below. Please note that this canary contains an announcement and is accompanied by two letters, which are also reproduced below.
This canary and its accompanying signatures will always be available in the Qubes security pack (qubes-secpack).
View Qubes Canary 028 in the qubes-secpack:
Learn how to obtain and authenticate the qubes-secpack and all the signatures it contains:
View all past canaries:
Qubes Canary 028
---===[ Qubes Canary 028 ]===--- Statements ----------- The Qubes core developers who have digitally signed this file  state the following: 1. The date of issue of this canary is August 31, 2021. 2. There have been 70 Qubes security bulletins published so far. 3. The Qubes Master Signing Key fingerprint is: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 4. No warrants have ever been served to us with regard to the Qubes OS Project (e.g. to hand out the private signing keys or to introduce backdoors). 5. We plan to publish the next of these canary statements in the first fourteen days of December 2021. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation. Special announcements ---------------------- Joanna Rutkowska will soon begin traveling without her Qubes laptop for extended periods of time, which means she will not be able to sign future canaries on time. She has asked the members of the Qubes security team, Marek Marczykowski-Górecki and Simon Gaiser, to be released of her obligation to sign canaries, and she has reaffirmed that she destroyed all copies of the Qubes Master Signing Key in her possession when she transferred the project lead position to Marek. The Qubes security team has agreed to her request. Therefore, this will be the last Qubes canary signed by Joanna. Note that this canary is being published one day ahead of schedule because this is the last day Joanna is available to sign. In addition to the usual detached signatures from all three aforementioned individuals, this canary is also accompanied by letters (with their own detached signatures), all of which can be found in the canary directory in the qubes-secpack . Disclaimers and notes ---------------------- We would like to remind you that Qubes OS has been designed under the assumption that all relevant infrastructure is permanently compromised. This means that we assume NO trust in any of the servers or services which host or provide any Qubes-related data, in particular, software updates, source code repositories, and Qubes ISO downloads. This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations. The proof of freshness provided below serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance. This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here. Proof of freshness ------------------- Tue, 31 Aug 2021 00:03:05 +0000 Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss) Afghan Vice President in Letter to DER SPIEGEL: "A Deal for Surrender Won't Happen" Afghanistan Disaster: Debacle in Kabul Could Overshadow Biden's Presidency The End of the German Airlift: What Will Become of the Afghans Left Behind? Terror Expert on Afghanistan: "The Real Threat Is Islamic State, not Al-Qaida" Redistributing Mafia Assets: The Palaces and Ruins of the Drug Bosses Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml) Afghanistan Live Updates: The U.S. Occupation Is Over, Ending America’s Longest War U.S. Conducts Drone Strike in Kabul and Winds Down Airlift as Deadline Nears Colombia’s Troubles Put a President’s Legacy on the Line North Korea Restarted Plutonium-Producing Reactor, U.N. Agency Warns How 2 Afghan Paralympians Defied the Odds to Get From Kabul to Tokyo Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml) Afghanistan: US investigates civilian deaths in Kabul strike Hurricane Ida: One million people in Louisiana without power Covid: EU recommends new travel restrictions for US as cases rise Brazil bank robbers tie hostages to getaway cars in Araçatuba China cuts children's online gaming to one hour Source: Blockchain.info 000000000000000000059580872127a33754c4f4fb4e251ace298fea01ee73ca Footnotes ----------  This file should be signed in two ways: (1) via detached PGP signatures by each of the signers, distributed together with this canary in the qubes-secpack.git repo, and (2) via digital signatures on the corresponding qubes-secpack.git repo tags.   Don't just trust the contents of this file blindly! Verify the digital signatures!  https://github.com/QubesOS/qubes-secpack/tree/master/canaries
Letter from Joanna Rutkowska
The original letter and its detached signature file are available here:
2021-08-31 Hello again, Qubes community! I hope you've all been well. As many of you know, I've continued to sign Qubes canaries  ever since I left the project . At the time, I thought I could just continue to sign them forever, but I didn't consider that this would effectively make my secure Qubes laptop like a ball-and-chain that I'd have to bring with me wherever I go. :) At this point in my life, I'd really like to do much more traveling while being able to pack light and feel free of too many physical possessions. Since I am not willing to compromise the security of the Qubes OS Project or the security of the Qubes laptop I've been using to sign canaries in any way just to make my own personal life easier, I've decided it would be best to request that I be removed from the list of canary signers. Otherwise, there would be canaries that I wouldn't be able to sign on-time, which would create headaches for Marek and Simon, as well as confusion for users looking for my signature and not finding it. So, I've requested that the current Qubes security team remove me from the Qubes canary signing process. And, FWIW, I confirm that I -- according to the best of my knowledge -- destroyed all copies of the Qubes Master Signing Key which were in my possession when I passed project lead to Marek, and no one has approached me in an attempt to subvert the Qubes OS Project in any way. This request is solely for my own personal reasons, as explained above. Canary 028  should contain a description of this event under the "Special announcements" section, and that canary should be accompanied by my signature as well as those of the current Qubes security team, Marek Marczykowski-Górecki and Simon Gaiser. Canary 028 is the final canary I will sign. I wish the Qubes OS Project continued success! Sincerely, Joanna  https://www.qubes-os.org/security/canary/  https://www.qubes-os.org/news/2018/10/25/the-next-chapter/  https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-028-2021.txt
Letter from the Qubes security team
The original letter and its detached signature files are available here:
2021-08-31 Dear Qubes community, As you can see in Qubes Canary 028 , Joanna has requested that she be removed from the list of canary signers , and we have agreed to this request. A careful reader might recall that, when Joanna left the Qubes security team in 2018, we wrote : | However, due to the nature of PGP keys, there is no way to | guarantee that Joanna will not retain a copy of the QMSK after | transferring ownership to Marek. Since anyone in possession of the | QMSK is a potential attack vector against the project, Joanna will | continue to sign Qubes Canaries in perpetuity. So, why this change now? It's still true that we (except Joanna herself, of course) can't guarantee that Joanna did not really retain any copies of the private portion of the Qubes Master Signing Key. Continuing to have her sign the canaries on time every few months seemed like a harmless commitment back then but turned out to require quite a lot of effort now that Joanna is no longer involved in the project's day-to-day business. Therefore, we reevaluated whether this is worth the effort and decided against it. If Joanna were lying about deleting all her copies of the private portion of the Qubes Master Signing Key, it is equally possible that she could lie when signing a canary. Therefore, we do not believe that her ceasing to sign canaries constitutes a security problem. This is a good reminder that canaries help only in a very specific scenario, namely if someone (1) wants to act honestly, (2) is prevented from stating that a compromise has occurred, and (3) is not forced to state that no compromise has occurred. For example, this canary scheme is designed to help if we were ever served with a government warrant with an attached gag order that prohibited us from discussing the warrant (the second condition) but that did not compel us to continue signing and publishing canaries against our will (the third condition). However, this will not work if the adversary is willing to coerce us into signing and publishing statements or if signers are willing to lie by signing statements they know to be false. Hence, this canary scheme is limited and fallible, which is why we have always included a statement to this effect in every canary. Regards, The Qubes security team https://www.qubes-os.org/security/  https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-028-2021.txt  https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-028-2021-letter-joanna.txt  https://www.qubes-os.org/news/2018/11/05/qubes-security-team-update/