Several security problems to be aware of when picking distros:
* Lack of a bootstrapped download verification method (an https website);
if you are starting from square one, the download page simply providing a
key ID isn't going to cut it - who is to say that you aren't being
MITM'ed and the key ID has been replaced with another one?
* Installing a service package in most common distros (Debian, openSUSE,
etc.) will result in it being started with the default configuration and
being network accessible if you don't have your firewall enabled.
* Lack of a secure update download method; packages are almost always
being fetched by a root process via http with not even
SELinux/AppArmor policies.
* Very outdated package versions that don't support the latest security
features.

Smaller distros like Alpine seem attractive at first (and it doesn't
have systemd - yay) but I assume they lack the resources for proper
security, including secure build servers and (like it has been said)
chain of custody and verification for code.