On 07/01/2016 01:46 PM, Duncan Guthrie wrote:
>
> I understand what Marek is saying. I'm saying that ideally we
> shouldn't let any proprietary software be loaded by dom0, because we
> simply have no idea what it does. For example, someone could
> pressure the people who write the firmware to put something nasty in
> it designed to attack Qubes and TAILS users, to exploit Xen and break
> out of the hypervisor. It is a distinct possibility, considering we
> are living in the age of Orwell. What I am proposing (nonfree
> repository turned off by default) means that we can have hardware
> support while ideally avoiding the proprietary software as much as
> possible. If it works for Debian and Ubuntu, then I am sure it would
> work for Qubes. For instance, this might be easier if dom0 was based
> on Debian, as I am aware this was discussed.

What you say is not wrong, but also not new, and that's exactly the reason behind netvm and the planned (but harder, hence not yet ready) guiVM. If everything goes according to the plan, with GuiVM there will be no need for opaque binary blobs in dom0, and any distribution may well be used - dom0 still does not have any networking, so apart from not-yet-found malicious code in the FOSS in dom0 there should be no security problem.

The fact that it might be easier if dom0 was debian based is wrong: it would be exactly the same. As long as someone needs support for nvidia and chooses to install the official nvidia drivers, they will have opaque binary blobs in dom0. With fedora it's exactly the same: by default there are the foss nouveau drivers, but if someone feels inclined, they may well install the official (opaque) nvidia blobs. If that same person is happy with nouveau, they may use it both in debian or in fedora.

If you find any other unneeded suspicious package, you may just remove it with the package manager; please report back what you find, so that dom0 may be "purged" if these packages are actually unneeded in every case.

> I am also still confused about how I might install Linux-libre in
> dom0 and replace all the proprietary stuff with the packages from
> freed-ora repositories (or my own). I think a guide in the
> documentation for this would be good. Does anyone have any ideas?
>
> Thanks for your reply, D.

The problem with a custom dom0 is that it has to support being a Xen hypervisor administration domain. If this prerequisite is met, then you may try to port the qubes tools to work in your dom0.

I still don't see your point in doing that, anyway, apart from the video card opaque blob (explained above). As an example, I do not have any NVidia card as of now, so I don't have any opaque binary blob in my dom0.

Could you please list what other non-just-removable "proprietary stuff" you found in your dom0 and explain what you would replace it with?

--
Alex

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/84807200-3a9d-821a-aadb-764c3ea83ac4%40gmx.com.
