>> Now, about 4.7. Note that the page for only lists individual names,
>> does not list any company affiliations or employers at all. An odd
>> change/omission?
>
> could there be a simpler explanation?

Certainly. Maybe some intern generating the stats page was too lazy to summarize it by company. Maybe they stopped tracking company affiliation. Maybe it's just an oversight. Given the state of computer/network/software security these days and the NSA's reputation, I thought it was worth pointing out. :)

>> Xen is a much bigger and faster-moving target than I ever expected for a
>> hypervisor.
>
> indeed, same here.

Wiki on Microkernels is consistent with my understanding:

> In terms of the source code size, as a general rule microkernels tend to be smaller than monolithic kernels, usually sizing at under 10,000 lines of code.

Xen's Wiki page states:

> Xen Project is a hypervisor using a microkernel design

It's a bit disingenuous to call Xen a Microkernel, at 150,000+ lines of code. I hope to dig through the sources a bit tonight, and see how much of that is truly the core kernel/security bits, and how much of that is qemu drivers and stuff. Maybe there is a lean, well-reviewed core that we can all trust, with a lot of supporting drivers and such. Although the fact that those acknowledgement pages are careful to point out "Microkernel core" vs. auxiliary stuff.

>> Is it possible to have a secure environment, where you don't fully trust
>> the hardware/software?
>
> no, especially assuming s#fully## ;-p

Not with existing hardware/software/operating systems, but can we get there? Is there even a path forward? :) Sadly, there don't seem to be any viable Xen alternatives. (I guess one could always create alternatives from forks of Xen or the various other hypervisors/kernels out there; although securing/improving/auditing Xen is probably less work.)

>> And unless you've designed the hardware and
>> software yourself (or they're both open and heavily and transparently
>> reviewed), and you never let either out of your sight and protection,
>> how can you ever fully trust hardware/software?
>
> you can't.
>
> and yeah, that's sad. luckily the real world is mostly not *that* black
> and white.

True, security isn't an on/off binary thing, it's more of a probability to be combined with your risk profile. Qubes certainly increases your odds at having some security by a fair bit. Probably minor in comparison to all the holes, bugs, bad design choices, and vulnerabilities in PC hardware (and software bugs/backdoors), but every little bit helps.

> long story short: I'd argue that *no one* should fully trust computers.
> however, this doesn't make them completely useless ;-)

Very good point. I've overly-trusted computers, and have been hacked so badly in the past few years that computers have basically become useless to me. But I'm also a pretty low-valued target, lol, so I'm trying to rebuild my confidence in my setup for work (and personal) sanity and dignity. It's awfully hard not to rely upon computers on a daily basis for work, personal, communications, media purposes.

Stumbled across this, rather interesting: https://en.wikipedia.org/wiki/Exokernel

JJ