On Wednesday, January 4, 2017 at 7:37:42 PM UTC-5, raah...@gmail.com wrote:
> On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote:
> > pixel fairy:
> > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com
> > > wrote:
> > >> We all know Fedora is a big name, but is it a good choice for a
> > >> Security Driven OS like QubeOS to be based around? What do others
> > >> here think?
> > >
> > > There are a lot of packages creating a bigger attack surface. but,
> > > bigger distros like fedora have companies behind them like red hat.
> > > red hat has been pretty good about actively looking for
> > > vulnerabilities in those packages. distros that automatically
> > > upgrade to the latest version (gentoo etc) can also burn you. they
> > > would make better template vms where you're more likely to want newer
> > > software and new issues can be better contained.
> > >
> > > for dom0, newer distros are better at hardware compatibility with
> > > those fancy new processors, graphics cards and storage controllers
> > > in laptops.
> > >
> > > just personal opinion, but wayland is a better fit than x11 for
> > > qubes in the long run. fedora is the only distro with a dedicated
> > > security staff actively supporting it.
> > >
> > > anytime you abstract a layer, you're diluting your resources.
> > > maintaining a dom0 isn't much more work than a domu template, but if
> > > you want to add slackware, arch, and gentoo, you've now more than
> > > doubled the developers distro maintenance work when they could be
> > > working on stability and features.
> >
> > Potentially worth noting here that in Ed Snowden's keynote at
> > Libreplanet 2016, he criticized the free software community's tendency
> > to use stable, outdated software. Snowden said that the attackers
> > move and adapt quickly, and it's dangerous to continue using outdated
> > software that doesn't have the latest security fixes/features just
> > because it's more stable or more backward-compatible. Snowden did not
> > explicitly mention any distros that he was talking about, but I got
> > the distinct impression that he was (at least in part) talking about
> > Debian.
> >
> > Of course, "appeal to authority" is a classic fallacy, so we shouldn't
> > do what Snowden says without questioning it, but I think it's at least
> > worth considering his argument seriously.
> >
> > Cheers,
> > -Jeremy
>
> I disagree with Snowden on this, if it ain't broke don't fix it. What
> usually happens in reality is the newer software introduces even more bugs
> than were originally there imo for the sake of new shiny things. Many
> experts say we are actually less safe nowadays cause systems are already too
> complex. And if new exploits found in old software are patched with
> security updates then I think the free software communities have it right when
> it comes to security.
>
> If he means old software that's no longer maintained and abandoned then he has
> a good point. There is plenty of that in every linux distro, some more than
> others.
>
> But saying attackers adapt quick, means to me adapting to something new,
> adapting to a new exploit, not a secret one they've already known about.

I used to believe that always updating software would remove exploits currently in them. But usually in reality if not specifically addressed, since new software is still built upon the same old software, the old bugs still exist while new ones are now introduced as well.