Chris Laprise:
> On 03/08/2017 08:50 AM, taii...@gmx.com wrote:
>
>> "The Linux kernel, I believe, is clean.
>
> You lost me right there. I don't believe in hero worship, and if anyone
> thinks Linus is fallible it is the people on this list.
Thanks for addressing this, Chris. Privilege escalation, uninitialized pointers, race conditions, you name it, vulns are found in the kernel at what's in my opinion a somewhat alarming rate. I seem to think a developer loudly brought up this growing problem at linux.conf or another event a year or two ago, but the details aren't coming to me. I don't even follow kernel development and I hear about security problems way more often than I'd like to for ring0 code.

For some insight into why the Linux kernel is not as secure as you think, in both rant style and by-example, regularly posted referring to over a decade's worth of incidents and poor decisions, all you have to do is visit https://www.grsecurity.net/

I'm not saying that Linux is a bad thing or the developers don't care or that another OS is better, but to say the kernel "is clean" is just plain wrong.

taii...@gmx.com:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
> I am tired of the "virtualization will protect you!" excuse, it only
> goes so far and some systemD issues such as using google DNS by default
> are simply inexcusable from a qubes perspective (designed to be a secure
> OS, but phoning home like that without asking isn't secure at all)

It's easy enough to override the defaults at compile-time, and most distros do in fact. You can also of course set your own at run-time, but most users won't do this and I agree Qubes should make an attempt to protect users from that. systemd-timesyncd has a similar problem with timeservers.

Actually, do these settings even matter in Qubes' default state? My systemd-networkd.service is disabled and not running in my sys-net, which is the way it was installed. Further, /etc/resolv.conf is

> # Generated by NetworkManager
> nameserver 192.168.1.1

Which is the DNS server configured by DHCP. Where does systemd-resolved come into play?