> -------- Original Message --------
> Subject: [qubes-users] Qubes silently ditches Librem
> Local Time: July 8, 2017 8:24 AM
> UTC Time: July 8, 2017 7:24 AM
> From: bald...@tutanota.com
> To: qubes-users@googlegroups.com
> For those of us who followed Qubes hardware recommendations and then bought 
> or ordered shiny new Librem 13 laptops, you'll maybe not have noticed that 
> qubes has silently and sneakily withdrawn the recommendation leaving us all 
> in the lurch.
> Originally qubes was sold to us all as a reasonably secure OS - that security 
> they said was built around the trusted ZEN platform. We now know that Zen has 
> numerous security vulnerabilities.
> How can we trust Qubes' judgement anymore? I certainly don't.

Okay, I'll bite because I have an interest in being involved with the 
documentation project and because I'm interested in getting a new Qubes laptop 
myself. Disclaimer that I don't read every post on the lists.
I think certification here has been confused with recommendation; taking a 
quick look at history on GitHub, that seems to be the case.
"-Some users may wish to consider [Qubes-certified laptops].
-However, it is important to note that such laptops are certified only for 
*compatibility* with Qubes OS.
-In particular, the [Purism Librem 13] is certified only for compatibility with 
Qubes R3.x, and it is not likely to be certified for compatibility with Qubes 
R4.x.
-Aside from compatibility, we do not believe that it should be considered any 
safer than other laptops."
The original press release is more positive 
https://www.qubes-os.org/news/2015/12/09/purism-partnership/ but doesn't to me 
make any claims for the product beyond compatibility.
This said, a reference to the previous arrangement (and what happened to it, it 
may just be that the contract for the cut for the developers from each sale 
expired) would be good to display on the page for the avoidance of this exact 
discussion.
Purism have made their own statement here 
https://puri.sm/posts/2017-07-shipping-update-for-qubes-orders/
and it looks like they aren't producing the certified laptop anymore and don't 
want to pay for the new certification procedure. This is fine and their right 
best as I can see. I do find it odd that before this though they state they do 
not have an automated OEM image at present...I'd be curious to know if they've 
ever had one of those.
From a business / customer service point of view, I'm curious to know how you 
feel left in the lurch, has a specific Qubes update bugged out on your 
machine, or do you worry that ITL are aware of a more fundamental issue with 
these laptops they're keeping close to their chests? (I'd think that unlikely, 
as shit of that kind always floats to the surface given enough time). The new 
requirements seem fairly pragmatic (i.e. coreboot and allowing some vendor 
blobs) https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
I'd be interested to know what the charge Purism refer to is, though I guess 
it's the time of ITL's week in poking the laptop to their satisfaction.
On the "zen" point, I wonder if it's possible to interpret "reasonably secure" 
in two different ways. At one point on these lists a slogan for Qubes of "be 
your own bitch" was bandied about which I always felt much more appropriate, 
and the two always remind me of the definition of an optimist and a pessimist 
(i.e. "we're safe forever" vs "we're due").
Again, I don't think the developers have done anything underhanded here, yes 
they plumped for Xen as hypervisor in which serious vulnerabilities have been 
found but they both publish a record of the impact of these vulnerabilities 
https://www.qubes-os.org/security/xsa/ and have provided a better backup 
recovery method 
https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/ for those 
who wish to proceed as if they have indeed been compromised after every such 
vulnerability comes to light. They've also been quite critical of the Xen 
project in the preceding years and are changing the type of virtualisation 
used in Qubes 4.0; this leads me to believe that should they ever completely 
lose patience with Xen, they would move Qubes to a different Hypervisor (if a 
better one was available) and indeed the underlying framework allows this.
Again, the question I'd be interested to ask is how this brings judgment into 
question? One of the criticisms I believe ITL / Qubes has made of Xen is that 
it is too focused on adding new features required by commercial users at the 
expense of security, but a different hypervisor would still need to be "better" 
enough to justify the work in moving to it...
