On Sat, Feb 03, 2018 at 11:38:28AM -0800, Yuraeitha wrote:
> On Saturday, February 3, 2018 at 9:11:31 AM UTC+1, Foppe de Haan wrote:
> > On Saturday, February 3, 2018 at 3:56:05 AM UTC+1, Yuraeitha wrote:
> > > On Thursday, February 1, 2018 at 12:56:29 AM UTC+1, Unman wrote:
> > > > I'm just pushing up some PRs to remove zesty and institute build support
> > > > for artful (17.10).
> > > > If you cant wait there's a ready built 3.2 template you can try at:
> > > > http://qubes.3isec.org/Templates
> > > > 
> > > > unman
> > > 
> > > This looks really nice unman. I do have a question though, which in the 
> > > end might just be my lack of understanding.
> > > 
> > > Essentially, how is the build process executed in terms of security and 
> > > also reliability?
> > > 
> > > I know you're one of the 13 contributors to the Qubes OS, but it'd be 
> > > nice knowing if this is done securely and reliable like the official 
> > > Qubes templates (like how Joanna explains the weak links in OS builds, 
> > > i.e. in one of her presentations on youtube).
> > > 
> > > Also how come it's not released in the secondary templates community 
> > > repository? Is this due to license issues?
> > > 
> > > I apologize for these questions, it's not out of lack of respect, but 
> > > rather probably my lack of understanding.
> > 
> > per https://www.qubes-os.org/doc/templates/ubuntu/ :
> > "These templates are currently not available in ready to use binary 
> > packages, because Canonical does not allow redistribution of a modified 
> > Ubuntu. The redistribution is not allowed by their Intellectual property 
> > rights policy."
> 
> @Foppe 
> hmm, that is an unfortunate hard stand on license.. Canonical seems a bit too 
> needlessly strict here. It feels like an overkill lawyer lock-down on a 
> contract, to cover all ends needlessly, just to be sure nothing is 
> overlooked. I'm a bit sad about such mindless over-protection. Perhaps the 
> license wasn't even written with Ubuntu in mind, but just an overall general 
> protection... well I wouldn't know, but it seems like it might be.
> 
> Perhaps they can make an exception for cases like Qubes though, it seems like 
> it would make good sense for them to do so, especially now when Qubes 4 is 
> gaining a lot of increased attention and traction. I don't personally use 
> Ubuntu, but it would be a nice addition to Qubes if Canonical gave their 
> acceptance for this use-case.
> 
> I'm curious now after reading your post though. Since because there are other 
> distributions of Ubuntu out there, I might dig into the licenses on these 
> after half a month has passed, when I get the time for it. There must be a 
> reason why Ubuntu offsprings like; Kubuntu, xubuntu, Edubuntu, Ubuntustudio, 
> and so on, are allowed in the license. 
> 

These are really good questions: in reverse order -

Canonical has a strict license policy. The offspring you mention are
all licensed by Canonical and permitted to use the Ubuntu name or
variants thereof.
Canonical have not yet allowed Qubes a license to use Ubuntu, and the
Qubes project therefore cannot distribute Ubuntu templates. Ubuntu
templates are integrated in to the build system, which is designed to
be as simple as possible, and almost anyone should be able to build a
template for themselves.
It may be possible in the future to persuade Canonical to extend
licensing to Qubes. At the moment there are certain requirements on
their part which makes this difficult/impossible, but I hope that we
can change this at some point.

So for these reasons Qubes will not release Ubuntu templates, and they
are not included in the community repositories, as is clear on the page
Foppe cited.

When I post in these mailing lists I don't speak for Qubes: I'm posting
as a Qubes user. I think there may be some people who aren't confident
enough, or don't have time, to build Ubuntu templates for themselves, so
I build example Templates and make them available. I also host repos to
serve deb packages for Ubuntu.
I use a dedicated machine for building, a caching proxy to save
downloads, and run through Tor. Is that secure and reliable?

That said, I STRONGLY recommend that you build these templates for
yourself.
If you look at my posting history and contributions you may choose
to trust me and by extension the packages I put up. That's your decision.
For what it's worth, no one has reported anything untoward about any of the
packages I've posted, or the live images.
(Of course, if I were a malicious actor this is EXACTLY the approach I
would take.)

Hmm, security IS difficult, isn't it?

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180205010128.wdivu6kz7fpuiwiv%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to