20.01.2020, 16:27, "Chris Laprise" <tas...@posteo.net>:

On 1/20/20 6:02 AM, fiftyfourthparal...@gmail.com wrote:

 If I were looking to maximize security, which would you say is
 better--Debian, Fedora, or some other distro, like Gentoo or Arch? If
 you've changed your sys-net, sys-usb, or other templates to something
 other than Fedora, why? And to what?


IMO, Debian is the best choice for secure templates. Its security focus
is at least "normal" while Fedora's philosophy is haphazard "test the
new stuff quick". Essentially all the worst systemd bugs will show up in
a current Fedora release, for example. OTOH, my experience with systemd
in Debian has been much smoother.

Fedora is also the only major distro that doesn't cryptographically sign
its top-level repo metadata, allowing a MITM attacker to selectively
prevent individual packages from updating. I interpret this as a
decision forced on Fedora project from Redhat's marketing dept. so they
can easily scare mission-critical Fedora users into purchasing RHEL
licenses. There is no other possible explanation, IMO, as even CentOS
fully signs their repos.

Debian is also more flexible: There are many more packages, and for the
very latest stuff Debian lets you grab from the testing, unstable and
experimental repos. And you get to choose whether you want shorter or
longer upgrade cycles; with Fedora it's always short which is a cause of
disruption.

Finally, Debian templates are produced via Qubes official channels. That
means something at least in terms of the level of oversight for
building, distributing and updating the templates. OTOH, if this isn't
so important to you, then Ubuntu and CentOS templates are alternatives
to consider.
 


 I've read that Debian is generally considered more secure than Fedora
 because of, among other things, AppArmor and tighter oversight of
 packages. This makes me wonder why it is that Fedora is the default
 template for basically everything while Debian has its default AppArmor
 disabled. Are there any downsides to basically removing Fedora from my
 Qubes?


IIRC, the choice of Fedora was sort of an accident; it was what the
Qubes core developer was most familiar with at the time.

There is an open issue about moving away from Fedora to another distro
like Debian.

Note: Debian does come with the Qubes install media (and Whonix
templates are based on Debian as well) so at least it's easy to choose.
 


 I've also considered that the nature of Qubes makes this discussion seem
 moot to some, but my stance is that I should increase security where
 feasible.


There is one thing I don't use Debian for: The Update VM (which may be
sys-net or sys-firewall, but you can assign it to a separate VM). The
reason is that dom0 uses rpm/dnf and Fedora template is needed to handle
it properly.

Also, Fedora template is currently required for building Qubes itself
and Qubes templates.
 

--


Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

I have considered changing from Fedora templates to Debian templates, but this is what holds me back:
 
https://www.qubes-os.org/doc/templates/debian/#starting-services
 
I'm not a Linux expert, so I don't know what/if services are starting, and if after an update new services are introduced or begin starting. It just seems like it would be an ongoing concern that doesn't exist on Fedora. Is it easily remedied?
 
I'm a basic user, I'm not running any servers. However, I certainly would like to have templates that are more secure by default. I would use the Debian minimal template for all sys and vpn VMs. I would clone it and expand it to include LibreOffice, Rhythmbox and all the other things for a more full-featured template, that is still smaller than the default template. Any insight/feedback would be appreciated.
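One way to keep the "which services start after an update" concern from being an ongoing manual chore, as an added example that is not from this thread or the Qubes documentation: record the template's enabled systemd units once, then report anything that appeared or disappeared after an update. It assumes Debian's `systemctl` is present and that the baseline path is one you pick inside the template.

```shell
#!/bin/sh
# Added example: audit drift in enabled systemd units inside a Debian template.
# Assumptions (not from the thread): Debian's systemd 'systemctl' is available
# and BASELINE is a path of your choosing inside the template.
set -eu

BASELINE="${BASELINE:-/var/lib/service-audit/enabled.baseline}"

# list_enabled: one enabled unit name per line, sorted (comm needs sorted input).
list_enabled() {
    systemctl list-unit-files --state=enabled --no-legend --no-pager |
        awk '{ print $1 }' | sort
}

# diff_enabled OLD NEW: units present in NEW but not OLD are printed with a
# leading "+", units that vanished with a leading "-". Both files hold sorted names.
diff_enabled() {
    comm -13 "$1" "$2" | sed 's/^/+/'
    comm -23 "$1" "$2" | sed 's/^/-/'
}

# snapshot: write the current enabled set as the new baseline.
snapshot() {
    mkdir -p "$(dirname "$BASELINE")"
    list_enabled > "$BASELINE"
    echo "baseline written: $BASELINE ($(wc -l < "$BASELINE") enabled units)"
}

# check: compare the live enabled set against the baseline; return 1 on drift
# so this can be the last step of a template-update routine.
check() {
    [ -f "$BASELINE" ] || { echo "no baseline at $BASELINE; run snapshot first" >&2; exit 2; }
    current="$(mktemp)"
    list_enabled > "$current"
    drift="$(diff_enabled "$BASELINE" "$current")"
    rm -f "$current"
    if [ -n "$drift" ]; then
        echo "enabled units changed since baseline:"
        echo "$drift"
        return 1
    fi
    echo "no change in enabled units"
}

case "${1:-}" in
    snapshot) snapshot ;;
    check)    check ;;
esac
```

Run `snapshot` once after you have trimmed the template to the services you want, then `check` after each `apt` upgrade; a non-zero exit means a new unit was enabled (or one you expected is gone) and deserves a look before the template is shut down.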
