FWIW it looks as though Debian tends to support their OSes for longer before EOL. I'm tending toward Debian regardless just for familiarity, but this fact makes it an easier choice. Supposing "security concerns" include the time it takes to maintain your system (as it does for me), I see this as another point for Debian.
On Mon, Jan 20, 2020 at 12:02 PM tortuga verde <[email protected]> wrote:

> 20.01.2020, 16:27, "Chris Laprise" <[email protected]>:
>
> > On 1/20/20 6:02 AM, [email protected] wrote:
> >
> > > If I were looking to maximize security, which would you say is
> > > better--Debian, Fedora, or some other distro, like Gentoo or Arch? If
> > > you've changed your sys-net, sys-usb, or other templates to something
> > > other than Fedora, why? And to what?
> >
> > IMO, Debian is the best choice for secure templates. Its security focus
> > is at least "normal" while Fedora's philosophy is haphazard "test the
> > new stuff quick". Essentially all the worst systemd bugs will show up in
> > a current Fedora release, for example. OTOH, my experience with systemd
> > in Debian has been much smoother.
> >
> > Fedora is also the only major distro that doesn't cryptographically sign
> > its top-level repo metadata, allowing a MITM attacker to selectively
> > prevent individual packages from updating. I interpret this as a
> > decision forced on Fedora project from Redhat's marketing dept. so they
> > can easily scare mission-critical Fedora users into purchasing RHEL
> > licenses. There is no other possible explanation, IMO, as even CentOS
> > fully signs their repos.
> >
> > Debian is also more flexible: There are many more packages, and for the
> > very latest stuff Debian lets you grab from the testing, unstable and
> > experimental repos. And you get to choose whether you want shorter or
> > longer upgrade cycles; with Fedora it's always short which is a cause of
> > disruption.
> >
> > Finally, Debian templates are produced via Qubes official channels. That
> > means something at least in terms of the level of oversight for
> > building, distributing and updating the templates. OTOH, if this isn't
> > so important to you, then Ubuntu and CentOS templates are alternatives
> > to consider.
> >
> > > I've read that Debian is generally considered more secure than Fedora
> > > because of, among other things, AppArmor and tighter oversight of
> > > packages. This makes me wonder why it is that Fedora is the default
> > > template for basically everything while Debian has its default AppArmor
> > > disabled. Are there any downsides to basically removing Fedora from my
> > > Qubes?
> >
> > IIRC, the choice of Fedora was sort of an accident; it was what the
> > Qubes core developer was most familiar with at the time.
> >
> > There is an open issue about moving away from Fedora to another distro
> > like Debian.
> >
> > Note: Debian does come with the Qubes install media (and Whonix
> > templates are based on Debian as well) so at least it's easy to choose.
> >
> > > I've also considered that the nature of Qubes makes this discussion seem
> > > moot to some, but my stance is that I should increase security where
> > > feasible.
> >
> > There is one thing I don't use Debian for: The Update VM (which may be
> > sys-net or sys-firewall, but you can assign it to a separate VM). The
> > reason is that dom0 uses rpm/dnf and Fedora template is needed to handle
> > it properly.
> >
> > Also, Fedora template is currently required for building Qubes itself
> > and Qubes templates.
> >
> > --
> >
> > Chris Laprise, [email protected]
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>
> I have considered changing from fedora templates to debian templates, but
> this is what holds me back:
>
> https://www.qubes-os.org/doc/templates/debian/#starting-services
>
> I'm not a linux expert, so I don't know what/if services are starting, and
> if after an update new services are introduced or begin starting. It just
> seems like it would be an ongoing concern that doesn't exist on fedora. Is
> it easily remedied?
>
> I'm a basic user, I'm not running any servers. However, I certainly would
> like to have templates that are more secure by default. I would use the
> debian minimal template for all sys and vpn VMs. I would clone it and
> expand it to include libreoffice, rhythmbox and all the other things for a
> more full-featured template, that is still smaller than the default
> template. Any insight/feedback would be appreciated.
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/1345411579539750%40sas1-30406100349c.qloud-c.yandex.net
> <https://groups.google.com/d/msgid/qubes-users/1345411579539750%40sas1-30406100349c.qloud-c.yandex.net?utm_medium=email&utm_source=footer>
> .

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAWRcS_RBagZJm0D-rNarcYuoGMYZs8SL2XwwaoiU7vLwQGJMw%40mail.gmail.com.
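The concern raised in the quoted message, not knowing which services a Debian template starts and whether an update quietly enables new ones, can be checked mechanically. The script below is an added example, not code from any message in this thread or from the Qubes project; it assumes a systemd-based Debian template and an arbitrary snapshot directory (SNAP_DIR), and the sample unit lists are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the systemd units that are enabled
# in a Debian template and diff two snapshots, so a service that an update newly
# enables is noticed instead of silently starting on the next boot.
# Assumptions: run inside the template VM (as root or via sudo); SNAP_DIR is arbitrary.

SNAP_DIR="${SNAP_DIR:-/var/lib/unit-snapshots}"

# List enabled unit files, one name per line, sorted so snapshots can be compared.
enabled_units() {
    systemctl list-unit-files --state=enabled --no-legend --no-pager \
        | awk '{ print $1 }' | sort -u
}

# Save the current list under a label, e.g. "before-upgrade" / "after-upgrade".
snapshot_units() {
    mkdir -p "$SNAP_DIR"
    enabled_units > "$SNAP_DIR/$1.list"
}

# Print units present in list "$2" but absent from list "$1".
# Arguments are newline-separated strings (POSIX sh: no bash process substitution).
newly_enabled() {
    before="$1"
    printf '%s\n' "$2" | sort -u | while IFS= read -r unit; do
        [ -n "$unit" ] || continue
        printf '%s\n' "$before" | grep -Fxq -- "$unit" || printf '%s\n' "$unit"
    done
}

# Compare two saved snapshots by label; returns 1 when something new is enabled.
compare_snapshots() {
    added=$(newly_enabled "$(cat "$SNAP_DIR/$1.list")" "$(cat "$SNAP_DIR/$2.list")")
    [ -z "$added" ] && { echo "no newly enabled units"; return 0; }
    echo "newly enabled units (review them, or 'systemctl disable' what you do not want):"
    printf '%s\n' "$added"
    return 1
}

# Constructed sample lists showing the diff without touching systemctl.
SAMPLE_BEFORE="cron.service
ssh.service"
SAMPLE_AFTER="avahi-daemon.service
cron.service
ssh.service"

case "${1:-}" in
    snapshot) snapshot_units "$2" ;;          # e.g. ./units.sh snapshot before-upgrade
    compare)  compare_snapshots "$2" "$3" ;;  # e.g. ./units.sh compare before-upgrade after-upgrade
esac
```

Take one snapshot before running the template update and one after; anything the compare step reports is a unit the update enabled that was not enabled before.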
