On Thu, Jan 23, 2020 at 02:30:52PM +0000, 'awokd' via qubes-users wrote:
tetrahedra via qubes-users:
A few times people have observed that Fedora's package signing leaves a
few things to be desired. While Qubes' security model doesn't depend on
Fedora entirely, a compromised template compromises the machine -- and
package repos are a good way to compromise a template.
Why does Qubes still seem to use Fedora as the "primary" choice and
Debian as the "secondary" one?
Start here https://github.com/QubesOS/qubes-issues/issues/1919 and work
your way backwards. :)
My question was intentionally phrased not to be about dom0 :p
There has been some discussion on this list about alternative sys-* VMs
but it still seems to me that Qubes views Fedora as the "primary" choice
-- perhaps because dom0 is Fedora.
Of course a compromise in the package signing would also potentially
compromise dom0, so it's still an issue.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20200125044204.GB1051%40danwin1210.me.
