On Fri, Aug 14, 2020 at 07:00:02AM -0700, acharya.sagar.sag...@gmail.com wrote:
> But one can't trust Intel right? How can one be sure that tests and 
> warnings generating code is not malware. Open code is the 1st requirement 
> for security right?! I don't think hidden security enhancing code is really 
> enhancing security.

I don't think you understand.
If a user *does* have an Intel processor then they are stuck with known
vulnerabilities. They trust Intel already, so trust the microcode
supplied.
The tests and warnings are in the Linux kernel.
Libre kernels remove them so that users won't be tempted to use non-free
microcode, although they are *already* using non-free microcode. I
think this is incoherent, and haven't seen any persuasive arguments.
In my opinion users should be given all the information they need to
make an informed choice.

Open code is not the 1st requirement for security. It isn't even one of
the requirements, although it may be desirable.
There are many examples of free software where the bugs and security
flaws remain open for years.
Sometimes people talk as if they think that closed source programs don't
get any review. This simply isn't true (although sometimes with
Microsoft in the past, one might think differently). I've worked with
development teams where the code is crawled over in depth by professional
auditors, but the product is closed source.

> 
> Qubes is an extremely secure OS and with RISC-V processors coming, Qubes 
> should go towards removing trust from hardware. At least it should have 
> option (another ISO, say qubes-libre.iso) for fully free software going 
> ahead. Trusting Intel would be optional going ahead due to RISC-V cores or 
> other open processors. And if not, Qubes should make their life difficult 
> as much as possible by choosing linux-libre by default. Parabola is a 
> perfectly usable OS, and so is Hyperbola (it has few packages though). I use 
> it on a flash drive. Except WiFi rest of the things work.

"Except WiFi rest of the things work." Exactly. I think that makes my
point.

> 
> I strongly think there is no unreadable code for security. There is only 
> unreadable code or security. While the whole concept of qubes lies on 
> protecting against malware by trusting it less, with free hardware ahead, 
> having an option for no hidden code and actively preventing user from 
> installing hidden code in most doms is impressive.

This is just a false opposition.
To make things clear, I'm an advocate for free software, but that has
nothing to do with security. In some cases, the advocates for free
software and linux libre have no regard for the security of end users.
That's wrong.
