Re: [qubes-users] Qubes, Fedora, and package signing
On Thu, Jan 23, 2020 at 02:30:52PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: A few times people have observed that Fedora's package signing leaves a few things to be desired. While Qubes' security model doesn't depend on Fedora entirely, a compromised template compromises the machine -- and package repos are a good way to compromise a template. Why does Qubes still seem to use Fedora as the "primary" choice and Debian as the "secondary" one? Start here https://github.com/QubesOS/qubes-issues/issues/1919 and work your way backwards. :) My question was intentionally phrased not to be about dom0 :p There has been some discussion on this list about alternative sys-* VMs but it still seems to me that Qubes views Fedora as the "primary" choice -- perhaps because dom0 is Fedora. Of course a compromise in the package signing would also potentially compromise dom0, so it's still an issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200125044204.GB1051%40danwin1210.me.
Re: [qubes-users] Qubes, Fedora, and package signing
tetrahedra via qubes-users: > A few times people have observed that Fedora's package signing leaves a > few things to be desired. While Qubes' security model doesn't depend on > Fedora entirely, a compromised template compromises the machine -- and > package repos are a good way to compromise a template. > > Why does Qubes still seem to use Fedora as the "primary" choice and > Debian as the "secondary" one? > Start here https://github.com/QubesOS/qubes-issues/issues/1919 and work your way backwards. :) -- - don't top post Mailing list etiquette: - trim quoted reply to only relevant portions - when possible, copy and paste text instead of screenshots -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e0c02c60-de54-3f72-7720-809caf188bda%40danwin1210.me.
[qubes-users] Qubes, Fedora, and package signing
A few times people have observed that Fedora's package signing leaves a few things to be desired. While Qubes' security model doesn't depend on Fedora entirely, a compromised template compromises the machine -- and package repos are a good way to compromise a template. Why does Qubes still seem to use Fedora as the "primary" choice and Debian as the "secondary" one? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200121102630.GA1045%40danwin1210.me.