[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Tuesday, 10 January 2017 10:47:58 UTC+11, Connor Page wrote:
> Sorry Drew, you asked what needs to be installed to make another dom0, not
> the bare minimum that is required.
I'm sorry that I was not more specific when I said "needs". It can be taken
multiple ways, I should have been more precise.
>Every Qubes specific package provides a list of prerequisites and version
>conflicts.
That is true, but that's why I'm curious about it to know.
>For instance,
> Name: qubes-core-dom0
> Version: %{version}
> Release: 1%{dist}
> Summary: The Qubes core files (Dom0-side)
>
> Group:Qubes
> Vendor: Invisible Things Lab
> License: GPL
> URL: http://www.qubes-os.org
> BuildRequires: ImageMagick
> BuildRequires:systemd-units
> # FIXME: Enable this and disable debug_package
> #BuildArch: noarch
> Requires(post): systemd-units
> Requires(preun): systemd-units
> Requires(postun): systemd-units
> Requires: python, pciutils, python-inotify, python-daemon
> Requires: qubes-core-dom0-linux >= 3.1.8
> Requires: qubes-core-dom0-doc
> Requires: qubes-db-dom0
> Requires: python-lxml
> Requires: python-psutil
> # TODO: R: qubes-gui-dom0 >= 2.1.11
> Conflicts: qubes-gui-dom0 < 1.1.13
> Requires: libvirt-python
> %if x%{?backend_vmm} == xxen
> Requires: xen-runtime
> Requires: xen-hvm
> Requires: libvirt-daemon-xen >= 1.2.20-6
> %endif
> Requires: createrepo
> Requires: gnome-packagekit
> Requires: cronie
> Requires: bsdtar
> # for qubes-hcl-report
> Requires: dmidecode
> Requires: PyQt4
>
> Dom0 is created by installing qubes tools that pull in their dependencies and
> so on. Yum Extender in dom0 can give you all the prerequisites. Of course
> here we rely on developers being precise when defining them.
That is true.
Thing is, I'd be building it from code, which is why I need to know. Because
not everything is as simple as using an RPM or other package like that. And
there are no SRPMs so that's another thing that makes it not work well for what
I need to do to get the packages installed to create a new Dom0.
But that's just the way things go unfortunately.
I can but try.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e3512337-8c6d-482b-9951-3fa1bfc8969b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
Sorry Drew, you asked what needs to be installed to make another dom0, not the
bare minimum that is required. Every Qubes specific package provides a list of
prerequisites and version conflicts. For instance,
Name: qubes-core-dom0
Version:%{version}
Release:1%{dist}
Summary:The Qubes core files (Dom0-side)
Group: Qubes
Vendor: Invisible Things Lab
License:GPL
URL:http://www.qubes-os.org
BuildRequires: ImageMagick
BuildRequires: systemd-units
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: python, pciutils, python-inotify, python-daemon
Requires: qubes-core-dom0-linux >= 3.1.8
Requires: qubes-core-dom0-doc
Requires: qubes-db-dom0
Requires: python-lxml
Requires: python-psutil
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts: qubes-gui-dom0 < 1.1.13
Requires: libvirt-python
%if x%{?backend_vmm} == xxen
Requires: xen-runtime
Requires: xen-hvm
Requires: libvirt-daemon-xen >= 1.2.20-6
%endif
Requires: createrepo
Requires: gnome-packagekit
Requires: cronie
Requires: bsdtar
# for qubes-hcl-report
Requires: dmidecode
Requires: PyQt4
Dom0 is created by installing qubes tools that pull in their dependencies and
so on. Yum Extender in dom0 can give you all the prerequisites. Of course here
we rely on developers being precise when defining them.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7df0a801-2325-4a52-b144-27f266ed1506%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Friday, 6 January 2017 19:59:43 UTC+11, Connor Page wrote: > why wouldn't you consult the list of actually installed packages? > https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml Can you, from that, tell me what are REQUIRED for Qubes-OS to be fully functional? If you can, then you must be able to see something that I am not able to. While that may have a list of a lot of packages, it doesn't say what versions are required. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c2e27788-d7d2-4944-9064-4bad294c6e0c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
why wouldn't you consult the list of actually installed packages? https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ddaf1b18-3b91-475d-b998-9c1a9597f534%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
The real question here I think is.. What needs to be installed in an O/S to create a new Dom0? I've asked this before, and none answers the question. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/952b0d84-6ac4-4d88-bbcb-a32cdf642210%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
The LUKS issue was all about getting a root shell as opposed to being able to defeat LUKS or get the keys or decrypt the data. I know this was a bit misreported in the press. A bigger issue is if /boot is not encrypted. And with modern GRUB there is no need for it not to be. Someone could then use this shell to put a keylogger in /boot process then they could use this vulnerability to do some damage. But the same is true from booting from removable custom media to access the encrypted partitions. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ad049ceb-dacf-93d5-cc0c-daffb69e2a3c%40gmsl.co.uk. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
I have seen much more systemd hates than proper arguments against systemd. But if systemd is really wrong, this kind of debate does not contribute for rejecting it. >From security perspective in context of dom0, systemd is a process that >interacts with local processes and maybe with few other local things. If >systemd is really wrong for security (I am not convinced so), I would expect >it to allow local privilege escalation, which is not much a threat in context >of Qubes. Did you mean something else? If there is a proper argument against systemd for dom0, I hope Qubes developers will hear it. But they will hardly move to Slackware (or another non-systemd distro) just for sake of getting rid of systemd. I guess that without a good argument for it*, there will be always something more important giving better improvement, requiring less effort and indroducing less risks. Regards, Vít Šesták 'v6ak' *) I am not stating there is not any reasonable argument. There might be one I haven't realized. But if there is any, it should be mentioned in a proper way. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bf23e910-11d1-443b-b6f4-b9e89ac24674%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
When you don't update, you will eventually have software full of known security bugs. Known security bugs (if they aren't properly managed, like analyzing their impact and mitigating them) are arguably worse than unknown security bugs (ceteris paribus), because they are much cheaper to exploit. The same does not apply to non-security bugs. The key difference is that security bugs are triggered on purpose, while other bugs are triggered accidentally. It is questionable if old software with security patches (e.g. Debian stable, Firefox ESR) is better than fresh one or not. I see good arguments on both sides, so maybe it depends. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57eb6f16-91f9-497b-921b-d7d39beb93e1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Thursday, 5 January 2017 11:38:52 UTC+11, raah...@gmail.com wrote: > On Wednesday, January 4, 2017 at 7:37:42 PM UTC-5, raah...@gmail.com wrote: > > On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > > Hash: SHA512 > > > > > > pixel fairy: > > > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com > > > > wrote: > > > >> We all know Fedora is a big name, but is it a good choice for a > > > >> Security Driven OS like QubeOS to be based around? What do others > > > >> here think? > > > > > > > > There are a lot of packages creating a bigger attack surface. but, > > > > bigger distros like fedora have companies behind them like red hat. > > > > red hat has been pretty good about actively looking for > > > > vulnerabilities in those packages. distros that automatically > > > > upgrade to the latest version (gentoo etc) can also burn you. they > > > > would make better template vms where your more likely to want newer > > > > software and new issues can be better contained. > > > > > > > > for dom0, newer distros are better at hardware compatibility with > > > > those fancy new processors, graphics cards and storage controllers > > > > in laptops. > > > > > > > > just personal opinion, but wayland is a better fit than x11 for > > > > qubes in the long run. fedora is the only distro with a dedicated > > > > security staff actively supporting it. > > > > > > > > anytime you abstract a layer, your diluting your resources. > > > > maintaining a dom0 isnt much more work than a domu template, but if > > > > you want to add slackware, arch, and gentoo, youve now more than > > > > doubled the developers distro maintanance work when they could be > > > > working on stability and features. > > > > > > Potentially worth noting here that in Ed Snowden's keynote at > > > Libreplanet 2016, he criticized the free software community's tendency > > > to use stable, outdated software. Snowden said that the attackers > > > move and adapt quickly, and it's dangerous to continue using outdated > > > software that doesn't have the latest security fixes/features just > > > because it's more stable or more backward-compatible. Snowden did not > > > explicitly mention any distros that he was talking about, but I got > > > the distinct impression that he was (at least in part) talking about > > > Debian. > > > > > > Of course, "appeal to authority" is a classic fallacy, so we shouldn't > > > do what Snowden says without questioning it, but I think it's at least > > > worth considering his argument seriously. > > > > > > Cheers, > > > - -Jeremy > > > -BEGIN PGP SIGNATURE- > > > > > > iQIcBAEBCgAGBQJYaTeQAAoJELPy0WV4bWVwbNgP+QG3jY+xlwsTnViOS+IFEHMP > > > Nyt+d9Cuq7iEnCsr1fuXbzjSNB8RDM0y2BY6rciELmo4kvyfsGoPYZod7nOlQPeV > > > xjgjubrlA3udMxSCsc5lc2DbP4IszehJECYGbZw4gaFabScs6ugt0P9gxKaiTIWR > > > pa9bAaSzJffZsJg9/efUJuo134Mdd8QBssKEC6idWCiEuM8YWHZI9xKfvhTjRrqj > > > g233nSNbvctg0yoUQbf2XHZ6gyGZ2p0Y1ab8o0o0MFVsuQIuPCKlWgr/WhjgdWDY > > > Ye4TCYZhonuLHRCiOt+ZuS2w8nj24O0qFvXra+asXAaW2mFzQa/Aq3CdLBE87nXE > > > z3dgNp2Z08dWi28ncbCwvn8mpw0w07yl1n6+2JlBC4pDTF2/r6BMgsp4DIS9sFDB > > > h+mFWCnqh80P/39SQeOoOcHATruMfHp8CUDVtOMVBRV4VpoA7YaKxiiiUXFnD21M > > > S6XP7QqxPkbPW0E77UeR53igB61QQ1t3Fb4QQRLZY1bhncKn3kM/OmUDnHzepLQn > > > 0/FLW/aJMBofOHeb6xqrfipeayGrdHLNuav9Nu1QRuX2lY6E0Sl40VZBwRERxfaW > > > t+Ck3n4Qw2Gru13zXPhHuE8OpTV3/RgkMzNMnADxfArhSIW2zwoYQvNCn8U/LNaq > > > P2HMZA0yehx6CZnBmdb/ > > > =RC2L > > > -END PGP SIGNATURE- > > > > I disagree with Snowden on this, if it aint broke don't fix it. What > > usually happens in reality is the newer software introduces even more bugs > > then were originally there imo for the sake of new shiny things. Many > > experts say we are actually less safe nowadays cause systems are already > > too complex.And if new exploits found in old software are patched with > > security updates then I think the freesoftware communities have it right > > when it comes to security. > > > > If he means old software thats no longer maintained and abandoned then he > > has a good point. There is plenty of that in every linux distro, some more > > then others. > > > > But saying attackers adapt quick, means to me adapting to something new, > > adapting to a new exploit, not a secret one they've already known about. > > I use to believe that always updating software would remove exploits > currently in them. But usually in reality if not specifically addressed, > since new software is still built upon the same old software, the old bugs > still exist while new ones are now introduced as well. If you have a secure system in the first place, the exploits can't get a grip easily. If you manage your system you won't get hit easily. If you lock the machine down, you won't get hit easily. I limit SUDO activity to what I want to let things use. I don't let sudo change passwords.. I don't let sudo do
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Wednesday, January 4, 2017 at 7:37:42 PM UTC-5, raah...@gmail.com wrote: > On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > pixel fairy: > > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com > > > wrote: > > >> We all know Fedora is a big name, but is it a good choice for a > > >> Security Driven OS like QubeOS to be based around? What do others > > >> here think? > > > > > > There are a lot of packages creating a bigger attack surface. but, > > > bigger distros like fedora have companies behind them like red hat. > > > red hat has been pretty good about actively looking for > > > vulnerabilities in those packages. distros that automatically > > > upgrade to the latest version (gentoo etc) can also burn you. they > > > would make better template vms where your more likely to want newer > > > software and new issues can be better contained. > > > > > > for dom0, newer distros are better at hardware compatibility with > > > those fancy new processors, graphics cards and storage controllers > > > in laptops. > > > > > > just personal opinion, but wayland is a better fit than x11 for > > > qubes in the long run. fedora is the only distro with a dedicated > > > security staff actively supporting it. > > > > > > anytime you abstract a layer, your diluting your resources. > > > maintaining a dom0 isnt much more work than a domu template, but if > > > you want to add slackware, arch, and gentoo, youve now more than > > > doubled the developers distro maintanance work when they could be > > > working on stability and features. > > > > Potentially worth noting here that in Ed Snowden's keynote at > > Libreplanet 2016, he criticized the free software community's tendency > > to use stable, outdated software. Snowden said that the attackers > > move and adapt quickly, and it's dangerous to continue using outdated > > software that doesn't have the latest security fixes/features just > > because it's more stable or more backward-compatible. Snowden did not > > explicitly mention any distros that he was talking about, but I got > > the distinct impression that he was (at least in part) talking about > > Debian. > > > > Of course, "appeal to authority" is a classic fallacy, so we shouldn't > > do what Snowden says without questioning it, but I think it's at least > > worth considering his argument seriously. > > > > Cheers, > > - -Jeremy > > -BEGIN PGP SIGNATURE- > > > > iQIcBAEBCgAGBQJYaTeQAAoJELPy0WV4bWVwbNgP+QG3jY+xlwsTnViOS+IFEHMP > > Nyt+d9Cuq7iEnCsr1fuXbzjSNB8RDM0y2BY6rciELmo4kvyfsGoPYZod7nOlQPeV > > xjgjubrlA3udMxSCsc5lc2DbP4IszehJECYGbZw4gaFabScs6ugt0P9gxKaiTIWR > > pa9bAaSzJffZsJg9/efUJuo134Mdd8QBssKEC6idWCiEuM8YWHZI9xKfvhTjRrqj > > g233nSNbvctg0yoUQbf2XHZ6gyGZ2p0Y1ab8o0o0MFVsuQIuPCKlWgr/WhjgdWDY > > Ye4TCYZhonuLHRCiOt+ZuS2w8nj24O0qFvXra+asXAaW2mFzQa/Aq3CdLBE87nXE > > z3dgNp2Z08dWi28ncbCwvn8mpw0w07yl1n6+2JlBC4pDTF2/r6BMgsp4DIS9sFDB > > h+mFWCnqh80P/39SQeOoOcHATruMfHp8CUDVtOMVBRV4VpoA7YaKxiiiUXFnD21M > > S6XP7QqxPkbPW0E77UeR53igB61QQ1t3Fb4QQRLZY1bhncKn3kM/OmUDnHzepLQn > > 0/FLW/aJMBofOHeb6xqrfipeayGrdHLNuav9Nu1QRuX2lY6E0Sl40VZBwRERxfaW > > t+Ck3n4Qw2Gru13zXPhHuE8OpTV3/RgkMzNMnADxfArhSIW2zwoYQvNCn8U/LNaq > > P2HMZA0yehx6CZnBmdb/ > > =RC2L > > -END PGP SIGNATURE- > > I disagree with Snowden on this, if it aint broke don't fix it. What > usually happens in reality is the newer software introduces even more bugs > then were originally there imo for the sake of new shiny things. Many > experts say we are actually less safe nowadays cause systems are already too > complex.And if new exploits found in old software are patched with > security updates then I think the freesoftware communities have it right when > it comes to security. > > If he means old software thats no longer maintained and abandoned then he has > a good point. There is plenty of that in every linux distro, some more then > others. > > But saying attackers adapt quick, means to me adapting to something new, > adapting to a new exploit, not a secret one they've already known about. I use to believe that always updating software would remove exploits currently in them. But usually in reality if not specifically addressed, since new software is still built upon the same old software, the old bugs still exist while new ones are now introduced as well. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e9374a34-a97f-41bd-b46c-d0aabf4ba8cd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > pixel fairy: > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com > > wrote: > >> We all know Fedora is a big name, but is it a good choice for a > >> Security Driven OS like QubeOS to be based around? What do others > >> here think? > > > > There are a lot of packages creating a bigger attack surface. but, > > bigger distros like fedora have companies behind them like red hat. > > red hat has been pretty good about actively looking for > > vulnerabilities in those packages. distros that automatically > > upgrade to the latest version (gentoo etc) can also burn you. they > > would make better template vms where your more likely to want newer > > software and new issues can be better contained. > > > > for dom0, newer distros are better at hardware compatibility with > > those fancy new processors, graphics cards and storage controllers > > in laptops. > > > > just personal opinion, but wayland is a better fit than x11 for > > qubes in the long run. fedora is the only distro with a dedicated > > security staff actively supporting it. > > > > anytime you abstract a layer, your diluting your resources. > > maintaining a dom0 isnt much more work than a domu template, but if > > you want to add slackware, arch, and gentoo, youve now more than > > doubled the developers distro maintanance work when they could be > > working on stability and features. > > Potentially worth noting here that in Ed Snowden's keynote at > Libreplanet 2016, he criticized the free software community's tendency > to use stable, outdated software. Snowden said that the attackers > move and adapt quickly, and it's dangerous to continue using outdated > software that doesn't have the latest security fixes/features just > because it's more stable or more backward-compatible. Snowden did not > explicitly mention any distros that he was talking about, but I got > the distinct impression that he was (at least in part) talking about > Debian. > > Of course, "appeal to authority" is a classic fallacy, so we shouldn't > do what Snowden says without questioning it, but I think it's at least > worth considering his argument seriously. > > Cheers, > - -Jeremy > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJYaTeQAAoJELPy0WV4bWVwbNgP+QG3jY+xlwsTnViOS+IFEHMP > Nyt+d9Cuq7iEnCsr1fuXbzjSNB8RDM0y2BY6rciELmo4kvyfsGoPYZod7nOlQPeV > xjgjubrlA3udMxSCsc5lc2DbP4IszehJECYGbZw4gaFabScs6ugt0P9gxKaiTIWR > pa9bAaSzJffZsJg9/efUJuo134Mdd8QBssKEC6idWCiEuM8YWHZI9xKfvhTjRrqj > g233nSNbvctg0yoUQbf2XHZ6gyGZ2p0Y1ab8o0o0MFVsuQIuPCKlWgr/WhjgdWDY > Ye4TCYZhonuLHRCiOt+ZuS2w8nj24O0qFvXra+asXAaW2mFzQa/Aq3CdLBE87nXE > z3dgNp2Z08dWi28ncbCwvn8mpw0w07yl1n6+2JlBC4pDTF2/r6BMgsp4DIS9sFDB > h+mFWCnqh80P/39SQeOoOcHATruMfHp8CUDVtOMVBRV4VpoA7YaKxiiiUXFnD21M > S6XP7QqxPkbPW0E77UeR53igB61QQ1t3Fb4QQRLZY1bhncKn3kM/OmUDnHzepLQn > 0/FLW/aJMBofOHeb6xqrfipeayGrdHLNuav9Nu1QRuX2lY6E0Sl40VZBwRERxfaW > t+Ck3n4Qw2Gru13zXPhHuE8OpTV3/RgkMzNMnADxfArhSIW2zwoYQvNCn8U/LNaq > P2HMZA0yehx6CZnBmdb/ > =RC2L > -END PGP SIGNATURE- I disagree with Snowden on this, if it aint broke don't fix it. What usually happens in reality is the newer software introduces even more bugs then were originally there imo for the sake of new shiny things. Many experts say we are actually less safe nowadays cause systems are already too complex.And if new exploits found in old software are patched with security updates then I think the freesoftware communities have it right when it comes to security. If he means old software thats no longer maintained and abandoned then he has a good point. There is plenty of that in every linux distro, some more then others. But saying attackers adapt quick, means to me adapting to something new, adapting to a new exploit, not a secret one they've already known about. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/faa57a13-6bae-4007-b311-5c89d7989718%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Wednesday, December 28, 2016 at 12:01:57 AM UTC-5, Vít Šesták wrote: > While I agree Debian is a fair choice in terms of security, I disagree with > your reasoning. The “encryption bypass” is rather a minor vulnerability (i.e. > if attacker has all prerequisities to abuse it, she probably could also > perform another attacks) and I don't believe that this is statistically > significant. On the other hand, there are also some Debian-specific > vulnerabilities. For example, recent APT vulnerability or not-so-recent > vulnerable SSH keys due to some Debian-specific tuning. This does not suggest > that Debian is less secure, this suggests it is not so clear. > > Regards, > Vít Šesták 'v6ak' There are alot of reasons why I feel Fedora and Debian are the two most secure mainstream linux distros. But thats not saying much at all, its why we use Qubes. Linux sucks imo and is no better then windows. Especially when using popular distros. These are just my personal opinions I might be living in a bubble. Yes, I was also trying to point out the choice of security between the two is not so clear.. But when it comes to the things that puts fedora up there like a default firewall or selinux , They don't matter for a Qubes dom0. But I think if hardware support is priority, fedora always optimized for a newer kernel and newer driver support and having newer software would be more ideal. If stability, then debian. Things like holding enter button down to bypass luks, or holding backspace down to bypass grub, or using siri and hitting pad a couple times to bypass ios phone lock(ion every single version). whether needing physical access or not, sure does make me wonder if they are not there on purpose. Like for police purposes. I've always felt the people behind ubuntu or fedora are not as trustworthy when it comes to privacy if not security then a distro like debian. I'm sure everyone knows all the common reasons why, so no need to list them all, but things like NSA, Search redirections, corporate greed, unknown network connections, services phoning home, etc always come up... When using a baremetal system I prefer debian system because I feel by default it gives more protection from itself then fedora will protect you from fedora. That includes both backdoors and stability. And if you want a conspiracy theory I think Russia has been undermining fedora especially starting with fedora 20. I have also felt every hardened fedora box I have ever owned has been hacked or maliciously destroyed. Every single one. Its never happened with a hardened debian, or even with a hardened windows 7. But again in this case for a Qubes dom0 I don't think it really matters. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/876ac1cb-9f9e-4aaa-b746-d0a464d3f280%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Wednesday, 4 January 2017 02:19:20 UTC+11, Ronald Duncan wrote: > This thread just sprung to life again. > > I had a quick look at > > https://www.qubes-os.org/doc/templates/ > > And along with Debian which is installed by default both > > Arch and > Ubuntu > > Are available... But not for Dom0... that is the main issue for me. Need a Slackware build. At least then there will be no SystemD crap. > My personal preference in Ubuntu because it generally just works, and Arch > because it has the latest version of everything when every you have the > problem that xyz does not work because it needs the latest version. That the > distribution maintainer has not yet made available in your favourite distro. > I have not yet tried these templates. > > Since I am a xfce fan I love qubes UI along with all the other parts. I am an xFCE fan as well. It's a simple interface and just works smoothly, unlike KDE and Gnome which are so bloated. > Only gripe is no Win10 template ( and the various issues getting Windows to > work - no password ). I have found no issues getting windows to work with no password. I just set the auto Login, and done. There are no tools for Win10, so until then, all good. But if you want to use the tools, stick to version 3.2.1.3 until they fix them, because the tools got broken in version 3.2.2.3, and I have not seen a version that is fixed yet. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/42d41a16--4cb7-b106-b815841d5d38%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
This thread just sprung to life again. I had a quick look at https://www.qubes-os.org/doc/templates/ And along with Debian which is installed by default both Arch and Ubuntu Are available... My personal preference in Ubuntu because it generally just works, and Arch because it has the latest version of everything when every you have the problem that xyz does not work because it needs the latest version. That the distribution maintainer has not yet made available in your favourite distro. I have not yet tried these templates. Since I am a xfce fan I love qubes UI along with all the other parts. Only gripe is no Win10 template ( and the various issues getting Windows to work - no password ). Regards Ronald -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/99bf19f6-e364-4c03-917a-fc15ced62787%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
Jeremy: That's all well and good (though without being specific, the criticism doesn't really impress me, unless the unstated assumption is that 'stable' software doesn't get security fixes), but (esp. in the case of Tor) you can just as easily turn that around: precisely because of the constant updating of firefox (tracked by the tor browser), and because features are constantly being added, it's not the most logical choice of browser. (Not that Chrome is any better on that front.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/80f70898-50a1-40ef-8e24-a727d025b810%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 pixel fairy: > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com > wrote: >> We all know Fedora is a big name, but is it a good choice for a >> Security Driven OS like QubeOS to be based around? What do others >> here think? > > There are a lot of packages creating a bigger attack surface. but, > bigger distros like fedora have companies behind them like red hat. > red hat has been pretty good about actively looking for > vulnerabilities in those packages. distros that automatically > upgrade to the latest version (gentoo etc) can also burn you. they > would make better template vms where your more likely to want newer > software and new issues can be better contained. > > for dom0, newer distros are better at hardware compatibility with > those fancy new processors, graphics cards and storage controllers > in laptops. > > just personal opinion, but wayland is a better fit than x11 for > qubes in the long run. fedora is the only distro with a dedicated > security staff actively supporting it. > > anytime you abstract a layer, your diluting your resources. > maintaining a dom0 isnt much more work than a domu template, but if > you want to add slackware, arch, and gentoo, youve now more than > doubled the developers distro maintanance work when they could be > working on stability and features. Potentially worth noting here that in Ed Snowden's keynote at Libreplanet 2016, he criticized the free software community's tendency to use stable, outdated software. Snowden said that the attackers move and adapt quickly, and it's dangerous to continue using outdated software that doesn't have the latest security fixes/features just because it's more stable or more backward-compatible. Snowden did not explicitly mention any distros that he was talking about, but I got the distinct impression that he was (at least in part) talking about Debian. Of course, "appeal to authority" is a classic fallacy, so we shouldn't do what Snowden says without questioning it, but I think it's at least worth considering his argument seriously. Cheers, - -Jeremy -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYaTeQAAoJELPy0WV4bWVwbNgP+QG3jY+xlwsTnViOS+IFEHMP Nyt+d9Cuq7iEnCsr1fuXbzjSNB8RDM0y2BY6rciELmo4kvyfsGoPYZod7nOlQPeV xjgjubrlA3udMxSCsc5lc2DbP4IszehJECYGbZw4gaFabScs6ugt0P9gxKaiTIWR pa9bAaSzJffZsJg9/efUJuo134Mdd8QBssKEC6idWCiEuM8YWHZI9xKfvhTjRrqj g233nSNbvctg0yoUQbf2XHZ6gyGZ2p0Y1ab8o0o0MFVsuQIuPCKlWgr/WhjgdWDY Ye4TCYZhonuLHRCiOt+ZuS2w8nj24O0qFvXra+asXAaW2mFzQa/Aq3CdLBE87nXE z3dgNp2Z08dWi28ncbCwvn8mpw0w07yl1n6+2JlBC4pDTF2/r6BMgsp4DIS9sFDB h+mFWCnqh80P/39SQeOoOcHATruMfHp8CUDVtOMVBRV4VpoA7YaKxiiiUXFnD21M S6XP7QqxPkbPW0E77UeR53igB61QQ1t3Fb4QQRLZY1bhncKn3kM/OmUDnHzepLQn 0/FLW/aJMBofOHeb6xqrfipeayGrdHLNuav9Nu1QRuX2lY6E0Sl40VZBwRERxfaW t+Ck3n4Qw2Gru13zXPhHuE8OpTV3/RgkMzNMnADxfArhSIW2zwoYQvNCn8U/LNaq P2HMZA0yehx6CZnBmdb/ =RC2L -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/52d5d96c-c021-9673-27c5-1999e8541961%40airmail.cc. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
I agree, redhat seems to always be finding the most crucial vulnerabilities in linux. Also imo, fedora is the most secure big linux distro by default. (a firewall on by default, selinux etc https://fedoraproject.org/wiki/Security_Features?rd=Security/Features) So we know they take security seriously, when most distros dont' give it a look. In fact I can't think of any major distro that does besides debian stable. Something like gentoo or arch might not have as much hardware support. Qubes is aimed at home desktop users I believe, so they want something easy to manage, and they also want broad hardware support. That being said there are things like the latest drive by downloads affecting fedora and google chrome, but that would affect appvms not dom0. But should be noted, fedora and ubuntu were affected with the latest encryption bypass. (holding enter key down) debian was not. So if not fedora my vote is for debian. But those are the only two i would nominate. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f5826f94-762d-40b3-af63-70e1da3cdce9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com wrote: > We all know Fedora is a big name, but is it a good choice for a Security > Driven OS like QubeOS to be based around? > What do others here think? There are a lot of packages creating a bigger attack surface. but, bigger distros like fedora have companies behind them like red hat. red hat has been pretty good about actively looking for vulnerabilities in those packages. distros that automatically upgrade to the latest version (gentoo etc) can also burn you. they would make better template vms where your more likely to want newer software and new issues can be better contained. for dom0, newer distros are better at hardware compatibility with those fancy new processors, graphics cards and storage controllers in laptops. just personal opinion, but wayland is a better fit than x11 for qubes in the long run. fedora is the only distro with a dedicated security staff actively supporting it. anytime you abstract a layer, your diluting your resources. maintaining a dom0 isnt much more work than a domu template, but if you want to add slackware, arch, and gentoo, youve now more than doubled the developers distro maintanance work when they could be working on stability and features. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e58b3b5b-96f8-429d-85ad-38a325721642%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
On 12/26/2016 08:30 PM, Drew White wrote: On Thursday, 3 October 2013 08:52:22 UTC+10, Mailbe User wrote: I think the hardest problem here is people putting aside their distro war differences. Here I see Joanna mention this; 'it should have the latest Desktop Environment and Xorg drivers to make the GUI look slick'. No offense intended for you Joanna but I hope that was meant as a joke. Just because you have the latest DE and up to date system does not mean it works good at all. People seem to be FORGET one simple thing > STABILITY! Without Stability none of it matters if your always running into performance issues and things breaking all the time, and that is something I constantly see with most distros. All distros have their Pros & Cons, but the truth is because Slackware is one of the simplest distros you hardly run into issues like most distros. So let's put our personal differences aside and talk facts. The fact is Slackware is the most stable and least troublesome of all distros and it's the oldest too for one good reason, it's built on a simple principle of STABILITY over bells & whistles, and if you need some of the latest goodies then you can certainly go out there and grab it and compile it yourself. Making slackware packages and adding in dependencies for them is not that complicated once you've done it. Let me make this clear I like all Linux distros, they all have something different they bring to the table, and any Linux in my book is better than Windows! But the FACT is, again, no one can touch Slackware for it's STABILITY! So we want a SECURE OS, what good is it, if it's always having problems, things breaking, crashes, etc...? And if you're going to build this OS around Fedora, then be prepared for A LOT of breakage in the future. Security does not always needed the LATEST UNLESS there is a SECURITY ISSUE that needs fixing, Security should be more CONCERNED with STABILITY! :) NOW with all the distros out there does everyone run into issues all the time? NO, but then again, bugs are called bugs for a reason, not everyone gets them. But when you compare all the distro problems of other distros, compare to Slackware, Slackware has the least amount, and it's not just because of more experienced users, because Patrick Volkerding builds a distro that's stable and has always been the most stable of any distro out there. Cheers :) - Mail.be, WebMail and Virtual Office http://www.mail.be If you can get a Slackware version working, for Dom0 as well as Guests, I know many people that would switch over to Qubes. There are many people that hate SystemD. Also, having a stable platform, one that isn't releasing a new version every 10 seconds like Fedora, and only just updates to the system to ensure security would be of great advantage. If you can get it done with Qubes 3.2, that would be perfect, since Qubes 4.0 will not work on much hardware that people use these days (according to the requirements). Yeah I really hate using systemd and being forced in to whatever redhat/poettering is doing at the moment. Instead of dropping support for non IOMMU systems there should simply be a security rating slide with different levels and colors to indicate security status when you start the installer (test for HVM, IOMMU, IOMMU-Interrupt Remapping, SLAT, presence of ME/PSP or other DRM, firmware security such as prop bios > coreboot > blob free coreboot as the most secure, etc) Qubes should be geared to power users, not the average idiot that doesn't want to put in the slightest bit of effort to understand security. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1cbd8147-6acb-bbd4-67ae-48bbb520f98d%40gmx.com. For more options, visit https://groups.google.com/d/optout.
