[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-09 Thread Drew White
On Tuesday, 10 January 2017 10:47:58 UTC+11, Connor Page  wrote:
> Sorry Drew, you asked what needs to be installed to make another dom0, not 
> the bare minimum that is required.

I'm sorry that I was not more specific when I said "needs". It can be taken 
multiple ways, I should have been more precise.


>Every Qubes specific package provides a list of prerequisites and version 
>conflicts.
That is true, but that's why I'm curious about it to know.

>For instance,
> Name:           qubes-core-dom0
> Version:        %{version}
> Release:        1%{dist}
> Summary:        The Qubes core files (Dom0-side)
> 
> Group:          Qubes
> Vendor:         Invisible Things Lab
> License:        GPL
> URL:            http://www.qubes-os.org
> BuildRequires:  ImageMagick
> BuildRequires:  systemd-units
> # FIXME: Enable this and disable debug_package
> #BuildArch: noarch
> Requires(post): systemd-units
> Requires(preun): systemd-units
> Requires(postun): systemd-units
> Requires: python, pciutils, python-inotify, python-daemon
> Requires:   qubes-core-dom0-linux >= 3.1.8
> Requires:   qubes-core-dom0-doc
> Requires:   qubes-db-dom0
> Requires:   python-lxml
> Requires:   python-psutil
> # TODO: R: qubes-gui-dom0 >= 2.1.11
> Conflicts:  qubes-gui-dom0 < 1.1.13
> Requires:   libvirt-python
> %if x%{?backend_vmm} == xxen
> Requires:   xen-runtime
> Requires:   xen-hvm
> Requires:   libvirt-daemon-xen >= 1.2.20-6
> %endif
> Requires:   createrepo
> Requires:   gnome-packagekit
> Requires:   cronie
> Requires:   bsdtar
> # for qubes-hcl-report
> Requires:   dmidecode
> Requires:   PyQt4
> 
> Dom0 is created by installing qubes tools that pull in their dependencies and 
> so on. Yum Extender in dom0 can give you all the prerequisites. Of course 
> here we rely on developers being precise when defining them.

That is true. 

Thing is, I'd be building it from code, which is why I need to know. Because 
not everything is as simple as using an RPM or other package like that. And 
there are no SRPMs so that's another thing that makes it not work well for what 
I need to do to get the packages installed to create a new Dom0.

But that's just the way things go unfortunately.

I can but try.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e3512337-8c6d-482b-9951-3fa1bfc8969b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-09 Thread Connor Page
Sorry Drew, you asked what needs to be installed to make another dom0, not the 
bare minimum that is required. Every Qubes specific package provides a list of 
prerequisites and version conflicts. For instance,
Name:           qubes-core-dom0
Version:        %{version}
Release:        1%{dist}
Summary:        The Qubes core files (Dom0-side)

Group:          Qubes
Vendor:         Invisible Things Lab
License:        GPL
URL:            http://www.qubes-os.org
BuildRequires:  ImageMagick
BuildRequires:  systemd-units
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires:   python, pciutils, python-inotify, python-daemon
Requires:   qubes-core-dom0-linux >= 3.1.8
Requires:   qubes-core-dom0-doc
Requires:   qubes-db-dom0
Requires:   python-lxml
Requires:   python-psutil
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts:  qubes-gui-dom0 < 1.1.13
Requires:   libvirt-python
%if x%{?backend_vmm} == xxen
Requires:   xen-runtime
Requires:   xen-hvm
Requires:   libvirt-daemon-xen >= 1.2.20-6
%endif
Requires:   createrepo
Requires:   gnome-packagekit
Requires:   cronie
Requires:   bsdtar
# for qubes-hcl-report
Requires:   dmidecode
Requires:   PyQt4

Dom0 is created by installing qubes tools that pull in their dependencies and 
so on. Yum Extender in dom0 can give you all the prerequisites. Of course here 
we rely on developers being precise when defining them.

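The spec excerpt in the message above already carries the version constraints asked about later in the thread, and they can be pulled out mechanically. The following is an added example, not part of the original messages and not Qubes project code: it parses a trimmed copy of the quoted qubes-core-dom0 excerpt, honouring the `%if x%{?backend_vmm} == xxen` block. `parse_deps`, `pinned` and the `%if` evaluator are hypothetical helpers that handle only the string-comparison form shown in the excerpt.

```python
import re
from typing import NamedTuple, Optional

# Trimmed copy of the qubes-core-dom0 spec excerpt quoted in the thread.
SPEC_EXCERPT = """\
Name:           qubes-core-dom0
BuildRequires:  ImageMagick
BuildRequires:  systemd-units
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
Requires(post): systemd-units
Requires:       python, pciutils, python-inotify, python-daemon
Requires:       qubes-core-dom0-linux >= 3.1.8
Requires:       qubes-db-dom0
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts:      qubes-gui-dom0 < 1.1.13
Requires:       libvirt-python
%if x%{?backend_vmm} == xxen
Requires:       xen-runtime
Requires:       xen-hvm
Requires:       libvirt-daemon-xen >= 1.2.20-6
%endif
Requires:       createrepo
"""


class Dep(NamedTuple):
    tag: str                 # Requires, Requires(post), BuildRequires, Conflicts
    name: str
    op: Optional[str]        # None when any version is accepted
    version: Optional[str]


TAG_RE = re.compile(r"^(BuildRequires|Requires(?:\([a-z,]+\))?|Conflicts)\s*:\s*(.+)$")
DEP_RE = re.compile(r"([^\s,<>=]+)(?:\s*(<=|>=|=|<|>)\s*([^\s,]+))?")
MACRO_RE = re.compile(r"%\{(\??)(\w+)\}")


def expand(text, macros):
    """Expand %{name} and %{?name}; an undefined %{?name} becomes empty."""
    def sub(match):
        optional, name = match.groups()
        if name in macros:
            return macros[name]
        return "" if optional else match.group(0)
    return MACRO_RE.sub(sub, text)


def eval_if(line, macros):
    """Evaluate the '%if A == B' / '%if A != B' string form used in the excerpt."""
    m = re.match(r"%if\s+(\S+)\s*(==|!=)\s*(\S+)\s*$", expand(line, macros))
    if not m:
        raise ValueError("unsupported %if expression: " + line)
    lhs, op, rhs = m.groups()
    return (lhs == rhs) if op == "==" else (lhs != rhs)


def parse_deps(spec, macros=None):
    """Return the dependency tags that are active for the given macro values."""
    macros = macros or {}
    stack = []               # truth values of the enclosing %if blocks
    deps = []
    for raw in spec.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue         # commented-out tags (FIXME/TODO lines) are not dependencies
        if line.startswith("%if"):
            stack.append(eval_if(line, macros))
            continue
        if line.startswith("%else"):
            stack[-1] = not stack[-1]
            continue
        if line.startswith("%endif"):
            stack.pop()
            continue
        if not all(stack):
            continue         # inside a conditional block that is switched off
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, body = m.groups()
        for name, op, ver in DEP_RE.findall(expand(body, macros)):
            deps.append(Dep(tag, name, op or None, ver or None))
    return deps


def pinned(deps):
    """Only the entries that carry a version constraint."""
    return [f"{d.tag}: {d.name} {d.op} {d.version}" for d in deps if d.op]


if __name__ == "__main__":
    for label, macros in (("no backend set", {}), ("backend_vmm=xen", {"backend_vmm": "xen"})):
        deps = parse_deps(SPEC_EXCERPT, macros)
        print(f"{label}: {len(deps)} dependency entries")
        for entry in pinned(deps):
            print("   ", entry)
```

Run against the full spec files of each Qubes dom0 package, the same walk gives a per-package list of hard requirements and version floors, subject to the caveat in the message that it is only as precise as the declared tags.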


[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-09 Thread Drew White
On Friday, 6 January 2017 19:59:43 UTC+11, Connor Page  wrote:
> why wouldn't you consult the list of actually installed packages?
> https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml

Can you, from that, tell me what are REQUIRED for Qubes-OS to be fully 
functional?

If you can, then you must be able to see something that I am not able to.

While that may have a list of a lot of packages, it doesn't say what versions 
are required.



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-06 Thread Connor Page
why wouldn't you consult the list of actually installed packages?
https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-05 Thread Drew White
The real question here I think is..
What needs to be installed in an O/S to create a new Dom0?

I've asked this before, and none answers the question.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-05 Thread Fred
The LUKS issue was all about getting a root shell as opposed to being
able to defeat LUKS or get the keys or decrypt the data. I know this was
a bit misreported in the press.

A bigger issue is if /boot is not encrypted. And with modern GRUB there
is no need for it not to be. Someone could then use this shell to put a
keylogger in /boot process then they could use this vulnerability to do
some damage. But the same is true from booting from removable custom
media to access the encrypted partitions.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-05 Thread Vít Šesták
I have seen much more systemd hate than proper arguments against systemd. But 
if systemd is really wrong, this kind of debate does not contribute to 
rejecting it.

From a security perspective in the context of dom0, systemd is a process that 
interacts with local processes and maybe with a few other local things. If 
systemd is really wrong for security (I am not convinced so), I would expect 
it to allow local privilege escalation, which is not much of a threat in the 
context of Qubes. Did you mean something else?

If there is a proper argument against systemd for dom0, I hope Qubes developers 
will hear it. But they will hardly move to Slackware (or another non-systemd 
distro) just for the sake of getting rid of systemd. I guess that without a good 
argument for it*, there will always be something more important giving better 
improvement, requiring less effort and introducing fewer risks.

Regards,
Vít Šesták 'v6ak'


*) I am not stating there is not any reasonable argument. There might be one I 
haven't realized. But if there is any, it should be mentioned in a proper way.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-04 Thread Vít Šesták
When you don't update, you will eventually have software full of known security 
bugs. Known security bugs (if they aren't properly managed, like analyzing 
their impact and mitigating them) are arguably worse than unknown security bugs 
(ceteris paribus), because they are much cheaper to exploit.

The same does not apply to non-security bugs. The key difference is that 
security bugs are triggered on purpose, while other bugs are triggered 
accidentally.

It is questionable if old software with security patches (e.g. Debian stable, 
Firefox ESR) is better than fresh one or not. I see good arguments on both 
sides, so maybe it depends.

Regards,
Vít Šesták 'v6ak'



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-04 Thread Drew White
On Thursday, 5 January 2017 11:38:52 UTC+11, raah...@gmail.com  wrote:
> On Wednesday, January 4, 2017 at 7:37:42 PM UTC-5, raah...@gmail.com wrote:
> > On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA512
> > > 
> > > pixel fairy:
> > > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com
> > > > wrote:
> > > >> We all know Fedora is a big name, but is it a good choice for a
> > > >> Security Driven OS like QubeOS to be based around? What do others
> > > >> here think?
> > > > 
> > > > There are a lot of packages creating a bigger attack surface. but,
> > > > bigger distros like fedora have companies behind them like red hat.
> > > > red hat has been pretty good about actively looking for
> > > > vulnerabilities in those packages. distros that automatically
> > > > upgrade to the latest version (gentoo etc) can also burn you. they
> > > > would make better template vms where you're more likely to want newer
> > > > software and new issues can be better contained.
> > > > 
> > > > for dom0, newer distros are better at hardware compatibility with
> > > > those fancy new processors, graphics cards and storage controllers
> > > > in laptops.
> > > > 
> > > > just personal opinion, but wayland is a better fit than x11 for
> > > > qubes in the long run. fedora is the only distro with a dedicated
> > > > security staff actively supporting it.
> > > > 
> > > > anytime you abstract a layer, you're diluting your resources.
> > > > maintaining a dom0 isn't much more work than a domu template, but if
> > > > you want to add slackware, arch, and gentoo, you've now more than
> > > > doubled the developers distro maintenance work when they could be
> > > > working on stability and features.
> > > 
> > > Potentially worth noting here that in Ed Snowden's keynote at
> > > Libreplanet 2016, he criticized the free software community's tendency
> > > to use stable, outdated software.  Snowden said that the attackers
> > > move and adapt quickly, and it's dangerous to continue using outdated
> > > software that doesn't have the latest security fixes/features just
> > > because it's more stable or more backward-compatible.  Snowden did not
> > > explicitly mention any distros that he was talking about, but I got
> > > the distinct impression that he was (at least in part) talking about
> > > Debian.
> > > 
> > > Of course, "appeal to authority" is a classic fallacy, so we shouldn't
> > > do what Snowden says without questioning it, but I think it's at least
> > > worth considering his argument seriously.
> > > 
> > > Cheers,
> > > - -Jeremy
> > 
> > I disagree with Snowden on this,  if it ain't broke don't fix it.  What 
> > usually happens in reality is the newer software introduces even more bugs 
> > than were originally there imo for the sake of new shiny things.  Many 
> > experts say we are actually less safe nowadays cause systems are already 
> > too complex.  And if new exploits found in old software are patched with 
> > security updates then I think the free software communities have it right 
> > when it comes to security.
> > 
> > If he means old software that's no longer maintained and abandoned then he 
> > has a good point.  There is plenty of that in every linux distro, some more 
> > than others.
> > 
> > But saying attackers adapt quick,  means to me adapting to something new,  
> > adapting to a new exploit, not a secret one they've already known about.
> 
> I used to believe that always updating software would remove exploits 
> currently in them.  But usually in reality if not specifically addressed,  
> since new software is still built upon the same old software,  the old bugs 
> still exist while new ones are now introduced as well.

If you have a secure system in the first place, the exploits can't get a grip 
easily.
If you manage your system you won't get hit easily.
If you lock the machine down, you won't get hit easily.

I limit SUDO activity to what I want to let things use.
I don't let sudo change passwords..
I don't let sudo do 

Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-04 Thread raahelps
On Wednesday, January 4, 2017 at 7:37:42 PM UTC-5, raah...@gmail.com wrote:
> On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > pixel fairy:
> > > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com
> > > wrote:
> > >> We all know Fedora is a big name, but is it a good choice for a
> > >> Security Driven OS like QubeOS to be based around? What do others
> > >> here think?
> > > 
> > > There are a lot of packages creating a bigger attack surface. but,
> > > bigger distros like fedora have companies behind them like red hat.
> > > red hat has been pretty good about actively looking for
> > > vulnerabilities in those packages. distros that automatically
> > > upgrade to the latest version (gentoo etc) can also burn you. they
> > > would make better template vms where you're more likely to want newer
> > > software and new issues can be better contained.
> > > 
> > > for dom0, newer distros are better at hardware compatibility with
> > > those fancy new processors, graphics cards and storage controllers
> > > in laptops.
> > > 
> > > just personal opinion, but wayland is a better fit than x11 for
> > > qubes in the long run. fedora is the only distro with a dedicated
> > > security staff actively supporting it.
> > > 
> > > anytime you abstract a layer, you're diluting your resources.
> > > maintaining a dom0 isn't much more work than a domu template, but if
> > > you want to add slackware, arch, and gentoo, you've now more than
> > > doubled the developers distro maintenance work when they could be
> > > working on stability and features.
> > 
> > Potentially worth noting here that in Ed Snowden's keynote at
> > Libreplanet 2016, he criticized the free software community's tendency
> > to use stable, outdated software.  Snowden said that the attackers
> > move and adapt quickly, and it's dangerous to continue using outdated
> > software that doesn't have the latest security fixes/features just
> > because it's more stable or more backward-compatible.  Snowden did not
> > explicitly mention any distros that he was talking about, but I got
> > the distinct impression that he was (at least in part) talking about
> > Debian.
> > 
> > Of course, "appeal to authority" is a classic fallacy, so we shouldn't
> > do what Snowden says without questioning it, but I think it's at least
> > worth considering his argument seriously.
> > 
> > Cheers,
> > - -Jeremy
> 
> I disagree with Snowden on this,  if it ain't broke don't fix it.  What 
> usually happens in reality is the newer software introduces even more bugs 
> than were originally there imo for the sake of new shiny things.  Many 
> experts say we are actually less safe nowadays cause systems are already too 
> complex.  And if new exploits found in old software are patched with 
> security updates then I think the free software communities have it right when 
> it comes to security.
> 
> If he means old software that's no longer maintained and abandoned then he has 
> a good point.  There is plenty of that in every linux distro, some more than 
> others.
> 
> But saying attackers adapt quick,  means to me adapting to something new,  
> adapting to a new exploit, not a secret one they've already known about.

I used to believe that always updating software would remove exploits currently 
in them.  But usually in reality if not specifically addressed,  since new 
software is still built upon the same old software,  the old bugs still exist 
while new ones are now introduced as well.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-04 Thread raahelps
On Sunday, January 1, 2017 at 12:08:54 PM UTC-5, Jeremy Rand wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> pixel fairy:
> > On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com
> > wrote:
> >> We all know Fedora is a big name, but is it a good choice for a
> >> Security Driven OS like QubeOS to be based around? What do others
> >> here think?
> > 
> > There are a lot of packages creating a bigger attack surface. but,
> > bigger distros like fedora have companies behind them like red hat.
> > red hat has been pretty good about actively looking for
> > vulnerabilities in those packages. distros that automatically
> > upgrade to the latest version (gentoo etc) can also burn you. they
> > would make better template vms where you're more likely to want newer
> > software and new issues can be better contained.
> > 
> > for dom0, newer distros are better at hardware compatibility with
> > those fancy new processors, graphics cards and storage controllers
> > in laptops.
> > 
> > just personal opinion, but wayland is a better fit than x11 for
> > qubes in the long run. fedora is the only distro with a dedicated
> > security staff actively supporting it.
> > 
> > anytime you abstract a layer, you're diluting your resources.
> > maintaining a dom0 isn't much more work than a domu template, but if
> > you want to add slackware, arch, and gentoo, you've now more than
> > doubled the developers distro maintenance work when they could be
> > working on stability and features.
> 
> Potentially worth noting here that in Ed Snowden's keynote at
> Libreplanet 2016, he criticized the free software community's tendency
> to use stable, outdated software.  Snowden said that the attackers
> move and adapt quickly, and it's dangerous to continue using outdated
> software that doesn't have the latest security fixes/features just
> because it's more stable or more backward-compatible.  Snowden did not
> explicitly mention any distros that he was talking about, but I got
> the distinct impression that he was (at least in part) talking about
> Debian.
> 
> Of course, "appeal to authority" is a classic fallacy, so we shouldn't
> do what Snowden says without questioning it, but I think it's at least
> worth considering his argument seriously.
> 
> Cheers,
> - -Jeremy

I disagree with Snowden on this,  if it ain't broke don't fix it.  What usually 
happens in reality is the newer software introduces even more bugs than were 
originally there imo for the sake of new shiny things.  Many experts say we are 
actually less safe nowadays cause systems are already too complex.  And if 
new exploits found in old software are patched with security updates then I 
think the free software communities have it right when it comes to security.

If he means old software that's no longer maintained and abandoned then he has a 
good point.  There is plenty of that in every linux distro, some more than 
others.

But saying attackers adapt quick,  means to me adapting to something new,  
adapting to a new exploit, not a secret one they've already known about.



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-04 Thread raahelps
On Wednesday, December 28, 2016 at 12:01:57 AM UTC-5, Vít Šesták wrote:
> While I agree Debian is a fair choice in terms of security, I disagree with 
> your reasoning. The “encryption bypass” is rather a minor vulnerability (i.e. 
> if attacker has all prerequisites to abuse it, she probably could also 
> perform other attacks) and I don't believe that this is statistically 
> significant. On the other hand, there are also some Debian-specific 
> vulnerabilities. For example, recent APT vulnerability or not-so-recent 
> vulnerable SSH keys due to some Debian-specific tuning. This does not suggest 
> that Debian is less secure, this suggests it is not so clear.
> 
> Regards,
> Vít Šesták 'v6ak'

There are a lot of reasons why I feel Fedora and Debian are the two most secure 
mainstream linux distros. But that's not saying much at all,  it's why we use 
Qubes.  Linux sucks imo and is no better than windows.  Especially when using 
popular distros.  These are just my personal opinions I might be living in a 
bubble.

Yes, I was also trying to point out the choice of security between the two is 
not so clear..  But when it comes to the things that puts fedora up there like 
a default firewall or selinux, they don't matter for a Qubes dom0.   But I 
think if hardware support is priority,  fedora always optimized for a newer 
kernel and newer driver support and having newer software would be more ideal.  
If stability,  then debian.

Things like holding enter button down to bypass luks, or holding backspace down 
to bypass grub, or using siri and hitting pad a couple times to bypass ios 
phone lock (on every single version).  Whether needing physical access or not,  
sure does make me wonder if they are not there on purpose. Like for police 
purposes.   I've always felt the people behind ubuntu or fedora are not as 
trustworthy when it comes to privacy if not security than a distro like debian. 
I'm sure everyone knows all the common reasons why, so no need to list them 
all,  but things like NSA,  Search redirections, corporate greed, unknown 
network connections, services phoning home,   etc always come up...  When using 
a baremetal system I prefer debian system because I feel by default it gives 
more protection from itself than fedora will protect you from fedora.  That 
includes both backdoors and stability.

And if you want a conspiracy theory I think Russia has been undermining fedora 
especially starting with fedora 20.  I have also felt every hardened fedora box 
I have ever owned has been hacked or maliciously destroyed. Every single one.  
It's never happened with a hardened debian, or even with a hardened windows 7.  
But again in this case for a Qubes dom0 I don't think it really matters.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-03 Thread Drew White
On Wednesday, 4 January 2017 02:19:20 UTC+11, Ronald Duncan  wrote:
> This thread just sprung to life again.
> 
> I had a quick look at
> 
> https://www.qubes-os.org/doc/templates/
> 
> And along with Debian which is installed by default both 
> 
> Arch and
> Ubuntu
> 
> Are available...
 
But not for Dom0... that is the main issue for me.
Need a Slackware build. At least then there will be no SystemD crap.


> My personal preference is Ubuntu because it generally just works, and Arch 
> because it has the latest version of everything whenever you have the 
> problem that xyz does not work because it needs the latest version.  That the 
> distribution maintainer has not yet made available in your favourite distro.  
> I have not yet tried these templates.
> 
> Since I am a xfce fan I love qubes UI along with all the other parts.

I am an xFCE fan as well. It's a simple interface and just works smoothly, 
unlike KDE and Gnome which are so bloated.
 
> Only gripe is no Win10 template ( and the various issues getting Windows to 
> work - no password ).

I have found no issues getting windows to work with no password. I just set the 
auto Login, and done.

There are no tools for Win10, so until then, all good. But if you want to use 
the tools, stick to version 3.2.1.3 until they fix them, because the tools got 
broken in version 3.2.2.3, and I have not seen a version that is fixed yet.



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-03 Thread Ronald Duncan
This thread just sprung to life again.

I had a quick look at

https://www.qubes-os.org/doc/templates/

And along with Debian which is installed by default both 

Arch and
Ubuntu

Are available...

My personal preference is Ubuntu because it generally just works, and Arch 
because it has the latest version of everything whenever you have the problem 
that xyz does not work because it needs the latest version.  That the 
distribution maintainer has not yet made available in your favourite distro.  I 
have not yet tried these templates.

Since I am a xfce fan I love qubes UI along with all the other parts.

Only gripe is no Win10 template ( and the various issues getting Windows to 
work - no password ).

Regards
Ronald



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-02 Thread Foppe de Haan
Jeremy: That's all well and good (though without being specific, the criticism 
doesn't really impress me, unless the unstated assumption is that 'stable' 
software doesn't get security fixes), but (esp. in the case of Tor) you can 
just as easily turn that around: precisely because of the constant updating of 
Firefox (tracked by the Tor Browser), and because features are constantly being 
added, it's not the most logical choice of browser. (Not that Chrome is any 
better on that front.)



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2017-01-01 Thread Jeremy Rand
pixel fairy:
> On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com
> wrote:
>> We all know Fedora is a big name, but is it a good choice for a
>> Security Driven OS like QubeOS to be based around? What do others
>> here think?
> 
> There are a lot of packages creating a bigger attack surface. but,
> bigger distros like fedora have companies behind them like red hat.
> red hat has been pretty good about actively looking for
> vulnerabilities in those packages. distros that automatically
> upgrade to the latest version (gentoo etc) can also burn you. they
> would make better template vms where you're more likely to want newer
> software and new issues can be better contained.
> 
> for dom0, newer distros are better at hardware compatibility with
> those fancy new processors, graphics cards and storage controllers
> in laptops.
> 
> just personal opinion, but wayland is a better fit than x11 for
> qubes in the long run. fedora is the only distro with a dedicated
> security staff actively supporting it.
> 
> anytime you abstract a layer, you're diluting your resources.
> maintaining a dom0 isn't much more work than a domu template, but if
> you want to add slackware, arch, and gentoo, you've now more than
> doubled the developers distro maintenance work when they could be
> working on stability and features.

Potentially worth noting here that in Ed Snowden's keynote at
Libreplanet 2016, he criticized the free software community's tendency
to use stable, outdated software.  Snowden said that the attackers
move and adapt quickly, and it's dangerous to continue using outdated
software that doesn't have the latest security fixes/features just
because it's more stable or more backward-compatible.  Snowden did not
explicitly mention any distros that he was talking about, but I got
the distinct impression that he was (at least in part) talking about
Debian.

Of course, "appeal to authority" is a classic fallacy, so we shouldn't
do what Snowden says without questioning it, but I think it's at least
worth considering his argument seriously.

Cheers,
-Jeremy



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2016-12-27 Thread Vít Šesták
While I agree Debian is a fair choice in terms of security, I disagree with 
your reasoning. The “encryption bypass” is rather a minor vulnerability (i.e. 
if an attacker has all the prerequisites to abuse it, she probably could also 
perform other attacks) and I don't believe that this is statistically 
significant. On the other hand, there are also some Debian-specific 
vulnerabilities. For example, the recent APT vulnerability or the 
not-so-recent vulnerable SSH keys due to some Debian-specific tuning. This does 
not suggest that Debian is less secure; this suggests it is not so clear.

Regards,
Vít Šesták 'v6ak'



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2016-12-27 Thread raahelps
I agree, Red Hat seems to always be finding the most crucial vulnerabilities in 
Linux. Also IMO, Fedora is the most secure big Linux distro by default (a 
firewall on by default, SELinux, etc.: 
https://fedoraproject.org/wiki/Security_Features?rd=Security/Features). So we 
know they take security seriously, when most distros don't give it a look. In 
fact I can't think of any major distro that does besides Debian stable. 
Something like Gentoo or Arch might not have as much hardware support.

Qubes is aimed at home desktop users I believe, so they want something easy to 
manage, and they also want broad hardware support.

That being said there are things like the latest drive by downloads affecting 
Fedora and Google Chrome, but that would affect AppVMs, not dom0.

But it should be noted, Fedora and Ubuntu were affected by the latest 
encryption bypass (holding the enter key down). Debian was not. So if not 
Fedora, my vote is for Debian. But those are the only two I would nominate.



[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2016-12-27 Thread pixel fairy
On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com wrote:
> We all know Fedora is a big name, but is it a good choice for a Security 
> Driven OS like QubeOS to be based around?
> What do others here think?

There are a lot of packages creating a bigger attack surface. but, bigger 
distros like fedora have companies behind them like red hat. red hat has been 
pretty good about actively looking for vulnerabilities in those packages. 
distros that automatically upgrade to the latest version (gentoo etc) can also 
burn you. they would make better template vms where you're more likely to want 
newer software and new issues can be better contained. 

for dom0, newer distros are better at hardware compatibility with those fancy 
new processors, graphics cards and storage controllers in laptops.

just personal opinion, but wayland is a better fit than x11 for qubes in the 
long run. fedora is the only distro with a dedicated security staff actively 
supporting it.

anytime you abstract a layer, you're diluting your resources. maintaining a dom0 
isn't much more work than a domu template, but if you want to add slackware, 
arch, and gentoo, you've now more than doubled the developers distro maintenance 
work when they could be working on stability and features. 



Re: [qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?

2016-12-27 Thread taii...@gmx.com

On 12/26/2016 08:30 PM, Drew White wrote:
> On Thursday, 3 October 2013 08:52:22 UTC+10, Mailbe User  wrote:
>> I think the hardest problem here is people putting aside their distro war 
>> differences.
>> 
>> Here I see Joanna mention this; 'it should have the latest Desktop Environment 
>> and Xorg drivers to make the GUI look slick'.
>> 
>> No offense intended for you Joanna but I hope that was meant as a joke. Just 
>> because you have the latest DE and up to date system does not mean it works 
>> good at all.
>> 
>> People seem to FORGET one simple thing > STABILITY!
>> 
>> Without Stability none of it matters if you're always running into performance 
>> issues and things breaking all the time, and that is something I constantly see 
>> with most distros.
>> 
>> All distros have their Pros & Cons, but the truth is because Slackware is one 
>> of the simplest distros you hardly run into issues like most distros.
>> 
>> So let's put our personal differences aside and talk facts. The fact is Slackware 
>> is the most stable and least troublesome of all distros and it's the oldest too for 
>> one good reason, it's built on a simple principle of STABILITY over bells & 
>> whistles, and if you need some of the latest goodies then you can certainly go out 
>> there and grab it and compile it yourself. Making slackware packages and adding in 
>> dependencies for them is not that complicated once you've done it.
>> 
>> Let me make this clear I like all Linux distros, they all have something 
>> different they bring to the table, and any Linux in my book is better than 
>> Windows! But the FACT is, again, no one can touch Slackware for its STABILITY!
>> 
>> So we want a SECURE OS, what good is it, if it's always having problems, things 
>> breaking, crashes, etc...? And if you're going to build this OS around Fedora, 
>> then be prepared for A LOT of breakage in the future.
>> 
>> Security does not always need the LATEST UNLESS there is a SECURITY ISSUE 
>> that needs fixing, Security should be more CONCERNED with STABILITY! :)
>> 
>> NOW with all the distros out there does everyone run into issues all the time? 
>> NO, but then again, bugs are called bugs for a reason, not everyone gets them. 
>> But when you compare all the distro problems of other distros, compared to 
>> Slackware, Slackware has the least amount, and it's not just because of more 
>> experienced users, because Patrick Volkerding builds a distro that's stable and 
>> has always been the most stable of any distro out there.
>> 
>> 
>> Cheers :)

> If you can get a Slackware version working, for Dom0 as well as Guests, I know 
> many people that would switch over to Qubes.
> 
> There are many people that hate SystemD.
> 
> Also, having a stable platform, one that isn't releasing a new version every 10 
> seconds like Fedora, and only just updates to the system to ensure security 
> would be of great advantage.
> 
> If you can get it done with Qubes 3.2, that would be perfect, since Qubes 4.0 
> will not work on much hardware that people use these days (according to the 
> requirements).

Yeah I really hate using systemd and being forced into whatever 
redhat/poettering is doing at the moment.


Instead of dropping support for non IOMMU systems there should simply be 
a security rating slide with different levels and colors to indicate 
security status when you start the installer (test for HVM, IOMMU, 
IOMMU-Interrupt Remapping, SLAT, presence of ME/PSP or other DRM, 
firmware security such as prop bios > coreboot > blob free coreboot as 
the most secure, etc)


Qubes should be geared to power users, not the average idiot that 
doesn't want to put in the slightest bit of effort to understand security.


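
The installer-time hardware rating suggested in the last message above could be sketched as follows. This is an added example, not part of any message in the thread and not Qubes code: the sample text is constructed to resemble dom0 `xl info` and `xl dmesg` output, and the function names and the red/yellow/green tier boundaries are assumptions. The firmware and ME/PSP checks are left out because they cannot be read from that output.

```python
import re

# Constructed sample text modelled on dom0 `xl info` / `xl dmesg` output.
SAMPLE_XL_INFO = """\
xen_caps  : xen-3.0-x86_64 hvm-3.0-x86_32 hvm-3.0-x86_64
virt_caps : hvm hvm_directio
"""
SAMPLE_XL_DMESG = """\
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled
(XEN) HVM: Hardware Assisted Paging (HAP) detected
"""

def detect_features(xl_info, xl_dmesg):
    """Return {feature name: bool} for the four hardware checks."""
    fields = {}
    for line in xl_info.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    virt_caps = fields.get("virt_caps", [])
    xen_caps = fields.get("xen_caps", [])
    return {
        "HVM": "hvm" in virt_caps or any(c.startswith("hvm-") for c in xen_caps),
        "IOMMU": "hvm_directio" in virt_caps,
        "IOMMU interrupt remapping": bool(
            re.search(r"Interrupt [Rr]emapping enabled", xl_dmesg)),
        # "detected but disabled" must not count as SLAT being usable.
        "SLAT": bool(re.search(
            r"Hardware Assisted Paging \(HAP\) detected\s*$", xl_dmesg, re.M)),
    }

def rate(features):
    """Map features to (level, missing). Tier boundaries are assumptions."""
    missing = [name for name, present in features.items() if not present]
    if not features["HVM"] or not features["IOMMU"]:
        level = "red"      # no hardware isolation of VMs or of PCI devices
    elif missing:
        level = "yellow"   # isolated, but a hardening feature is absent
    else:
        level = "green"
    return level, missing

if __name__ == "__main__":
    level, missing = rate(detect_features(SAMPLE_XL_INFO, SAMPLE_XL_DMESG))
    print(level, "missing:", ", ".join(missing) or "nothing")
```
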