replacing fedora?


pixel fairy

Oct 28, 2016, 6:36:00 AM
to qubes-devel
This has come up a few times, so here's a thread to discuss it.

for whatever reason, supported versions of fedora are not working with qubes. don't know if this is fixable.

debian looked good at first, but its hardware support is too many generations behind. tried switching sys-net to debian, and it couldn't find my intel wifi from 2010. i understand ubuntu has a licencing issue, and thus, cannot be used.

would centos work, or is that also too far behind?

arch and alpine have been brought up as alternatives. anyone try those? do they do a good job with hardware compatibility and vulnerability patching?

WebDawg

Oct 28, 2016, 8:17:04 AM
to pixel fairy, qubes-devel

On Oct 28, 2016 5:36 AM, "pixel fairy" <pixel...@gmail.com> wrote:
>
> This has come up a few times, so here's a thread to discuss it.
>
> for whatever reason, supported versions of fedora are not working with qubes. don't know if this is fixable.
>
> debian looked good at first, but its hardware support is too many generations behind. tried switching sys-net to debian, and it couldn't find my intel wifi from 2010. i understand ubuntu has a licencing issue, and thus, cannot be used.
>

Are you sure you just do not have to look in the non free repos and install the wifi stuff correctly? Usually, because manufacturers choose not to open source drivers there are binary blobs that the source never gets released for and the debian defaults will not use this driver...

Usually they are in repos you have to enable after install. Aka non-free

> would centos work, or is that also too far behind?
>
> arch and alpine have been brought up as alternatives. anyone try those? do they do a good job with hardware compatibility and vulnerability patching?
>

Arch Linux is rolling release, so all software is latest after it gets through community testing.

Even the kernel is latest and just vanilla-linux with a log level change patch.

A lot of hardware compatibility is directly in the kernel or loadable modules so you do have some help here...but since wifi has this blob...it is separate.  Full feature graphics drivers are kind of like this too.  You need to see which upstream has the driver and which distro flows that.


pixel fairy

Oct 28, 2016, 5:49:12 PM
to qubes-devel, pixel...@gmail.com


On Friday, October 28, 2016 at 8:17:04 AM UTC-4, Web Dawg wrote:

> On Oct 28, 2016 5:36 AM, "pixel fairy" <pixel...@gmail.com> wrote:
>
> > debian looked good at first, but its hardware support is too many generations behind. tried switching sys-net to debian, and it couldn't find my intel wifi from 2010. i understand ubuntu has a licencing issue, and thus, cannot be used.
>
> Are you sure you just do not have to look in the non free repos and install the wifi stuff correctly? Usually, because manufacturers choose not to open source drivers there are binary blobs that the source never gets released for and the debian defaults will not use this driver...
>
> Usually they are in repos you have to enable after install. Aka non-free


yes. the non-free firmware was installed, but intel blobs were in their own package. tried it and it works. but newer adapters need new kernels and firmware packages. so we would still need a more current distribution for sys-net.

Eric Shelton

Oct 29, 2016, 11:16:16 PM
to qubes-devel, pixel...@gmail.com
I am a little confused by your statement that "supported versions of fedora are not working with qubes," since you can upgrade the standard Fedora 23 based template to Fedora 24.  Assuming you have done that, I am guessing you really want or need to run a more recent kernel than the 4.4 series used currently in Qubes (at least for network - it gets messy for video, as you start needing newer userspace drivers too).  If so, forward porting Qubes' patches probably ends up being your lowest effort approach.  Chances are you will have to address that issue no matter which distro you try to use, since you want code from newer kernel releases but you have to make sure the newer kernel is compatible with Qubes and its hypervisor.

As far as distro choice, the "chain of custody" for the software being installed is an important issue.  I think Fedora ended up as the distro of choice because it struck one of the better balances between being up to date and likelihood of having a package's code subverted.  I'm guessing the barrier to entry for an attacker to modify an Arch package is lower than with Fedora.  That said, I think the Qubes-related software has been ported to Arch, so it could be a reasonable candidate.

Eric

pixel fairy

Oct 30, 2016, 7:58:18 AM
to qubes-devel, pixel...@gmail.com
On Saturday, October 29, 2016 at 11:16:16 PM UTC-4, Eric Shelton wrote:

> I am a little confused by your statement that "supported versions of fedora are not working with qubes," since you can upgrade the

fedora 23 is no longer supported. the developers are having trouble with fedora 24, which is why the default template and dom0 are still fedora 23. there's a long thread called 'fedora 24' discussing this.

> As far as distro choice, the "chain of custody" for the software being installed is an important issue.  I think Fedora ended up as the distro of choice because it struck one of the better balances between being up to date and likelihood of having a package's code subverted.  I'm guessing the barrier to entry for an attacker to modify an Arch package is lower than with Fedora.  That said, I think the Qubes-related software has been ported to Arch, so it could be a reasonable candidate.

i was worried about that too. and the resources of the smaller distros in keeping up with vulnerability patching.

> Eric

Marek Marczykowski-Górecki

Oct 30, 2016, 2:23:30 PM
to pixel fairy, qubes-devel
On Sun, Oct 30, 2016 at 04:58:17AM -0700, pixel fairy wrote:
> On Saturday, October 29, 2016 at 11:16:16 PM UTC-4, Eric Shelton wrote:
>
> >
> > I am a little confused by your statement that "supported versions of
> > fedora are not working with qubes," since you can upgrade the
> >
>
> fedora 23 is no longer supported.

Where did you find such revelations?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Chris Laprise

Oct 30, 2016, 3:32:38 PM
to Eric Shelton, qubes-devel, pixel...@gmail.com
My first choice for considering a new dom0 OS would be a close Ubuntu
derivative like Trisquel. Updates should not be a problem, and much of
what the Qubes project has learned about Debian can be applied to it as
well.

Chris

Manuel Amador (Rudd-O)

Oct 30, 2016, 4:29:22 PM
to qubes...@googlegroups.com
On 10/28/2016 12:16 PM, WebDawg wrote:
>
> Are you sure you just do not have to look in the non free repos and
> install the wifi stuff correctly? Usually, because manufacturers
> choose not to open source drivers there are binary blobs that the
> source never gets released for and the debian defaults will not use
> this driver...
>
> Usually they are in repos you have to enable after install. Aka non-free
>

By which pixel fairy means rpmfusion.org rpmfusion-nonfree.

Tons of good shit there.

--
Rudd-O
http://rudd-o.com/

Tai...@gmx.com

Oct 30, 2016, 7:21:02 PM
to qubes...@googlegroups.com
Several security problem things to be aware of when picking distros:
* Lack of a bootstrapped download verification method (a https website),
if you are starting from square one the download page simply providing a
key ID isn't going to cut it - who is to say that you aren't being
MITM'ed and the key ID has been replaced with another one?

* Installing a service package in most common distros (debian, opensuse,
etc) will result in it being started with the default configuration and
being network accessible if you don't have your firewall enabled.

* Lack of a secure update download method, packages are almost always
being fetched by a root process via http with not even
selinux/apparmor policies.

* Very outdated package versions that don't support the latest security
features.

Smaller distros like alpine seem attractive at first (and it doesn't
have SystemD - yay) but I assume they lack the resources for proper
security including secure build servers and (like it has been said)
chain of custody and verification for code.

pixel fairy

Oct 31, 2016, 8:29:39 AM
to qubes-devel, pixel...@gmail.com
On Sunday, October 30, 2016 at 2:23:30 PM UTC-4, Marek Marczykowski-Górecki wrote:
> On Sun, Oct 30, 2016 at 04:58:17AM -0700, pixel fairy wrote:
> > On Saturday, October 29, 2016 at 11:16:16 PM UTC-4, Eric Shelton wrote:
> > >
> > > I am a little confused by your statement that "supported versions of
> > > fedora are not working with qubes," since you can upgrade the
> >
> > fedora 23 is no longer supported.
>
> Where did you find such revelations?

https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle

i should have said almost end of life. did not know they give you an extra month after the second next release. fedora 25 is scheduled for release nov 15th, which gives us till dec 15th. while the upgrade to fedora24 template vm was easy, this still leaves the default template vm, and dom0 if that matters. could a qubes-3.2.1 release be made with fedora24 before then?

Andrew David Wong

Oct 31, 2016, 11:08:35 PM
to pixel fairy, qubes-devel
On 2016-10-31 05:29, pixel fairy wrote:
> On Sunday, October 30, 2016 at 2:23:30 PM UTC-4, Marek Marczykowski-Górecki
> wrote:
>> On Sun, Oct 30, 2016 at 04:58:17AM -0700, pixel fairy wrote:
>>> On Saturday, October 29, 2016 at 11:16:16 PM UTC-4, Eric Shelton wrote:
>>>> I am a little confused by your statement that "supported versions of
>>>> fedora are not working with qubes," since you can upgrade the
>>>
>>> fedora 23 is no longer supported.
>>
>> Where did you find such revelations?
>
> https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
>
> i should have said almost end of life. did not know they give you an extra
> month after the second next release. fedora 25 is scheduled for release
> nov 15th, which gives us till dec 15th. while the upgrade to fedora24
> template vm was easy, this still leaves the default template vm, and dom0
> if that matters. could a qubes-3.2.1 release be made with fedora24
> before then?

Dom0 doesn't matter (in that sense):

https://www.qubes-os.org/doc/supported-versions/#dom0

See the note under the table. In particular: "For this reason, we consider
it safe to continue using a given base distribution in dom0 even after it
has reached end-of-life."

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


pixel fairy

Nov 1, 2016, 6:47:22 PM
to qubes-devel, pixel...@gmail.com
On Monday, October 31, 2016 at 11:08:35 PM UTC-4, Andrew David Wong wrote:
> Dom0 doesn't matter (in that sense):
>
> https://www.qubes-os.org/doc/supported-versions/#dom0


i meant with a fedora24 templatevm, or wait till fedora25 when that comes out. has anyone tried a templatevm of the f25 beta?