Qubes silently ditches Librem


bal...@tutanota.com

Jul 8, 2017, 3:24:27 AM
to qubes...@googlegroups.com
For those of us who followed Qubes hardware recommendations and then bought or ordered shiny new Librem 13 laptops, you'll maybe not have noticed that qubes has silently and sneakily withdrawn the recommendation, leaving us all in the lurch.
Originally qubes was sold to us all as a reasonably secure OS - that security they said was built around the trusted ZEN platform. We now know that Zen has numerous security vulnerabilities.
How can we trust Qubes' judgement anymore? I certainly don't.


--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

Vincent Adultman

Jul 8, 2017, 7:29:16 AM
to qubes...@googlegroups.com

-------- Original Message --------
Subject: [qubes-users] Qubes silently ditches Librem
Local Time: July 8, 2017 8:24 AM
UTC Time: July 8, 2017 7:24 AM

> For those of us who followed Qubes hardware recommendations and then bought or ordered shiny new Librem 13 laptops, you'll maybe not have noticed that qubes has silently and sneakily withdrawn the recommendation, leaving us all in the lurch.
> Originally qubes was sold to us all as a reasonably secure OS - that security they said was built around the trusted ZEN platform. We now know that Zen has numerous security vulnerabilities.
> How can we trust Qubes' judgement anymore? I certainly don't.

Okay, I'll bite because I have an interest in being involved with the documentation project and because I'm interested in getting a new Qubes laptop myself. Disclaimer that I don't read every post on the lists.

I think certification here has been confused with recommendation, taking a quick look at history on github that seems to be the case.

"-Some users may wish to consider [Qubes-certified laptops].
-However, it is important to note that such laptops are certified only for *compatibility* with Qubes OS.
-In particular, the [Purism Librem 13] is certified only for compatibility with Qubes R3.x, and it is not likely to be certified for compatibility with Qubes R4.x.
-Aside from compatibility, we do not believe that it should be considered any safer than other laptops."

The original press release is more positive https://www.qubes-os.org/news/2015/12/09/purism-partnership/ but doesn't to me make any claims for the product beyond compatibility.

This said, a reference to the previous arrangement (and what happened to it, it may just be that the contract for the cut for the developers from each sale expired) would be good to display on the page for the avoidance of this exact discussion.

Purism have made their own statement here https://puri.sm/posts/2017-07-shipping-update-for-qubes-orders/
and it looks like they aren't producing the certified laptop anymore and don't want to pay for the new certification procedure. This is fine and their right best as I can see. I do find it odd that before this though they state they do not have an automated OEM image at present...I'd be curious to know if they've ever had one of those.

From a business / customer service point of view, I'm curious to know how you feel left in the lurch, has a specific Qubes update bugged out on your machine, or do you worry that ITL are aware of a more fundamental issue with these laptops they're keeping close to their chests? (I'd think that unlikely, as shit of that kind always floats to the surface given enough time). The new requirements seem fairly pragmatic (i.e. coreboot and allowing some vendor blobs) https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
I'd be interested to know what the charge Purism refer to is, though I guess it's the time of ITL's week in poking the laptop to their satisfaction.

On the "zen" point, I wonder if it's possible to interpret "reasonable secure" in two different ways. At one point on these lists a slogan for Qubes of "be your own bitch" was bandied about which I always felt much more appropriate, and the two always remind me of the definition of an optimist and a pessimist (i.e. "we're safe forever" vs "we're due").

Again, I don't think the developers have done anything underhanded here, yes they plumped for Xen as hypervisor in which serious vulnerabilities have been found but they both publish a record of the impact of these vulnerabilities https://www.qubes-os.org/security/xsa/ and have provided a better backup recovery method https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/ for those who wish to proceed as if they have indeed been compromised after every such vulnerability comes to light. They've also been quite critical of the Xen project in the proceeding years and are changing the type of virtualisation used in Qubes 4.0, this leads me to believe that should they ever completely lose patience with Xen, they would move Qubes to a different Hypervisor (if a better one was available) and indeed the underlying framework allows this.

Again, the question I'd be interested to ask is how this brings judgment into question? One of the criticisms I believe ITL / Qubes has made of Xen is that it is too focused on adding new features required by commercial users at the expense of security, but a different hypervisor would still need to be "better" enough to justify the work in moving to it...

qub...@tutanota.com

Jul 9, 2017, 7:00:18 AM
to qubes...@googlegroups.com
bal...@tutanota.com:
Despite the "spin" put out earlier today by Qubes's Andy Wong, the real
reason Qubes ditched Librem 13, is because the Librem 13 v2 BIOS
firmware is from Coreboot. Regrettably, Qubes 4 will not yet boot
properly from Coreboot [see github] - hence Librem 13 v2 is useless.

Unman

Jul 10, 2017, 10:56:30 AM
to qub...@tutanota.com, qubes...@googlegroups.com
This simply isn't true - it's clear from the Purism statement that Librem
13v2 has not been entered for certification.

Since Qubes 4 is still at an early stage of development (not even RC1),
there is little prospect of ANY machine being certified for it at this
stage.
The fact that there are issues with Coreboot now is irrelevant - there
are issues with all sorts of things in 4 as it stands. But it was stated
that Qubes certified hardware should run on open source boot firmware,
and I don't think that has changed.

I don't think that Librem users have been "left in the lurch". It was
made clear that the Librem13 was not likely to be certified for Qubes 4.
This doesn't mean that the machine won't work with 4 - if you look at the
requirements page for 4, minimal are VT-x, VT-d, SLAT.
A quick look at the HCL and the purism site confirms that the 13 has
Core i5 6200U, and that CPU does have VT-x, VT-d and SLAT.
So in what sense does OP have grounds for feeling "left in the lurch"?

unman

Chris Laprise

Jul 10, 2017, 2:54:43 PM
to Unman, qub...@tutanota.com, qubes...@googlegroups.com
On 07/10/2017 10:56 AM, Unman wrote:
> This simply isn't true - it's clear from the Purism statement that Librem
> 13v2 has not been entered for certification.
>
> Since Qubes 4 is still at an early stage of development (not even RC1),
> there is little prospect of ANY machine being certified for it at this
> stage.
> The fact that there are issues with Coreboot now is irrelevant - there
> are issues with all sorts of things in 4 as it stands. But it was stated
> that Qubes certified hardware should run on open source boot firmware,
> and I don't think that has changed.
>
> I don't think that Librem users have been "left in the lurch". It was
> made clear that the Librem13 was not likely to be certified for Qubes 4.
> This doesn't mean that the machine won't work with 4 - if you look at the
> requirements page for 4, minimal are VT-x, VT-d, SLAT.
> A quick look at the HCL and the purism site confirms that the 13 has
> Core i5 6200U, and that CPU does have VT-x, VT-d and SLAT.
> So in what sense does OP have grounds for feeling "left in the lurch"?
>
> unman
>

And I think it's worth re-stating that Qubes wants a formal certification
process (which Purism chose not to continue).

Qubes should be lauded for creating this process and standing by it; it
guards against the erroneous perceptions people have about "PC hardware"
being a uniform blank canvas for creating an OS.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

bal...@tutanota.com

Jul 11, 2017, 3:47:32 PM
to qubes...@googlegroups.com, public-qubes-users-/...@plane.gmane.org
Chris Laprise:
Sorry guys, I realise you are a couple of die-hard Qubesmen and are
desperately trying to defend Qubes reputation, but you need to remove
the blinkers and examine the facts.

Fact 1/ in my original post I stated "For those of us who followed Qubes
hardware recommendations and then bought or ordered shiny new Librem 13
laptops, you'll maybe not have noticed that qubes has silently and
sneakily withdrawn the recommendation...". Six months after Purism
began taking orders for the version 2 of the Librem 13 and 12 hours
after I posted, Andy Wong published an announcement acknowledging that
Librem 13v2 was no longer certified by qubes. Now if that doesn't leave
people who ordered a version2 Librem13 and just recently had it
delivered, in the lurch - I don't know what does.

Fact 2/ In December 15 Qubes trumpeted via its News pages
https://www.qubes-os.org/news/2015/12/09/purism-partnership/. Entitled;
Partnering with Purism and the first Qubes-certified laptop.
Within the document is this statement; "This begins with the
certification of the Librem 13" - the words Librem 13 provides a link to
https://puri.sm/librem-13. Contrary to the arguments you've posted,
you'll notice that nowhere within the document does it specify that the
certification covers Version 1 of Librem13 only. To the contrary,
clicking the link takes you to Version2 of the Librem 13.

To summarise.
Many months after Purism started taking orders for Version 2 of the
Librem 13, Qubes formally withdrew its certification leaving users in
the lurch. In the meantime Qubes pocketed $100 per order in commission.
This is unforgivable, indefensible behavior.


Unman

Jul 11, 2017, 7:30:36 PM
to bal...@tutanota.com, qubes...@googlegroups.com, public-qubes-users-/...@plane.gmane.org
"die-hard Qubesman"? I'll take that as a compliment, it's quite catchy.

If I understand your complaint it's that Purism have sold you a laptop
which you thought was certified by Qubes, but isn't. It isn't certified
because Purism changed the specs and decided that they wouldn't submit
this model for certification.

I have no idea what the terms of the agreement were between Purism
and Qubes, nor what monies (if any) changed hands. I doubt that you do,
but perhaps you do.
I don't suppose that anyone considered what would happen if Purism
produced a new laptop with different specs but bearing the same name as
the certified one. At best it seems naive on their part.

If you told Purism you wanted the laptop because it's Qubes certified,
you have a claim against them and can get a refund. If you can otherwise
show you were misled your claim is against Purism. I don't know what
jurisdiction you are under but it seems to me a claim of passing off
would succeed.

In any case, you still haven't explained in what way you have been left
in the lurch. You have a laptop that seems to be compatible with Qubes
3. It looks as if it will be compatible with 4, but there was never
any guarantee of that.

Anyway, I have no interest in "defending Qubes reputation"; nor any
interest in Purism. If you have specific problems with using Qubes on
your shiny new Librem 13, I'll try to help.

cheers

unman

Andrew David Wong

Jul 11, 2017, 10:42:43 PM
to bal...@tutanota.com, qubes...@googlegroups.com, public-qubes-users-/...@plane.gmane.org
The announcement didn't actually say (nor would it be accurate to say)
that the Librem 13v2 was "no longer certified," since it was never
certified to begin with (see below).

> Fact 2/ In December 15 Qubes trumpeted via its News pages
> https://www.qubes-os.org/news/2015/12/09/purism-partnership/. Entitled;
> Partnering with Purism and the first Qubes-certified laptop.
> Within the document is this statement; "This begins with the
> certification of the Librem 13" - the words Librem 13 provides a link to
> https://puri.sm/librem-13. Contrary to the arguments you've posted,
> you'll notice that nowhere within the document does it specify that the
> certification covers Version 1 of Librem13 only. To the contrary,
> clicking the link takes you to Version2 of the Librem 13.
>

At the time of that post, there was no such thing as "v1" or "v2" of the
Librem 13. It was just "the Librem 13." Only subsequently was a new
configuration introduced called "Librem 13v2." When the new version was
introduced, the original configuration was retroactively renamed "Librem
13v1," presumably to disambiguate it from the new version.

There's no way we could have known, at the time of that original 2015
post, that there would end up being two versions of the Librem 13, or
that the same URL on the Purism website would be used as the product
page for both versions. Our certification process targets a _specific
laptop configuration_. Change the configuration, and it's no longer the
same laptop, at least as far as our certification process is concerned.
Why? Because what we're certifying is the fact that we've rigorously
tested that a certain version of Qubes OS is compatible with a certain
piece of hardware. If you change that piece of hardware or replace it
with a different one, we can't guarantee that the new piece of hardware
will be compatible unless we test it.

> To summarise.
> Many months after Purism started taking orders for Version 2 of the
> Librem 13, Qubes formally withdrew its certification leaving users in
> the lurch. In the meantime Qubes pocketed $100 per order in commission.
> This is unforgivable, indefensible behavior.
>

It's worth noting that the commissions the project received were never
enough to cover the cost of our developers' time and labor in performing
the testing and certification process, but we knew this would be the case
going in. This was never about the money; it was about trying to make it
easier for Qubes users to find compatible hardware.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

bal...@tutanota.com

Jul 13, 2017, 7:44:30 AM
to Andrew David Wong, qubes...@googlegroups.com, public-qubes-users-/...@plane.gmane.org


That's easy to say Andy, but have you any proof? Qubes is an Open Source project so why not open up the qubes accounts and let the users see some factual information. Surely, there can't be anything to hide?



Michael Carbone

Jul 13, 2017, 8:56:20 AM
to qubes...@googlegroups.com
>>>> To summarise. Many months after Purism started taking orders
>>>> for Version 2 of the Librem 13, Qubes formally withdrew its
>>>> certification leaving users in the lurch. In the meantime Qubes
>>>> pocketed $100 per order in commission. This is unforgivable,
>>>> indefensible behavior.
>>
>> It's worth noting that the commissions the project received were
>> never enough to cover the cost of our developers' time and labor in
>> performing the testing and certification process, but we knew this
>> would be the case going in. This was never about the money; it was
>> about trying to make it easier for Qubes users to find compatible
>> hardware.
>
> That's easy to say Andy, but have you any proof? Qubes is
> an Open Source project so why not open up the qubes accounts and let
> the users see some factual information. Surely, there can't be
> anything to hide?

Purism doesn't publicly publish the number of laptops it sells?

If you convince them to do so, then multiply the number of
Librem 13 (rev1) that were chosen by the user to have Qubes OS
pre-installed by $100 to get the amount the Qubes project received from
them.

The "lurch" is that new users can no longer order laptops with Qubes
pre-installed and the Qubes project no longer receives a commission for
these laptops. These seem like not good things for the Qubes project --
why would we want this outcome?

Your Librem 13 rev2 will probably work fine with Qubes, feel free to
make a HCL report and share it with the rest of the community, I'm sure
others would appreciate it:

https://www.qubes-os.org/doc/hcl/

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4


Noor Christensen

Jul 13, 2017, 11:01:12 AM
to qubes...@googlegroups.com, public-qubes-users-/...@plane.gmane.org
On Thu, Jul 13, 2017 at 01:44:24PM +0200, bal...@tutanota.com wrote:
>
> That's easy to say Andy, but have you any proof? Qubes is an Open
> Source project so why not open up the qubes accounts and let the users
> see some factual information. Surely, there can't be anything to hide?

What would be the point of opening up "the qubes accounts"?

Let's return to your initial questions regarding Librem 13 not getting
certified. Andrew addressed your concerns and explained what happened
with the collaboration process between Librem and Qubes, and why.

Do you have any reason to believe anyone is lying?

It looks to me that neither Qubes nor Librem made any promises to anyone,
and that you might have read the *partnership announcement* post as if
the certification was a fact.

They decided to not proceed with the certification, end of story.

-- noor

|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| no...@fripost.org ~ 0x401DA1E0