Fedora 20 support end: effect on f20 based dom0 in Qubes R2?


R F

May 30, 2015, 9:03:29 AM5/30/15
to qubes...@googlegroups.com
Hi,

I am currently running Qubes R2. R2 is based on Fedora 20. Support for f20 ends in a month. No more security updates for dom0 available after that.

"Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the 3rd party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon & Xen store daemon. Of course, we believe this software is reasonably secure, and we hope it will not need patching."

Is there really no need to update the dom0 OS (f20) if Xen is accessible from the network? Isn't Xen a surface-area risk if the OS it's running on isn't updated?

In other words, is it really safe to never update dom0 even after the OS it's based on (f20) has passed its end-of-support life cycle?

If anyone could give me an explanation it will help me gain more understanding in the way Qubes works.

Greatly appreciated!

Thanks.

R

Franz

May 30, 2015, 10:49:18 AM5/30/15
to R F, qubes...@googlegroups.com
Much more critical than the isolated dom0 are the template VMs. Have you been able to update templates to Fedora 21?
Best

Marek Marczykowski-Górecki

May 30, 2015, 11:13:09 AM5/30/15
to R F, qubes...@googlegroups.com
On Sat, May 30, 2015 at 06:03:29AM -0700, R F wrote:
> Hi,
>
> I am currently running Qubes R2. R2 is based on Fedora 20. Support for f20
> ends in a month. No more security updates for dom0 available after that.
>
> *"Normally, there should be few reasons for updating software in dom0. This
> is because there is no networking in dom0, which means that even if some
> bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a
> problem for Qubes, because none of the 3rd party software running in dom0
> is accessible from VMs or the network in any way. Some exceptions to this
> include: Qubes GUI daemon & Xen store daemon. Of course, we believe this
> software is reasonably secure, and we hope it will not need patching."*
>
> Is there really no need to update the dom0 OS (f20) if Xen is accessible
> from the network? Isn't Xen surface area risk if the OS its running isn't
> updated?
>
> In other words, is it really safe to never update dom0 even after the OS
> its based (f20) on has passed its end of support life cycle?

Generally yes. Dom0 is isolated from VMs. VMs can access only a few
interfaces, which include:
- Xen
- device backends (some in the dom0 kernel, some in other VMs - like netvm)
- our tools (gui-daemon, qrexec-daemon etc.)
Those components are security critical. For all of them we provide
updates (when needed), even when the base distribution (Fedora 20 here) is
EOL.

A somewhat more complete list is here:
https://www.qubes-os.org/doc/SecurityCriticalCode/

BTW R3.0 is also based on Fedora 20 and because of the above it isn't a
problem. We plan to update dom0 to a newer distribution in R3.1/R3.2 though.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

R F

May 30, 2015, 11:34:03 AM5/30/15
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Thanks for the clarification Marek!

That fully answered my question.
The necessary updates for accessible dom0 interfaces come through Qubes, not Fedora.
Understood.

One more question, purely out of curiosity. Why is Qubes based on Fedora instead of CentOS (with longer EOL cycles for enterprise purposes)?
Wouldn't it save you guys programming time to stick to one CentOS version for several years, instead of upgrading Fedora more regularly, e.g. for Q3.1-2 as you mentioned?

Keep up the good work. You guys rock!

Thanks

R

Vít Šesták

Jun 1, 2015, 5:25:00 AM6/1/15
to qubes...@googlegroups.com, marm...@invisiblethingslab.com
I hope that the Fedora repositories will not be shut down before the upgrade. While this would not have security implications for most users, it would be hard to customize dom0 somehow…

> One more question, purely out of curiosity. Why is Qubes based on Fedora instead of CentOS (with longer EOL cycles for enterprise purposes)?
> Wouldn't it save you guys programming time to stick to one CentOS version for several years, instead of upgrading Fedora more regularly, e.g. for Q3.1-2 as you mentioned?

This seems to be a good idea to me.

Regards,
Vít Šesták 'v6ak'

R F

Jun 12, 2015, 5:50:17 AM6/12/15
to Vít Šesták, qubes...@googlegroups.com, Marek Marczykowski-Górecki
So, what are all these updates that dom0 requested through the update feature then? See screenshot. The update is over 400 MB in size. It seems to be a general OS update, not only Xen, device backends, and tools (gui-daemon, qrexec-daemon etc.).
(Attachment: IMG_0258.JPG)

Vít Šesták

Jun 12, 2015, 6:15:08 AM6/12/15
to qubes...@googlegroups.com, ma...@ronilution.com, groups-no-private-mail--con...@v6ak.com, marm...@invisiblethingslab.com
Huh, I just got an update for man-pages.

I have R3.0-RC1, but both are based on Fedora 20 in dom0.

Regards,
Vít Šesták 'v6ak'

cprise

Jun 12, 2015, 6:26:14 AM6/12/15
to R F, Vít Šesták, qubes...@googlegroups.com, Marek Marczykowski-Górecki
On 06/12/15 05:49, R F wrote:
> So, what are all these updates dom0 requested through update feature
> then? See screenshot. The update is +400mb size. Seems a general OS
> update, not only Xen, device backends, tools (gui-daemon, qrexec-daemon
> etc).
>
> --

F20 EOL is June 23. Today is June 12.
