Is Fedora Really A Good Choice For QubeOS?


ears...@gmail.com

Oct 1, 2013, 9:32:41 PM
to qubes...@googlegroups.com
We all know Fedora is a big name, but is it a good choice for a Security Driven OS like QubeOS to be based around?

I found it interesting reading that it was mentioned about the Surface Attack on some things related to QubeOS because it was small in size, like the code, not containing much, therefore limiting the Surface Attack.

Ok, GREAT point, but what about the IDEA that if you use a BIG DISTRO like Fedora and the MASSIVE SIZE of the repos and the software contained in it, this sounds like a BIG SURFACE ATTACK area, instead of going with a smaller distro with a smaller surface attack area, considering it on the level of the package/repo size and the smaller amount of people involved, I personally think this is a smarter choice to go with.

Look at Slackware as an example, I believe on the level of package security it has a smaller surface attack area when compared to Fedora by the limited amount it contains in its repo and the smaller amount of people involved with the code.

I believe you limit the amount of hands dealing with code you also limit the amount of bugs being introduced by all the mistakes all these hands can make and introduce, of course a lot more hands sometimes is good to fix things, but I hope you can see the point here.

Like I heard it mentioned before; 'Less hands in the cookie mix makes for less of a cooking mess' and I think this can also apply to code.

I personally think that if QubeOS needs to be based off of another distro because of the limited skills needed to make it from scratch, or limited resources, I think there are much better choices to go with from a security stand point instead of Fedora.

What do others here think?

Zrubecz Laszlo

Oct 2, 2013, 3:12:52 AM
to qubes...@googlegroups.com
On 2 October 2013 03:32, <ears...@gmail.com> wrote:
> What do others here think?

It was already discussed some time ago on the devel list...

Joanna likes fedora - that is the reason ;)

I also think that this is not the right one for this job.
My only real problem is that fedora is a testing distro with a really
short lifetime...

If I had to choose I would prefer gentoo - (or other 'from scratch' one)

Actually anyone can make a new template based on any distribution...
but do not have time to make any work on it. :( - So just trying to
live with this situation right now :)

--
Zrubi

Marek Marczykowski-Górecki

Oct 2, 2013, 6:49:05 AM
to Zrubecz Laszlo, qubes...@googlegroups.com
Also thanks to Olivier's work, there is also an Archlinux template available (for
manual build, but still).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Joanna Rutkowska

Oct 2, 2013, 9:04:47 AM
to Marek Marczykowski-Górecki, Zrubecz Laszlo, qubes...@googlegroups.com
On 10/02/13 12:49, Marek Marczykowski-Górecki wrote:
> On 02.10.2013 09:12, Zrubecz Laszlo wrote:
>> On 2 October 2013 03:32, <ears...@gmail.com> wrote:
>>> What do others here think?
>>
>> It was already discussed some time ago on the devel list...
>>
>> Joanna likes fedora - that is the reason ;)
>>

Actually it was Rafał who liked it! :)

I think the choice of the distro for the AppVMs is of negligible
importance. Most of the desktop functionality (like the desktop
environment) is removed by Qubes anyway. So, it just comes down to the
pkg manager, specifically to the yum/rpm vs. apt/deb religious wars.

The choice of Dom0 distro is of more concern, and ideally we could have
a custom distro here (at least a forked one and maintained by us). But
the problem is that, at least currently, Dom0 also serves as a GUI
domain, and so it should have the latest Desktop Environment and Xorg
drivers to make the GUI look slick ;) (And to support the latest GPUs).

In Qubes R3 we plan to split Dom0 into "the actual Dom0" AKA admin
domain, and the GUI domain. Then we could probably use some minimal,
custom distro for the Dom0/Admin domain, and some
whatever-your-preferences-are distro for the GUI domain. Secure,
reliable GPU passthrough is needed for this, of course.

joanna.


Mailbe User

Oct 2, 2013, 6:52:22 PM
to qubes...@googlegroups.com
I think the hardest problem here is people putting aside their distro war differences.

Here I see Joanna mention this; 'it should have the latest Desktop Environment and Xorg drivers to make the GUI look slick'.

No offense intended for you Joanna but I hope that was meant as a joke. Just because you have the latest DE and up to date system does not mean it works good at all.

People seem to FORGET one simple thing ----> STABILITY!

Without Stability none of it matters if you're always running into performance issues and things breaking all the time, and that is something I constantly see with most distros.

All distros have their Pros & Cons, but the truth is because Slackware is one of the simplest distros you hardly run into issues like most distros.

So let's put our personal differences aside and talk facts. The fact is Slackware is the most stable and least troublesome of all distros and it's the oldest too for one good reason, it's built on a simple principle of STABILITY over bells & whistles, and if you need some of the latest goodies then you can certainly go out there and grab it and compile it yourself. Making slackware packages and adding in dependencies for them is not that complicated once you've done it.

Let me make this clear I like all Linux distros, they all have something different they bring to the table, and any Linux in my book is better than Windows! But the FACT is, again, no one can touch Slackware for its STABILITY!

So we want a SECURE OS, what good is it, if it's always having problems, things breaking, crashes, etc...? And if you're going to build this OS around Fedora, then be prepared for A LOT of breakage in the future.

Security does not always need the LATEST UNLESS there is a SECURITY ISSUE that needs fixing, Security should be more CONCERNED with STABILITY! :)

NOW with all the distros out there does everyone run into issues all the time? NO, but then again, bugs are called bugs for a reason, not everyone gets them. But when you compare all the distro problems of other distros, compared to Slackware, Slackware has the least amount, and it's not just because of more experienced users, because Patrick Volkerding builds a distro that's stable and has always been the most stable of any distro out there.


Cheers :)

adrelanos

Oct 2, 2013, 7:26:10 PM
to qubes...@googlegroups.com
When being a fan of a distro and thinking their security is good...

Some food for thought...

Does distro X's package manager defeat the TUF [1] threat model?

What build hardening features [2] does it use?

[1] https://www.updateframework.com/projects/project/wiki/Docs/Security
[2] To get some names such as ASLR, RELRO, etc., see [3]. (I am not
advocating Ubuntu [4].)
[3] https://wiki.ubuntu.com/Security/Features
[4]
https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

Mailbe User

Oct 2, 2013, 9:34:54 PM
to qubes...@googlegroups.com
With Threat Model being mentioned, I think that also makes Slackware a very good choice given packagement in Slackware is very minimal and simplistic.

adrelanos

Oct 3, 2013, 12:00:21 AM
to qubes...@googlegroups.com
Mailbe User:
> With Threat Model being mentioned, I think that also makes Slackware
> a very good choice given packagement in Slackware is very minimal and
> simplistic.

I am not convinced, that simplicity is everything one needs to safely
implement things. The most simplistic package manager doesn't do
verification, in response, any man-in-the-middle can install malicious
software.

A more sophisticated, still simplistic package manager does
verification, but doesn't detect rollback attacks. In this case, a
man-in-the-middle can ship known vulnerable packages.

Simplicity doesn't work well in all threat models.

It's not about what you think, it's about hard facts you can back up with
references. Otherwise you won't convince anyone.
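
Added example (not part of adrelanos's post, and not code from any real package manager): the three client behaviours described above, run against a forged update and against a replayed old-but-genuinely-signed update. The package name, key and payloads are constructed, and HMAC with a shared key stands in for a real public-key signature so that it runs with the standard library only.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a shared key stands in for a real public-key
# signature scheme; the key and all package data below are constructed.
REPO_KEY = b"constructed-demo-key"


def _canonical(meta):
    """Serialise metadata deterministically so both sides sign the same bytes."""
    return json.dumps(meta, sort_keys=True).encode()


def make_release(name, version, payload):
    """Repository side: describe a package and sign the description."""
    meta = {
        "name": name,
        "version": list(version),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    sig = hmac.new(REPO_KEY, _canonical(meta), hashlib.sha256).hexdigest()
    return {"meta": meta, "sig": sig}, payload


class Client:
    """A toy update client with two independent switches."""

    def __init__(self, verify, track_versions):
        self.verify = verify                  # check signature and payload hash
        self.track_versions = track_versions  # refuse older versions than installed
        self.installed = {}                   # package name -> version tuple

    def install(self, signed, payload):
        meta = signed["meta"]
        if self.verify:
            expected = hmac.new(REPO_KEY, _canonical(meta), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, signed.get("sig", "")):
                return "rejected: bad signature"
            if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
                return "rejected: payload hash mismatch"
        version = tuple(meta["version"])
        if self.track_versions:
            current = self.installed.get(meta["name"])
            if current is not None and version < current:
                return "rejected: rollback"
        self.installed[meta["name"]] = version
        return "installed"


def run_scenarios():
    """Return what each client does with a forged and a replayed update."""
    old = make_release("demo-pkg", (1, 0, 1), b"old build with a known bug")
    new = make_release("demo-pkg", (1, 0, 2), b"fixed build")

    # Forged update: someone on the network path rewrites payload and metadata
    # but cannot produce a valid signature without the repository key.
    evil_payload = b"modified build"
    forged = {
        "meta": {
            "name": "demo-pkg",
            "version": [1, 0, 3],
            "sha256": hashlib.sha256(evil_payload).hexdigest(),
        },
        "sig": "00" * 32,
    }

    clients = {
        "no_verification": Client(verify=False, track_versions=False),
        "verify_only": Client(verify=True, track_versions=False),
        "verify_and_rollback_check": Client(verify=True, track_versions=True),
    }
    results = {}
    for label, client in clients.items():
        client.install(*new)  # every client starts from the fixed release
        results[label] = {
            "forged": client.install(forged, evil_payload),
            # Replay: the old release carries a perfectly valid signature.
            "replayed_old": client.install(*old),
            "ends_on": client.installed["demo-pkg"],
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```

The verify-only client ends up on the known-vulnerable 1.0.1 even though every signature it checked was valid. TUF [1] additionally uses expiring signed metadata so that a client can notice when it is being served stale data, which this sketch does not model.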

Abel Luck

Oct 3, 2013, 10:31:04 AM
to qubes...@googlegroups.com
adrelanos:
Moreover, I think there might be an argument for larger, more popular
distros, and that is the argument regarding corruptibility and the
ability for a community to detect it.

If a malicious change is introduced to a package by a rogue or coerced
developer, it stands to reason that the larger distros are more likely
to detect the change. This is due to the fact they have more eyeballs
and more rigorous QA policies.

~abel

Gáfuð Pað

Oct 3, 2013, 6:26:21 PM
to qubes...@googlegroups.com

Slackware is simple with respect to what the word means, but it also means that there isn't a lot of code underlying it, therefore making it also a smaller attack area. This is the simplicity that was being referred to because of a small amount of code and smaller attack area.

Bigger distros also mean there's more ground to cover to keep a look out for problems. In layman's terms, think of a 1 square kilometre area you are trying to find a termite in, then consider looking for that same termite in only a 10 meter area?

It's my understanding that Slackware is in house only for their development, which brings a higher level of code quality, eliminating problems from the beginning. Now their code development and in house detection only needs to cover a 10 meter area against that termite trying to chew the place up, instead of something like Fedora where they have to cover 1 square kilometre of area to find the attacker.

I don't believe bigger is always better and smaller distros that have been around, at the level of the likes of Slackware are a testament to this.

I might be wrong in what others think about this, but personally, out the box I think that Slackware is as close as you get in the Linux world to the BSDs like OpenBSD.

ghostca...@gmail.com

Oct 4, 2013, 11:20:24 AM
to qubes...@googlegroups.com, ears...@gmail.com
There's no sense in the simpler versus complex argument. If you want a simple framework, then clearly Qubes or virtualized OS's are not what you seek. VM domains do represent in fact a higher level of complexity, like an OS in which to install another OS i.e. more complexity. It depends on what you are trying to accomplish.

Trying to find or prevent bugs, yes, you will want a simpler framework. On the other hand, trying to prevent an attacker from finding an exploit, a more complex framework is preferred. The devil, as they say, is in the details.

ghostca...@gmail.com

Oct 4, 2013, 11:37:08 AM
to qubes...@googlegroups.com, ears...@gmail.com
I also would like to add that while not everyone is nor can be a security expert, we all need security. I like to do media, web design, writing and a host of other things that rely on security amongst other things but that cannot be effectively achieved if my only focus is security. The division of labor is a problem because it is easy to relegate people to thankless and tedious tasks while others do the creative work while simultaneously building their repertoire. You cannot build a knowledge repertoire if you are only doing menial tasks but we are all limited, no one knows everything, and the tedious labor needs to be done one way or the other. The issue I guess is not the division of labor per se but that the division of labor is often used to relegate some to certain forms of work exclusively regardless of capability.

Not sure if this is totally germane but I felt it needed saying. There's lower level discussion happening here I think.

ears...@gmail.com

Oct 4, 2013, 10:14:49 PM
to qubes...@googlegroups.com, ears...@gmail.com
I also believe we need a good stable & secure platform and I think that Slackware better represents this over Fedora.

It's also my understanding that Slackware is a more secure system compared to Fedora, Fedora just offers more goodies to the end-user that want a more complete out the box experience.

adrelanos

Oct 4, 2013, 11:02:22 PM
to qubes...@googlegroups.com
ears...@gmail.com:
> I also believe we need a good stable & secure platform and I think
> that Slackware better represents this over Fedora.

I hate to say, when it comes to security, it's not about what you
believe or think. It's about facts, which you can back up with references.

> It's also my understanding that Slackware is a more secure system
> compared to Fedora, Fedora just offers more goodies to the end-user
> that want a more complete out the box experience.

I don't know so much about Fedora, but for the sake of argument, let's
exchange Debian with Fedora.

> It's also my understanding that Slackware is a more secure system
> compared to Debian, Debian just offers more goodies to the end-user
> that want a more complete out the box experience.

The out of the box user experience isn't relevant here. Debian is being
made by many people. I haven't found exact numbers, but many. The out of
the box user experience you may refer here comes from a Live DVD or
default installer DVD.

For example, the software "gnupg" might be securely (by whatever
standards) packaged as "gnupg" package. And in theory, the maintainer of
the "gnupg" package might not agree with the package selection for
final default installer DVDs or not be interested in that. ("gnupg"
randomly chosen as an example.)

What gets installed by default is the work of a specific person or team
on that topic, sure many others may influence that process. If you read
the question/answers of tasksel (http://joeyh.name/code/tasksel/faq/) it
seems that many don't agree. (tasksel is an important piece of the installer
defining what set of packages gets easily installed.)

When a distribution installs too much and you prefer a minimal system,
that makes a bad first impression. Sure.

But what does this have to do with the quality of the individual
packages? What does this have to do with the security of its package
manager? What does this have to do with the security of Debian
infrastructure?

Only because Debian has more packages in its repository than
minimalistic distributions, it doesn't follow that Debian is less secure.
Packages are maintained by maintainers, teams of maintainers and the
security team (and...).

I am not sure what you think. It's not like 300 Debian Developers all
working on the same packages/things (such as infrastructure, QA,
packaging, installer) and collectively agreeing to make a distribution
installing lots of packages by default. Rather, individual developers or
teams maintain package(s) and/or work on other tasks.
Compartmentalization. Not everyone works on everything and not the final
result of everyone's individual work is a distribution with a Gnome
default desktop.

In big distributions things like "just offers more goodies to the
end-user" or "want a more complete out the box experience" are
additional features. Not the focus of everyone involved or the only
features. Or an indicator, that this distribution isn't a good base for
a minimal derivative distribution.

ghostca...@gmail.com

Oct 5, 2013, 3:45:51 AM
to qubes...@googlegroups.com, ears...@gmail.com
I've used mostly Debian and very little Slackware, Arch or Gentoo. My understanding with Gentoo is that the package manager is actually an automated compiler. This is not like Debian and Fedora(?) which install binaries and so is more secure. You do not have to trust every person who compiled the binaries, only whomever was involved in compiling the package manager.

kerste...@gmail.com

Feb 12, 2015, 7:23:51 AM
to qubes...@googlegroups.com
Hello,

if possible I would appreciate very much, if both "backends" for Qubes would be available: Fedora/Red Hat and Debian.

Thanks and Regards,
Kersten

Drew White

Dec 26, 2016, 8:30:15 PM
to qubes-users, 33e9...@opayq.com

If you can get a Slackware version working, for Dom0 as well as Guests, I know many people that would switch over to Qubes.

There are many people that hate SystemD.

Also, having a stable platform, one that isn't releasing a new version every 10 seconds like Fedora, and only just updates to the system to ensure security would be of great advantage.

If you can get it done with Qubes 3.2, that would be perfect, since Qubes 4.0 will not work on much hardware that people use these days (according to the requirements).

Tai...@gmx.com

Dec 27, 2016, 5:01:43 AM
to Drew White, qubes-users
Yeah I really hate using systemd and being forced in to whatever
redhat/poettering is doing at the moment.

Instead of dropping support for non IOMMU systems there should simply be
a security rating slide with different levels and colors to indicate
security status when you start the installer (test for HVM, IOMMU,
IOMMU-Interrupt Remapping, SLAT, presence of ME/PSP or other DRM,
firmware security such as prop bios > coreboot > blob free coreboot as
the most secure, etc)

Qubes should be geared to power users, not the average idiot that
doesn't want to put in the slightest bit of effort to understand security.

pixel fairy

Dec 27, 2016, 9:55:00 AM
to qubes-users, ears...@gmail.com
On Tuesday, October 1, 2013 at 6:32:41 PM UTC-7, ears...@gmail.com wrote:
> We all know Fedora is a big name, but is it a good choice for a Security Driven OS like QubeOS to be based around?
> What do others here think?

There are a lot of packages creating a bigger attack surface. but, bigger distros like fedora have companies behind them like red hat. red hat has been pretty good about actively looking for vulnerabilities in those packages. distros that automatically upgrade to the latest version (gentoo etc) can also burn you. they would make better template vms where you're more likely to want newer software and new issues can be better contained.

for dom0, newer distros are better at hardware compatibility with those fancy new processors, graphics cards and storage controllers in laptops.

just personal opinion, but wayland is a better fit than x11 for qubes in the long run. fedora is the only distro with a dedicated security staff actively supporting it.

anytime you abstract a layer, you're diluting your resources. maintaining a dom0 isn't much more work than a domu template, but if you want to add slackware, arch, and gentoo, you've now more than doubled the developers distro maintenance work when they could be working on stability and features.

raah...@gmail.com

Dec 27, 2016, 11:48:50 AM
to qubes-users, ears...@gmail.com
I agree, redhat seems to always be finding the most crucial vulnerabilities in linux. Also imo, fedora is the most secure big linux distro by default. (a firewall on by default, selinux etc https://fedoraproject.org/wiki/Security_Features?rd=Security/Features) So we know they take security seriously, when most distros don't give it a look. In fact I can't think of any major distro that does besides debian stable. Something like gentoo or arch might not have as much hardware support.

Qubes is aimed at home desktop users I believe, so they want something easy to manage, and they also want broad hardware support.

That being said there are things like the latest drive by downloads affecting fedora and google chrome, but that would affect appvms not dom0.

But should be noted, fedora and ubuntu were affected with the latest encryption bypass. (holding enter key down) debian was not. So if not fedora my vote is for debian. But those are the only two i would nominate.

Vít Šesták

Dec 28, 2016, 12:01:57 AM
to qubes-users
While I agree Debian is a fair choice in terms of security, I disagree with your reasoning. The “encryption bypass” is rather a minor vulnerability (i.e. if attacker has all prerequisites to abuse it, she probably could also perform other attacks) and I don't believe that this is statistically significant. On the other hand, there are also some Debian-specific vulnerabilities. For example, recent APT vulnerability or not-so-recent vulnerable SSH keys due to some Debian-specific tuning. This does not suggest that Debian is less secure, this suggests it is not so clear.

Regards,
Vít Šesták 'v6ak'

Jeremy Rand

Jan 1, 2017, 12:08:54 PM
to qubes...@googlegroups.com
pixel fairy:
Potentially worth noting here that in Ed Snowden's keynote at
Libreplanet 2016, he criticized the free software community's tendency
to use stable, outdated software. Snowden said that the attackers
move and adapt quickly, and it's dangerous to continue using outdated
software that doesn't have the latest security fixes/features just
because it's more stable or more backward-compatible. Snowden did not
explicitly mention any distros that he was talking about, but I got
the distinct impression that he was (at least in part) talking about
Debian.

Of course, "appeal to authority" is a classic fallacy, so we shouldn't
do what Snowden says without questioning it, but I think it's at least
worth considering his argument seriously.

Cheers,
-Jeremy

Foppe de Haan

Jan 2, 2017, 6:09:04 AM
to qubes-users, jer...@veclabs.net, jerem...@airmail.cc
Jeremy: That's all well and good (though without being specific, the criticism doesn't really impress me, unless the unstated assumption is that 'stable' software doesn't get security fixes), but (esp. in the case of Tor) you can just as easily turn that around: precisely because of the constant updating of firefox (tracked by the tor browser), and because features are constantly being added, it's not the most logical choice of browser. (Not that Chrome is any better on that front.)

Ronald Duncan

Jan 3, 2017, 10:19:20 AM
to qubes-users
This thread just sprung to life again.

I had a quick look at

https://www.qubes-os.org/doc/templates/

And along with Debian which is installed by default both

Arch and
Ubuntu

Are available...

My personal preference is Ubuntu because it generally just works, and Arch because it has the latest version of everything whenever you have the problem that xyz does not work because it needs the latest version. That the distribution maintainer has not yet made available in your favourite distro. I have not yet tried these templates.

Since I am a xfce fan I love qubes UI along with all the other parts.

Only gripe is no Win10 template ( and the various issues getting Windows to work - no password ).

Regards
Ronald

Drew White

Jan 3, 2017, 6:39:31 PM
to qubes-users
On Wednesday, 4 January 2017 02:19:20 UTC+11, Ronald Duncan wrote:
> This thread just sprung to life again.
>
> I had a quick look at
>
> https://www.qubes-os.org/doc/templates/
>
> And along with Debian which is installed by default both
>
> Arch and
> Ubuntu
>
> Are available...

But not for Dom0... that is the main issue for me.
Need a Slackware build. At least then there will be no SystemD crap.


> My personal preference is Ubuntu because it generally just works, and Arch because it has the latest version of everything whenever you have the problem that xyz does not work because it needs the latest version. That the distribution maintainer has not yet made available in your favourite distro. I have not yet tried these templates.
>
> Since I am a xfce fan I love qubes UI along with all the other parts.

I am an xFCE fan as well. It's a simple interface and just works smoothly, unlike KDE and Gnome which are so bloated.



> Only gripe is no Win10 template ( and the various issues getting Windows to work - no password ).

I have found no issues getting windows to work with no password. I just set the auto Login, and done.

There are no tools for Win10, so until then, all good. But if you want to use the tools, stick to version 3.2.1.3 until they fix them, because the tools got broken in version 3.2.2.3, and I have not seen a version that is fixed yet.

raah...@gmail.com

Jan 4, 2017, 7:23:54 PM
to qubes-users
There are a lot of reasons why I feel Fedora and Debian are the two most secure mainstream linux distros. But that's not saying much at all, it's why we use Qubes. Linux sucks imo and is no better than windows. Especially when using popular distros. These are just my personal opinions I might be living in a bubble.

Yes, I was also trying to point out the choice of security between the two is not so clear.. But when it comes to the things that puts fedora up there like a default firewall or selinux , They don't matter for a Qubes dom0. But I think if hardware support is priority, fedora always optimized for a newer kernel and newer driver support and having newer software would be more ideal. If stability, then debian.

Things like holding enter button down to bypass luks, or holding backspace down to bypass grub, or using siri and hitting pad a couple times to bypass ios phone lock (on every single version). Whether needing physical access or not, sure does make me wonder if they are not there on purpose. Like for police purposes. I've always felt the people behind ubuntu or fedora are not as trustworthy when it comes to privacy if not security than a distro like debian. I'm sure everyone knows all the common reasons why, so no need to list them all, but things like NSA, Search redirections, corporate greed, unknown network connections, services phoning home, etc always come up... When using a baremetal system I prefer debian system because I feel by default it gives more protection from itself than fedora will protect you from fedora. That includes both backdoors and stability.

And if you want a conspiracy theory I think Russia has been undermining fedora especially starting with fedora 20. I have also felt every hardened fedora box I have ever owned has been hacked or maliciously destroyed. Every single one. It's never happened with a hardened debian, or even with a hardened windows 7. But again in this case for a Qubes dom0 I don't think it really matters.

raah...@gmail.com

Jan 4, 2017, 7:37:42 PM
to qubes-users, jer...@veclabs.net, jerem...@airmail.cc

I disagree with Snowden on this, if it ain't broke don't fix it. What usually happens in reality is the newer software introduces even more bugs than were originally there imo for the sake of new shiny things. Many experts say we are actually less safe nowadays cause systems are already too complex. And if new exploits found in old software are patched with security updates then I think the freesoftware communities have it right when it comes to security.

If he means old software that's no longer maintained and abandoned then he has a good point. There is plenty of that in every linux distro, some more than others.

But saying attackers adapt quick, means to me adapting to something new, adapting to a new exploit, not a secret one they've already known about.

raah...@gmail.com

Jan 4, 2017, 7:38:52 PM
to qubes-users, jer...@veclabs.net, jerem...@airmail.cc, raah...@gmail.com

I used to believe that always updating software would remove exploits currently in them. But usually in reality if not specifically addressed, since new software is still built upon the same old software, the old bugs still exist while new ones are now introduced as well.

Drew White

Jan 5, 2017, 12:06:59 AM
to qubes-users, jer...@veclabs.net, jerem...@airmail.cc, raah...@gmail.com

If you have a secure system in the first place, the exploits can't get a grip easily.
If you manage your system you won't get hit easily.
If you lock the machine down, you won't get hit easily.

I limit SUDO activity to what I want to let things use.
I don't let sudo change passwords..
I don't let sudo do anything of impact for the system.

I have firewall set up so that I have to permit what I want, and I monitor all traffic.

So updating the system to the latest, will often break things, along with security. So I don't update until I know that the update will actually fix it and not break the security I have in place that fixes what's actually wrong, if that makes sense?

Moving to Slackware, AWAY from SystemD removes one HUGE security flaw that will never be fixed.

It MAY get a few tiny holes/vulnerabilities, but they are easy to protect against, whereas SystemD, you can't protect against SystemD.

Vít Šesták

Jan 5, 2017, 1:44:49 AM
to qubes-users
When you don't update, you will eventually have software full of known security bugs. Known security bugs (if they aren't properly managed, like analyzing their impact and mitigating them) are arguably worse than unknown security bugs (ceteris paribus), because they are much cheaper to exploit.

The same does not apply to non-security bugs. The key difference is that security bugs are triggered on purpose, while other bugs are triggered accidentally.

It is questionable if old software with security patches (e.g. Debian stable, Firefox ESR) is better than fresh one or not. I see good arguments on both sides, so maybe it depends.

Regards,
Vít Šesták 'v6ak'

Vít Šesták

Jan 5, 2017, 3:19:58 AM
to qubes-users
I have seen much more systemd hates than proper arguments against systemd. But if systemd is really wrong, this kind of debate does not contribute for rejecting it.

From security perspective in context of dom0, systemd is a process that interacts with local processes and maybe with few other local things. If systemd is really wrong for security (I am not convinced so), I would expect it to allow local privilege escalation, which is not much a threat in context of Qubes. Did you mean something else?

If there is a proper argument against systemd for dom0, I hope Qubes developers will hear it. But they will hardly move to Slackware (or another non-systemd distro) just for sake of getting rid of systemd. I guess that without a good argument for it*, there will be always something more important giving better improvement, requiring less effort and introducing fewer risks.

Regards,
Vít Šesták 'v6ak'


*) I am not stating there is not any reasonable argument. There might be one I haven't realized. But if there is any, it should be mentioned in a proper way.

Fred

Jan 5, 2017, 7:58:28 AM
to qubes...@googlegroups.com
The LUKS issue was all about getting a root shell as opposed to being
able to defeat LUKS or get the keys or decrypt the data. I know this was
a bit misreported in the press.

A bigger issue is if /boot is not encrypted. And with modern GRUB there
is no need for it not to be. Someone could then use this shell to put a
keylogger in /boot process then they could use this vulnerability to do
some damage. But the same is true from booting from removable custom
media to access the encrypted partitions.

Drew White

Jan 5, 2017, 6:39:44 PM
to qubes-users, ears...@gmail.com
The real question here I think is..
What needs to be installed in an O/S to create a new Dom0?

I've asked this before, and none answers the question.

Connor Page

Jan 6, 2017, 3:59:43 AM
to qubes-users
why wouldn't you consult the list of actually installed packages?
https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml

Drew White

Jan 9, 2017, 6:10:19 PM
to qubes-users
On Friday, 6 January 2017 19:59:43 UTC+11, Connor Page wrote:
> why wouldn't you consult the list of actually installed packages?
> https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml

Can you, from that, tell me what are REQUIRED for Qubes-OS to be fully functional?

If you can, then you must be able to see something that I am not able to.

While that may have a list of a lot of packages, it doesn't say what versions are required.

Connor Page

Jan 9, 2017, 6:47:58 PM
to qubes-users
Sorry Drew, you asked what needs to be installed to make another dom0, not the bare minimum that is required. Every Qubes specific package provides a list of prerequisites and version conflicts. For instance,
Name: qubes-core-dom0
Version: %{version}
Release: 1%{dist}
Summary: The Qubes core files (Dom0-side)

Group: Qubes
Vendor: Invisible Things Lab
License: GPL
URL: http://www.qubes-os.org
BuildRequires: ImageMagick
BuildRequires: systemd-units
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: python, pciutils, python-inotify, python-daemon
Requires: qubes-core-dom0-linux >= 3.1.8
Requires: qubes-core-dom0-doc
Requires: qubes-db-dom0
Requires: python-lxml
Requires: python-psutil
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts: qubes-gui-dom0 < 1.1.13
Requires: libvirt-python
%if x%{?backend_vmm} == xxen
Requires: xen-runtime
Requires: xen-hvm
Requires: libvirt-daemon-xen >= 1.2.20-6
%endif
Requires: createrepo
Requires: gnome-packagekit
Requires: cronie
Requires: bsdtar
# for qubes-hcl-report
Requires: dmidecode
Requires: PyQt4

Dom0 is created by installing qubes tools that pull in their dependencies and so on. Yum Extender in dom0 can give you all the prerequisites. Of course here we rely on developers being precise when defining them.

Drew White

Jan 9, 2017, 7:20:24 PM
to qubes-users
On Tuesday, 10 January 2017 10:47:58 UTC+11, Connor Page wrote:
> Sorry Drew, you asked what needs to be installed to make another dom0, not the bare minimum that is required.

I'm sorry that I was not more specific when I said "needs". It can be taken multiple ways, I should have been more precise.


> Every Qubes specific package provides a list of prerequisites and version conflicts.

That is true, but that's why I'm curious about it to know.

That is true.

Thing is, I'd be building it from code, which is why I need to know. Because not everything is as simple as using an RPM or other package like that. And there are no SRPMs so that's another thing that makes it not work well for what I need to do to get the packages installed to create a new Dom0.

But that's just the way things go unfortunately.

I can but try.
