Fwd: Debian derivatives census: Qubes: welcome!


Patrick Schleizer

Mar 6, 2017, 9:14:09 AM
to qubes...@googlegroups.com, debian-de...@lists.debian.org, Unman
Forwarding to qubes...@googlegroups.com.

-------- Forwarded Message --------
Subject: Debian derivatives census: Qubes: welcome!
Resent-Date: Mon, 6 Mar 2017 06:23:25 +0000 (UTC)
Resent-From: debian-de...@lists.debian.org
Date: Mon, 06 Mar 2017 14:22:57 +0800
From: Paul Wise <pa...@debian.org>
Organization: Debian
To: unman <un...@thirdeyesecurity.org>
CC: debian-derivatives <debian-de...@lists.debian.org>

Hi unman,

I would like to welcome yourself and Qubes to the Debian derivatives
census! Would you like to take this opportunity to introduce yourself
and Qubes to us all?

https://wiki.debian.org/Derivatives/Census/Qubes

It would be great if you could join our mailing list and IRC channel:

https://wiki.debian.org/DerivativesFrontDesk

I would encourage you to look at Debian's guidelines for derivatives:

https://wiki.debian.org/Derivatives/Guidelines

You may want to look at our census QA page, some of the mails from
there may apply to Qubes.

https://wiki.debian.org/Derivatives/CensusQA

You don't appear to be subscribed to the Qubes census page;
I've made a few changes to the Qubes census page:

https://wiki.debian.org/Derivatives/Census/Qubes?action=info

I was under the impression that Qubes was based on Fedora.
Are you planning on a transition to being based on Debian?
I see that Qubes does have an apt repository available.
It would be interesting to hear about your plans here.

Some of the Release files in the apt repository for Qubes are missing
the Valid-Until header, which allows clients to find out when active
network attackers are holding back newer Release files. At minimum,
rolling releases and suites containing security updates should have this
header. With reprepro you can use the ValidFor config option.

https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until

The apt repository for Qubes does not contain source packages,
including for packages licensed under the GNU GPL (Xen). This may or
may not be a copyright violation depending on whether or not you
distribute those elsewhere. In any case, please add source packages to
your repository so that Debian can automatically create patches to be
presented to Debian package maintainers.

https://wiki.debian.org/Derivatives/CensusQA#No_source_packages
https://wiki.debian.org/Derivatives/Integration#Patches
https://compliance.guide/

I note that some of the packages in the Qubes apt repository use http
instead of https in their Homepage or Description fields.

The page is missing a dpkg vendor field. It is important that Debian
derivatives set this properly on installed systems and mention the
value of the field in the derivatives census.

https://wiki.debian.org/Derivatives/Guidelines#Vendor

I've added the Qubes blog to Planet Debian derivatives which helps the
Debian community find out the things that are happening in the world of
Debian derivatives. I note that the automatically detected feed URL
does not use TLS because the link in the HTML is http not https.

http://planet.debian.org/deriv/

This year the annual Debian conference is in Montreal, Canada.
It would be great if developers from Qubes could attend DebConf.
The CfP for DebConf17 is currently open; this might be a good
opportunity to talk about the relationship between Qubes and Debian.
If this isn't possible, next year DebConf18 will be in Hsinchu, Taiwan.

https://debconf17.debconf.org/
https://debconf17.debconf.org/cfp/

I would encourage Invisible Things Lab and the other Qubes sponsors to
contribute financially to ensure the continued survival of Debian and
the success of the annual Debian conference.

https://www.debian.org/donations
https://debconf.org/sponsors/
https://debconf17.debconf.org/sponsors/become-a-sponsor/

I would encourage any attendees to volunteer to ensure the continued
success of the annual Debian conference; here are some examples of
things that need helpers.

https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination

I note that Qubes is partly based on Debian stable. The Debian release
team recently released a timeline for the freeze for the next Debian
stable release. I would encourage you to review it and prepare your
plans for rebasing on the next Debian release (stretch).

https://lists.debian.org/msgid-search/20170205222956....@powdarrmonkey.net

I note that Qubes is partly based on Debian unstable. A great way to
help ensure that the next Debian release works well is to install and
run the how-can-i-help tool and try to work on any issues that come up.

http://www.lucas-nussbaum.net/blog/?p=837
https://packages.debian.org/unstable/how-can-i-help
https://wiki.debian.org/how-can-i-help

I note that Qubes also has wheezy in the apt repository. The Debian
long-term security team has announced an LTS effort for wheezy.
I would encourage Qubes to help out with this effort financially
and/or with developer time.

https://www.debian.org/News/2016/20160425
https://wiki.debian.org/LTS

Is Qubes collaborating with other related distros like Tails, Subgraph etc?

You might want to consider adding DNSSEC to your domains and TLSA
records to your domains. You might also want to reconsider Cloudflare :)

Please feel free to circulate this mail within the Qubes team.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Andrew David Wong

Mar 6, 2017, 10:33:38 PM
to Patrick Schleizer, qubes...@googlegroups.com, Marek Marczykowski-Górecki, Unman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-03-06 06:13, Patrick Schleizer wrote:
> Forwarding to qubes...@googlegroups.com.
>
> -------- Forwarded Message --------
> Subject: Debian derivatives census: Qubes: welcome!
> Resent-Date: Mon, 6 Mar 2017 06:23:25 +0000 (UTC)
> Resent-From: debian-de...@lists.debian.org
> Date: Mon, 06 Mar 2017 14:22:57 +0800
> From: Paul Wise <pa...@debian.org>
> Organization: Debian
> To: unman <un...@thirdeyesecurity.org>
> CC: debian-derivatives <debian-de...@lists.debian.org>
>
> [...]
>
> I've added the Qubes blog to Planet Debian derivatives which helps the
> Debian community find out the things that are happening in the world of
> Debian derivatives. I note that the automatically detected feed URL
> does not use TLS because the link in the HTML is http not https.
>

Fixed.

> [...]
>
> You might want to consider adding DNSSEC to your domains and TLSA
> records to your domains. You might also want to reconsider Cloudflare :)
>

These website issues come up often, so I've created FAQ entries for them:

* https://www.qubes-os.org/doc/user-faq/#should-i-trust-this-website
* https://www.qubes-os.org/doc/user-faq/#why-does-this-website-use-cloudflare
* https://www.qubes-os.org/doc/user-faq/#why-doesnt-this-website-have-security-feature-x

Marek, we can enable DNSSEC via Cloudflare. However, AFAICT, Cloudflare
doesn't support TLSA records yet.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Marek Marczykowski-Górecki

Mar 7, 2017, 8:33:42 AM
to Patrick Schleizer, qubes...@googlegroups.com, debian-de...@lists.debian.org, Unman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Mar 06, 2017 at 02:13:00PM +0000, Patrick Schleizer wrote:
> Forwarding to qubes...@googlegroups.com.
>
> -------- Forwarded Message --------
> Subject: Debian derivatives census: Qubes: welcome!
> Resent-Date: Mon, 6 Mar 2017 06:23:25 +0000 (UTC)
> Resent-From: debian-de...@lists.debian.org
> Date: Mon, 06 Mar 2017 14:22:57 +0800
> From: Paul Wise <pa...@debian.org>
> Organization: Debian
> To: unman <un...@thirdeyesecurity.org>
> CC: debian-derivatives <debian-de...@lists.debian.org>

(...)

> I was under the impression that Qubes was based on Fedora.

You can use multiple different distributions on Qubes OS. Debian is one
of them:
https://www.qubes-os.org/doc/templates/

> Are you planning on a transition to being based on Debian?
> I see that Qubes does have an apt repository available.
> It would be interesting to hear about your plans here.

The repository there contains Qubes-specific packages for Debian
templates.

> Some of the Release files in the apt repository for Qubes are missing
> the Valid-Until header, which allows clients to find out when active
> network attackers are holding back newer Release files. At minimum,
> rolling releases and suites containing security updates should have this
> header. With reprepro you can use the ValidFor config option.
>
> https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until

In our current setup, we don't have a way to automatically and periodically
upload a new signed Release file. This means that if we don't release new
packages for some period of time (longer than the ValidFor setting), the
repository will be treated as invalid, even if that isn't the case.
And setting ValidFor to a value large enough to mitigate the problem
(like 6 months) doesn't make much sense...

> The apt repository for Qubes does not contain source packages,
> including for packages licensed under the GNU GPL (Xen). This may or
> may not be a copyright violation depending on whether or not you
> distribute those elsewhere. In any case, please add source packages to
> your repository so that Debian can automatically create patches to be
> presented to Debian package maintainers.
>
> https://wiki.debian.org/Derivatives/CensusQA#No_source_packages
> https://wiki.debian.org/Derivatives/Integration#Patches
> https://compliance.guide/

https://github.com/QubesOS/qubes-issues/issues/1244

> I note that some of the packages in the Qubes apt repository use http
> instead of https in their Homepage or Description fields.
>
> The page is missing a dpkg vendor field. It is important that Debian
> derivatives set this properly on installed systems and mention the
> value of the field in the derivatives census.
>
> https://wiki.debian.org/Derivatives/Guidelines#Vendor

Unman, can you take care of those two?

> I note that Qubes is partly based on Debian stable. The Debian release
> team recently released a timeline for the freeze for the next Debian
> stable release. I would encourage you to review it and prepare your
> plans for rebasing on the next Debian release (stretch).
>
> https://lists.debian.org/msgid-search/20170205222956....@powdarrmonkey.net

We already provide packages for stretch and run tests on it.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
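The Valid-Until discussion above (Paul's point that the header lets clients detect a held-back Release file, and Marek's point that a short ValidFor makes a quiet repository look invalid) as an added, runnable illustration; this is example code written for this thread, not part of the Qubes or Debian tooling, and the two Release files it parses are constructed samples with a hypothetical "Example" origin.

```python
from datetime import datetime, timezone

# Constructed sample Release files (not from the Qubes repository), using the
# RFC 5322-style "UTC" date form that apt writes. The first carries a one-week
# Valid-Until window; the second, like the files Paul noticed, has none.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Example
Suite: stable-security
Date: Mon, 06 Mar 2017 06:00:00 UTC
Valid-Until: Mon, 13 Mar 2017 06:00:00 UTC
Architectures: amd64
"""
RELEASE_WITHOUT_VALID_UNTIL = """\
Origin: Example
Suite: stable
Date: Mon, 06 Mar 2017 06:00:00 UTC
Architectures: amd64
"""

APT_DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_release(text):
    """Parse single-line 'Key: value' header fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith(" "):  # skip blank/continuation lines
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_apt_date(value):
    """Turn an apt Release date string into an aware UTC datetime."""
    return datetime.strptime(value, APT_DATE_FMT).replace(tzinfo=timezone.utc)


def check_release(text, now):
    """Classify a Release file the way an apt client would at time `now`:
    'no-valid-until' means a replayed old copy is accepted indefinitely,
    'expired' means the client refuses the (possibly held-back) index,
    'fresh' means it is still inside its validity window."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return "no-valid-until"
    if now > parse_apt_date(fields["Valid-Until"]):
        return "expired"
    return "fresh"


def validity_window(text):
    """Valid-Until minus Date, i.e. the effective ValidFor: a new signed Release
    must be published within this window or the suite appears invalid (Marek's
    objection); None when the file sets no Valid-Until."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return None
    return parse_apt_date(fields["Valid-Until"]) - parse_apt_date(fields["Date"])
```

Feed it a Release file fetched by a mirror or a client at a chosen time to see whether a stale copy would still be accepted.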