Debian vs Fedora


Franz

Dec 22, 2015, 9:55:23 PM
to qubes...@googlegroups.com
Hello
is there some sort of consensus in this ML about which template is better for security: Debian or Fedora?

From my point of view a main concern is the amount of control over the presence of a rogue developer who intentionally introduces a hole into security. Which one has a better system of control/prevention over this?

Another aspect is that Debian seems to have some better protection over updates. I remember cprise wrote something about that.

Also important is Qubes developers' maintenance. Are the two templates going to be maintained in the same way in the future, or not?

Less important, but still interesting, is specialization. One may choose one template for banking, work and vault and another template for multimedia or whatever.

Certainly there are other aspects that I am missing, so I am curious.

Best
Fran

Connor Page

Dec 23, 2015, 7:57:02 AM
to qubes-users

7v5w7go9ub0o

Dec 23, 2015, 10:19:15 AM
to qubes...@googlegroups.com
One additional one:

- "Hardening". IIRC, Fedora is now/will shortly compile its
distribution with optional, compile-time hardening in effect by default.
This should provide improved protection for network and firewall appvms
which, in my case, may be up and running for days - meaning a compromise
may be in effect for days. Also, as they are appvms (and not dispvms),
any changes (e.g. additions) to the user side will be retained after
shutdown.

My ideal would be hardened microkernels running as dispvms - including
microkernel dispvms replacing network, firewall, whonix/TOR appvms. I'm
presuming that a minimal Fedora template is closer than Debian to this
ideal.


Regarding maintenance:

- IIUC Fedora remains the primary development OS for ITL, and therefore
the safest for newbies like me. The short maintenance period is a pita.


Franz

Dec 23, 2015, 7:54:07 PM
to 7v5w7go9ub0o, qubes...@googlegroups.com
But is that certain? ITL's reasonable stress on deterministic builds seems more directed to Debian than to Fedora AFAIU.



Tim W

Dec 23, 2015, 9:42:07 PM
to qubes-users, 7v5w7g...@gmail.com

IMO a min for all repo comms: encrypted secure connection, sig/pub key, hash con. I am leery of third party mirroring. If it was secure as listed above and all downloads were hash confirmed back to origin repo by the client etc..

I see lots of Debian/Fedora back and forth but for me if we are going to be using full distro IMHO Gentoo has a lot to offer. Rolling release and its portage is one of the very best. To correctly qualify my opinion, I am far far from an expert in the Linux field. But I have been working in IT and general security field since the 90s but still I am woefully ignorant to the nuances of ideals for what makes the best choice for Qubes here. On the surface Gentoo seems to be a very good fit for Qubes.

The issue of course with any change is, so much has been invested into Fedora and from what I can see the undertaking for a Dom0 switch would be very significant. Further, the way I look at it in the end is, "armchair idea" posters, such as I am at the present, are a dime a dozen. If everyone that made suggestions could and would do coding work it would be a very different landscape indeed.

Chris Laprise

Dec 27, 2015, 6:27:50 AM
to Connor Page, qubes-users, Franz


On 12/23/2015 07:57 AM, Connor Page wrote:
> those concerned about Fedora updates should read https://securityblog.redhat.com/2015/08/19/secure-distribution-of-rpm-packages/
>

This is interesting... Fedora devs think their security problem is
solved by switching to https/PKI? It raises the bar somewhat but is
still vulnerable.

I get the sense they are trying to steer their security-minded users to
paid RHEL subscriptions in order to get that last critical xml file
signed. (There are other possible interpretations that are less kind.)

Fedora is still a tinkering/testbed distro.

OTOH, I don't think there are any downsides to using Debian templates
for whatever. I use them for everything. Debian won't push updates from
upstream unless it's security related or other major bug fix, while
Fedora doesn't seem to differentiate security updates from the rest, and
pushes updates from upstream with high frequency... so I think Debian is
less chaotic and less risky overall (and large LibreOffice updates are
not downloaded twice a week).


Franz

Dec 27, 2015, 9:53:19 PM
to Chris Laprise, Connor Page, qubes-users
Interesting, thanks. After upgrading to R3.1 I have to decide which template to use and am deciding to move to Debian. It seems more security concerned, it is smaller and it works better. For example, after upgrading to Fedora 23 nfs and smb do not work anymore, but it is enough to change the template to Debian and everything works again out of the box.