Perplexed, why do so many here seem to prefer Fedora instead of ?


gorked

Jan 5, 2020, 12:09:50 PM
to qubes-users
I thought Fedora was the free publicly available version of the test bed for Red Hat Linux?  That is Fedora being the version that will become Red Hat? 

I thought CentOS and Oracle Linux were free publicly available versions of the current stable versions of Red Hat?

And that basically Red Hat is from only free software sources?  Excepting some folks might add non-free Firmware drivers if they chose? 

Seems like the stable version of Red Hat, renamed something else to make the Linux OS available for free, would be more secure.  

One of the big differences being that if one buys Red Hat, versus the free version, that one is paying for support, also some of the development costs.  

What gives?

Chris Laprise

Jan 5, 2020, 11:09:10 PM
to gorked, qubes-users
On 1/5/20 12:09 PM, gorked wrote:
> I thought Fedora was the free publicly available version of the test bed
> for Red Hat Linux?  That is Fedora being the version that will become
> Red Hat?

The way I remember Marek explaining it (and correct me if I'm wrong,
Marek) is that choosing Fedora was mostly chance bc that's what he was
used to at the time.

You are right that Fedora is a test bed for Red Hat, and it has some
pretty serious downsides as a result. Foremost is that TPTB don't allow
Fedora to cryptographically sign their top level repository manifests.
This means that any MITM attacker can pick which packages don't receive
updates, even though the overall update proceeds in an apparently normal
manner.

Virtually all other distros that are half-way popular sign their repo
metadata so that any MITM attempts can be prevented.

More downsides are that less quality testing occurs, packages of all
types (and sizes) get 'dumped' into the update stream much more
frequently, and the more flagrant mistakes with Red Hat's in-house tech
like Systemd land right in users' laps (I've found that Debian's Systemd
releases are less bug-ridden than Fedora's).

>
> I though CentOS and Oracle Linux were free publicly available versions
> of the current stable versions of Red Hat?

Those are two distros that came much later on, and they weren't under
control of Red Hat (although RH did take over CentOS a few years back).

>
> And that basically Red Hat is from only free software sources?
> Excepting some folks might add non-free Firmware drivers if they chose?
>
> Seems like the stable version of Red Hat, renamed something else to make
> the Linux OS available for free, would be more secure.

The problem with both RHEL and CentOS is that they're the opposite of
Fedora: Very staid, and non-security updates come slowly. That's a
problem for Qubes since it spent 5+ years charting new territory in the
hardware features + Linux/Xen compatibility matrix.

I actually think a better overall distro for Qubes is Debian, which is
available as a Qubes template (but not for dom0). The reason is that it's
'serious' and well tested/supported, but also has layers that allow you
to install and try newer more experimental versions of software. Due to
its popularity, Debian also has more software to choose from in its
repositories. (An example of this in action:
https://groups.google.com/d/msgid/qubes-users/e050ed1e-181a-45b4-89be-b8250c1924fc%40googlegroups.com
).

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
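Chris's point about signed top-level repository manifests, illustrated with an added example that is not from this thread, from Qubes, or from any distro's own tooling: a POSIX shell script that pins a package index to a Release-style manifest the way apt does once the manifest's signature has been checked. The manifest layout (one "<sha256> <size> <path>" line per index, like the SHA256 section of a Debian Release file), the file names and the package entries are constructed for the demo; signature verification of the manifest itself is assumed to have happened before verify_index is called.

```shell
#!/bin/sh
# Added example, not from the thread. A signed top-level manifest pins the
# hash of every index below it, so a middlebox that serves a stale or edited
# package index is detected. Without that signature there is nothing to pin
# the index to, which is the gap described in the message above.

# sha256_of FILE -> hex digest on stdout (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_index MANIFEST PATH FILE
# Returns 0 if FILE's sha256 matches the MANIFEST entry for PATH, 1 on a
# mismatch, 2 if PATH has no entry. MANIFEST is assumed to be the already
# signature-checked top-level file (constructed here, not a real Release).
verify_index() {
    manifest="$1"; path="$2"; file="$3"
    expected="$(awk -v p="$path" '$3 == p { print $1; exit }' "$manifest")"
    [ -n "$expected" ] || { echo "no manifest entry for $path" >&2; return 2; }
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "$path: OK"
    else
        echo "$path: MISMATCH (manifest $expected, got $actual)" >&2
        return 1
    fi
}

# build_demo DIR: write a constructed package index, a manifest that pins it,
# and a stale copy of the index carrying an older package version (the kind
# of file an attacker would replay to hold a client back on an old release).
build_demo() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Package: example-tool\nVersion: 2.0-1\nSHA256: <constructed>\n' > "$dir/Packages"
    printf 'Package: example-tool\nVersion: 1.9-1\nSHA256: <constructed>\n' > "$dir/Packages.stale"
    h="$(sha256_of "$dir/Packages")"
    s="$(wc -c < "$dir/Packages" | tr -d ' ')"
    printf '%s %s main/binary-amd64/Packages\n' "$h" "$s" > "$dir/Release"
}
```

With the manifest signed, replaying the stale index (the Packages.stale case) fails the hash check even though the download itself looks normal; the client never sees a signature error because the bogus file was not the signed one.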

gorked

Jan 6, 2020, 9:20:30 AM
to qubes-users
Thanks for replying.   I will keep what you say in mind in using Debian when I get into a position to try out QUBES.  Apparently I made a mistake in that, I thought I read on the CentOS Forum that if I did updates, it would receive the same security updates as Red Hat.   Perhaps Red Hat is not always the most secure?  Or maybe it is that what they really market is support, since that is what a business requires to use Linux?

To Morph this post a bit, being a lot of intrusions are now coming in with the Web Browser, which Web Browser is now the recommended one for Security?   I have been using Firefox, with a lot of Addons, but I had to turn off JavaScript to buy items online.

Is there a movement to create a standard about what a Web Page should never be allowed to do, to facilitate security on the internet?

   Surveillance Capitalism now rules.   

Claudia

Jan 6, 2020, 11:39:35 AM
to gorked, qubes-users
January 6, 2020 2:20 PM, "gorked" <ggg...@gmail.com> wrote:


> To Morph this post a bit, being a lot of intrusions are now coming in with the Web Browser, which
> Web Browser is now the recommended one for Security? I have been using Firefox, with a lot of
> Addons, but I had to turn off the Java Script to buy items online.


I would definitely not say Firefox is the most secure (though it is among the best for privacy). But the good news is that that doesn't really matter in Qubes. Qubes always assumes the browser is compromised. As long as you use Qubes correctly (use different VMs for different tasks/identities, use DispVMs where possible, etc.), you can mostly rely on the hypervisor instead of the browser for security. For example, use a different VM for buying things online with JS enabled than for your regular browsing. Arguably there should be security/hardening at all levels and not just the hypervisor, but the Qubes core principle is security by isolation.

> Is there a movement to create a standard about what a Web Page should never be allowed to do, to
> facilitate security on the internet?

Not sure what you mean. In terms of JS functions and permissions and things like that? The W3C is who decides the standards for what web pages should be allowed to do and access, and even that is not totally standard: ultimately each browser, and each user, makes their own decisions. I don't think there will ever be a universal list of rules that suits all users and all websites. This is more a matter of privacy than security. I.e. no rules or standards are going to prevent a heap overflow vulnerability or something like that.

> Surveillance Capitalism now rules.

Chris Laprise

Jan 6, 2020, 2:49:13 PM
to gorked, qubes-users
On 1/6/20 9:20 AM, gorked wrote:
> Thanks for replying.   I will keep what you say in mind in using Debian
> when I get into a position to try out QUBES.  Apparently I made a
> mistake in that, I thought I read on the CentOS Forum that if I did
> updates, it would receive the same security updates as Red Hat.
> Perhaps Red Hat is not always the most secure?  Or maybe it is that what
> they really market is support, since that is what a business requires to
> use Linux?

I wouldn't say CentOS security updates were any poorer than RHEL. RH
does them bc they reluctantly had to save CentOS from disbanding, even
though it is counter to their stated business model. This is one of
those "complicated history" issues.

BTW, there is a community-maintained CentOS template for Qubes.

>
> To Morph this post a bit, being a lot of intrusions are now coming in
> with the Web Browser, which Web Browser is now the recommended one for
> Security?   I have been using Firefox, with a lot of Addons, but I had
> to turn off the Java Script to buy items online.

This is not such a worry on Qubes if you keep things in separate VMs.
But if you must worry about app-level security, I would stick with
Firefox on Debian 10 and enable AppArmor (Debian 10 normally has AA
enabled, but the Qubes configuration has an unfortunate side-effect
where the default is disabled).

To enable AppArmor on Debian VMs, you can change the 'kernelopts' VM
pref for the template to add two parameters to the default 'nopat':

[dom0]$ qvm-prefs debian-10 kernelopts 'nopat apparmor=1 security=apparmor'

This will automatically carry over to all VMs based on that template
that do not have their own customized kernelopts setting. (If a VM has a
custom kernelopts setting, you'll have to add the AA params to it manually.)

Also, Firefox is not the only program that benefits from AppArmor. IMO
it's easy to do and a win-win. Philosophically, I think Qubes users and
devs should hold the point of view that while guest VM code shouldn't be
relied on as primary defense, it is best to let the guest OS use all of
its own defenses as long as they are default or easy to enable + use.

Another thing that can improve security inside a VM is my
Qubes-VM-hardening project, which restores user-auth security in VMs
(but with yes/no prompts, not passwords) and prevents malware from
hijacking the VM startup environment...

https://github.com/tasket/Qubes-VM-hardening

A note about Whonix templates: The developer for Whonix is already
making efforts to include this kind of defense (and more). But for
AppArmor, the last time I checked you still had to turn it on yourself.
Since Whonix is based on Debian, the procedure is the same as above (use
'kernelopts' setting).

>
> Is there a movement to create a standard about what a Web Page should
> never be allowed to do, to facilitate security on the internet?

Yes, there is a movement and tech project headed by Tim Berners-Lee:

https://betanews.com/2018/09/29/tim-berners-lee-solid/

https://www.theguardian.com/technology/2019/nov/24/tim-berners-lee-unveils-global-plan-to-save-the-internet

I should also mention the I2P project, which over time has developed a
different yet comparable approach to security and privacy. Tor (and by
extension, Whonix) is also evolving into this approach but Tor's
outproxy default is a snag.

>
>    Surveillance Capitalism now rules.
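The kernelopts change Chris describes above, written up as an added POSIX shell helper that is not his code or the Qubes project's: it appends apparmor=1 and security=apparmor to whatever kernelopts a template or VM already has, which covers the manual case he mentions (a VM with its own customized setting) without duplicating parameters that are already present. add_apparmor_opts is pure string handling; apply_apparmor_opts and check_apparmor_enabled are hypothetical wrappers that assume, respectively, a dom0 shell where qvm-prefs is available and a shell inside the running VM.

```shell
#!/bin/sh
# Added example, not from the thread. The two kernel parameters are the ones
# given in the message above; everything else here is an assumption.

# add_apparmor_opts CURRENT_OPTS -> prints CURRENT_OPTS with the AppArmor
# parameters appended, each only if missing, so custom options are preserved
# and re-running the helper is harmless.
add_apparmor_opts() {
    opts="$1"
    for param in apparmor=1 security=apparmor; do
        case " $opts " in
            *" $param "*) ;;                     # already present, keep as-is
            *) opts="${opts:+$opts }$param" ;;   # append with a separating space
        esac
    done
    printf '%s\n' "$opts"
}

# apply_apparmor_opts VMNAME: read the VM's current kernelopts in dom0,
# compute the updated value and write it back only if it changed.
# (Hypothetical wrapper; assumes qvm-prefs from the Qubes dom0 tools.)
apply_apparmor_opts() {
    vm="$1"
    current="$(qvm-prefs "$vm" kernelopts)"
    updated="$(add_apparmor_opts "$current")"
    if [ "$current" = "$updated" ]; then
        echo "$vm: AppArmor parameters already set ($current)"
    else
        qvm-prefs "$vm" kernelopts "$updated"
        echo "$vm: kernelopts changed from '$current' to '$updated'"
    fi
}

# check_apparmor_enabled: run inside the VM after a restart; the kernel
# exposes Y in this sysfs file when AppArmor is active.
check_apparmor_enabled() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]
}
```

Run apply_apparmor_opts against the template first (the default 'nopat' becomes 'nopat apparmor=1 security=apparmor'), then against any VM whose kernelopts pref has been customized, since those do not inherit the template's value; a VM with 'nopat console=hvc0' comes out as 'nopat console=hvc0 apparmor=1 security=apparmor'.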

fiftyfour...@gmail.com

Jan 7, 2020, 3:30:05 AM
to qubes-users
> Enabling AppArmor in Debian + Qubes hardening

Glad I came across this post. Thanks for this and the hardening tool, Chris.