On 1/20/20 6:02 AM, fiftyfourthparal...@gmail.com wrote:
If I were looking to maximize security, which would you say is better--Debian, Fedora, or some other distro, like Gentoo or Arch? If you've changed your sys-net, sys-usb, or other templates to something other than Fedora, why? And to what?
IMO, Debian is the best choice for secure templates. Its security focus is at least "normal" while Fedora's philosophy is haphazard "test the new stuff quick". Essentially all the worst systemd bugs will show up in a current Fedora release, for example. OTOH, my experience with systemd in Debian has been much smoother.
Fedora is also the only major distro that doesn't cryptographically sign its top-level repo metadata, allowing a MITM attacker to selectively prevent individual packages from updating. I interpret this as a decision forced on Fedora project from Redhat's marketing dept. so they can easily scare mission-critical Fedora users into purchasing RHEL licenses. There is no other possible explanation, IMO, as even CentOS fully signs their repos.
Debian is also more flexible: There are many more packages, and for the very latest stuff Debian lets you grab from the testing, unstable and experimental repos. And you get to choose whether you want shorter or longer upgrade cycles; with Fedora its always short which is a cause of disruption.
Finally, Debian templates are produced via Qubes official channels. That means something at least in terms of the level of oversight for building, distributing and updating the templates. OTOH, if this isn't so important to you, then Ubuntu and CentOS templates are alternatives to consider.
I've read that Debian is generally considered more secure than Fedora because of, among other things, AppArmor and tighter oversight of packages. This makes me wonder why it is that Fedora is the default template for basically everything while Debian has its default AppArmor disabled. Are there any downsides to basically removing Fedora from my Qubes?
IIRC, the choice of Fedora was sort of an accident; it was what the Qubes core developer was most familiar with at the time.
There is an open issue about moving away from Fedora to another distro like Debian.
Note: Debian does come with the Qubes install media (and Whonix templates are based on Debian as well) so at least its easy to choose.
I've also considered that the nature of Qubes makes this discussion seem moot to some, but my stance is that I should increase security where feasible.
There is one thing I don't use Debian for: The Update VM (which may be sys-net or sys-firewall, but you can assign it to a separate VM). The reason is that dom0 uses rpm/dnf and Fedora template is needed to handle it properly.
Also, Fedora template is currently required for building Qubes itself and Qubes templates.
-- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5af0bdfe-3679-44cc-c4c8-4f896c996d4d%40posteo.net.
