Any way to verify open source firmware from the QMSK?

The Qubes OS official documentation explicitly recommends using coreboot or similar open-source firmware, and provides a link to the coreboot website. At the same time, I can’t find any way to verify any coreboot downloads or payloads from the QMSK (for example, by having the developer’s key’s fingerprints/hashes of source code and images available somewhere in the Qubes documentation). Considering the amount of effort this project puts into distrusting the infrastructure, it seems complacent to me to tell users to download and install firmware from a different website with no way to verify its authenticity. Is there anything I am missing here or is this just the way things are?

1 Like
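The kind of pinned check the post above describes as missing (a known key fingerprint and a known digest, obtained in advance rather than from the download site), as an added shell example that is not from the Qubes documentation or the coreboot project. The fingerprint and digest are placeholders, and gpg is assumed to already hold the signing key in its keyring.

```shell
#!/bin/sh
# Added example: verify a firmware image against a pinned digest and a pinned signing-key
# fingerprint. Both constants are PLACEHOLDERS, not real coreboot values; in practice they
# come from a channel the operator of the download site cannot edit.
PINNED_FPR="0000000000000000000000000000000000000000"                              # placeholder
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the pinned one. A digest published next to the
# download adds nothing: whoever can replace the file can replace the digest too.
verify_pinned_hash() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Return 0 only if gpg reports a VALIDSIG whose signing key (first field) or primary key
# (last field) is the pinned fingerprint. The exit status of 'gpg --verify' alone is not
# enough: a good signature from any key in the keyring would pass.
verify_pinned_sig() {
    file=$1; sig=$2; fpr=$3
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr$)"
}

# Usage: verify_firmware image.rom image.rom.sig
verify_firmware() {
    verify_pinned_hash "$1" "$PINNED_SHA256" \
        || { echo "digest mismatch: $1" >&2; return 1; }
    verify_pinned_sig "$1" "$2" "$PINNED_FPR" \
        || { echo "no valid signature from pinned key $PINNED_FPR" >&2; return 1; }
    echo "verified: $1"
}
```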

I don’t think it’s reasonable to expect the Qubes developers to be the root of trust for the entire FOSS security ecosystem, encompassing many other independent open-source projects, many of which are bigger and better-funded than the Qubes OS Project. Why should the Qubes developers be responsible for handling the security between other FOSS projects and their respective users? Why can’t other FOSS projects (especially the ones who claim to care about security) take responsibility for the secure distribution of their own downloads? If they fail to do so, that’s them being complacent. It’s backwards to call the Qubes devs complacent for failing to swoop in to rescue unrelated devs on other projects from their own complacency. The Qubes devs never signed up to police other FOSS projects’ security. If merely suggesting other FOSS projects on the Qubes website somehow incurs such a responsibility, then better to scrub all mentions of other FOSS projects from the website so that the Qubes devs can focus on Qubes.

3 Likes