I think there are a lot of misunderstandings in this topic and it doesn’t seem productive to me, but since I’ve been referenced, I’ll just try to clarify my prior post by stating that there is a distinction to be made between what would be ideal (all packages being fully trustworthy due to some kind of comprehensive, objective audit) and what is actually the case (some packages are trusted, but most non-kernel code is not; the installation of all regular distro packages is, however, trusted - trusted is not the same as trustworthy).
So, having had another look at the docs:
Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for dom0 packages and for app qube packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in dom0. We had to trust somebody as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
Only install packages from trusted sources – e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package’s installation scripts are not malicious.
I interpret this as follows:
- all packages that are actively used for the standard functionality of QubesOS and the templates are trusted (which excludes most code of regular packages in total)
- all regular distro packages’ installation scripts are also trusted
- “trusted” doesn’t necessarily imply trustworthiness
- since “trustworthy” is what we want, there needs to be an explanation: it is simply a) the lack of resources regarding point 1. and b) an expectation that Fedora’s installation scripts are not crafted to be malicious regarding point 2 (so for b) it seems there is actually more trustworthiness assumed by the QubesOS team).
There indeed doesn’t seem to be a specific argument explaining why Fedora rather than e.g. Debian was chosen for dom0; some arguments for it have been provided here and elsewhere, but there is no complete, fully articulated position presented.