Nonfree Qubes Software

Do the Qubes repos allow nonfree software? Does it allow for microcode or other software
with binary blobs?

Does Xen use non-free software?

Yes.

So if non-free software is a privacy and security risk, how can you call Qubes a privacy and security distro?

I don’t think anyone is calling Qubes a distro, or privacy-focused; it’s a security-focused OS.

You are going to need microcode mitigation if you want security, and that type of firmware is closed source.

Qubes isn’t libre; it’s shipped with closed source firmware, for the same reasons Debian recently changed the SC: it’s just not user-friendly not to include the firmware.

Debian is not considered fully libre by the FSF. You’re saying this is because of closed CPU microcode firmware?

You can google the answer, but yes, closed source firmware, not just the microcode, is a big part of the reason why.

So it’s not just CPU microcode

It’s tiring going over the same arguments over and over again, and I can
only suppose at this stage that you are trolling.

Here we are talking about microcode and firmware: Qubes includes both.
If there were free packages available Qubes would include them by
preference.

Your argument is flawed because the first premise is faulty.
There is no evidence that including non-free microcode is a privacy and security
risk per se.
There is ample evidence that not including non-free microcode is a privacy and security
risk per se.
Just because Qubes is a security distro it will include microcode
updates.

Because Qubes wants to make installation easier for many users
it includes some non-free firmware. (Debian has recently endorsed this
approach.)

That’s all.

If you prefer a distro that does not include microcode updates and hides
from the user the fact that they are then open to well known attacks,
use an FSF endorsed distro.
You’ll be less secure but that’s not your main concern.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

That’s an assumption indeed!

It’s better to use reliable non-free software rather than rely on security by obscurity like many little known Linux distros do. In fact, it has been said somewhere that Windows is much more secure than Linux thanks to its popularity and quick reactions to attacks.

It would still be better if Qubes OS got so popular it would be installed on every personal computer. We rely on strong foundations rather than obscurity and philosophy, that everything that is non-free shouldn’t exist.

Discussion on Hacker News.

Also, I think that Rutkowska correctly understood the security problems of proprietary firmware long ago, which led to the idea of the stateless laptop. A quote:

for years we have been, similarly, assuming the underlying hardware, together with all the firmware that runs on it, such as the BIOS/UEFI and the SMM, GPU/NIC/SATA/HDD/EC firmware, etc., is all. . . trusted.
But isn’t that a rational assumption, after all?
Well, not quite: today we know it is rather unwise to assume all hardware and
firmware is trusted. Various research from the last ten years, as discussed below,
has provided enough evidence for that, in the author’s opinion. We should thus
revisit this assumption. And given what’s at stake, the sooner we do this, the
better.

My not-against-proprietary-software friend once told me that I’m constantly buying and eating food for which the percentage of ingredients on the label is never 100%, yet I’m still eating it and never raised a movement against it, and it’s more (potentially) dangerous for my security.
Since then, I have stopped publicly defining myself on the matter.

Can someone explain this whole firmware thing to me? Last I heard firmwares were inside hardware chips, but now Qubes has its own firmwares too?

We discussed it here:

Just to be clear, this isn’t Qubes firmware. It is firmware provided
by the device manufacturer that is included in templates to make it easy
for users who have those devices to use them.

Everyone chooses their own battles, according to their own preferences, not necessarily according to the degree of danger (which is debatable, too!). Choosing “more serious” problems is not required; more important is to do something useful.

Yes.

That is no evidence.
It’s trivial to point to major bugs and security holes in libre
software: that means nothing.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.