[qubes-users] Is Fedora Really A Good Choice For Qubes OS?

We all know Fedora is a big name, but is it a good choice for a security-driven OS like Qubes OS to be based around?

I found it interesting reading that the attack surface was mentioned for some things related to Qubes OS: because they were small in size, like the code, not containing much, the attack surface was limited.

Ok, GREAT point, but what about the IDEA that if you use a BIG DISTRO like Fedora, with the MASSIVE SIZE of the repos and the software contained in it, this sounds like a BIG ATTACK SURFACE? Instead, going with a smaller distro with a smaller attack surface, considering it on the level of the package/repo size and the smaller amount of people involved, I personally think is a smarter choice.

Look at Slackware as an example. I believe on the level of package security it has a smaller attack surface when compared to Fedora, by the limited amount it contains in its repo and the smaller amount of people involved with the code.

I believe if you limit the amount of hands dealing with code you also limit the amount of bugs being introduced by all the mistakes all these hands can make. Of course a lot more hands is sometimes good to fix things, but I hope you can see the point here.

Like I heard it mentioned before; 'Less hands in the cookie mix makes for less of a cooking mess' and I think this can also apply to code.

I personally think that if Qubes OS needs to be based off of another distro because of the skills needed to make it from scratch, or limited resources, there are much better choices to go with from a security standpoint instead of Fedora.

What do others here think?

It was already discussed some time ago on the devel list...

Joanna likes fedora - that is the reason :wink:

I also think that this is not the right one for this job.
My only real problem is that Fedora is a testing distro with a really
short lifetime...

If I had to choose I would prefer Gentoo (or another 'from scratch' one).

Actually anyone can make a new template based on any distribution...
but I do not have time to do any work on it. :frowning: - So I'm just trying to
live with this situation right now :slight_smile:

Also, thanks to Olivier's work, there is also an Archlinux template available (for
manual build, but still).

Actually it was Rafał who liked it! :slight_smile:

I think the choice of the distro for the AppVMs is of negligible
importance. Most of the desktop functionality (like the desktop
environment) is removed by Qubes anyway. So, it just comes down to the
pkg manager, specifically to the yum/rpm vs. apt/deb religious wars.

The choice of Dom0 distro is of more concern, and ideally we could have
a custom distro here (at least a forked one and maintained by us). But
the problem is that, at least currently, Dom0 also serves as a GUI
domain, and so it should have the latest Desktop Environment and Xorg
drivers to make the GUI look slick :wink: (And to support the latest GPUs).

In Qubes R3 we plan to split Dom0 into "the actual Dom0" AKA admin
domain, and the GUI domain. Then we could probably use some minimal,
custom distro for the Dom0/Admin domain, and some
whatever-your-preferences-are distro for the GUI domain. Secure,
reliable GPU passthrough is needed for this, of course.

joanna.

I think the hardest problem here is people putting aside their distro war differences.

Here I see Joanna mention this: 'it should have the latest Desktop Environment and Xorg drivers to make the GUI look slick'.

No offense intended for you Joanna, but I hope that was meant as a joke. Just because you have the latest DE and an up-to-date system does not mean it works well at all.

People seem to FORGET one simple thing ----> STABILITY!

Without stability none of it matters if you're always running into performance issues and things breaking all the time, and that is something I constantly see with most distros.

All distros have their pros & cons, but the truth is that because Slackware is one of the simplest distros, you hardly run into issues like with most distros.

So let's put our personal differences aside and talk facts. The fact is Slackware is the most stable and least troublesome of all distros, and it's the oldest too, for one good reason: it's built on a simple principle of STABILITY over bells & whistles, and if you need some of the latest goodies then you can certainly go out there, grab it and compile it yourself. Making Slackware packages and adding in dependencies for them is not that complicated once you've done it.

Let me make this clear: I like all Linux distros, they all have something different they bring to the table, and any Linux in my book is better than Windows! But the FACT is, again, no one can touch Slackware for its STABILITY!

So we want a SECURE OS, but what good is it if it's always having problems, things breaking, crashes, etc...? And if you're going to build this OS around Fedora, then be prepared for A LOT of breakage in the future.

Security does not always need the LATEST UNLESS there is a SECURITY ISSUE that needs fixing. Security should be more CONCERNED with STABILITY! :slight_smile:

NOW, with all the distros out there, does everyone run into issues all the time? NO, but then again, bugs are called bugs for a reason; not everyone gets them. But when you compare all the problems of other distros to Slackware, Slackware has the least amount, and it's not just because of more experienced users; it's because Patrick Volkerding builds a distro that's stable and has always been the most stable of any distro out there.

Cheers :slight_smile:

For when you are a fan of a distro and think its security is good...

Some food for thought...

Does distro X's package manager defeat the TUF [1] threat model?

What build hardening features [2] does it use?

[1] https://www.updateframework.com/projects/project/wiki/Docs/Security
[2] To get some names such as ASLR, RELRO, etc., see [3]. (I am not
advocating Ubuntu [4].)
[3] https://wiki.ubuntu.com/Security/Features
[4] https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

Mailbe User:

With Threat Model being mentioned, I think that also makes Slackware
a very good choice given package management in Slackware is very minimal and
simplistic.

I am not convinced that simplicity is everything one needs to safely
implement things. The most simplistic package manager doesn't do
verification; in consequence, any man-in-the-middle can install malicious
software.

A more sophisticated, still simplistic package manager does
verification, but doesn't detect rollback attacks. In this case, a
man-in-the-middle can ship known vulnerable packages.

Simplicity doesn't work well in all threat models.

It's not about what you think, it's about hard facts you can back up with
references. Otherwise you won't convince anyone.
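The three levels of package-manager assurance adrelanos describes (no verification, signature only, signature plus rollback and freshness checks) can be made concrete with a small client-side check. This is an added example, not code from the thread or from any real package manager; it uses an HMAC with a constructed shared key as a stand-in for the repository's signature, and the metadata layout (`version`, `expires`, `packages`) is a hypothetical simplification of what TUF-style repository metadata carries.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the repository signing key. Real repositories
# use asymmetric signatures; the checks below are the same either way.
REPO_KEY = b"constructed-demo-repo-key"


def sign_metadata(meta: dict, key: bytes = REPO_KEY) -> dict:
    """Repository side: sign a canonical JSON encoding of the metadata."""
    body = json.dumps(meta, sort_keys=True).encode()
    return {"meta": meta, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_metadata(signed: dict, last_seen_version: int, now: int,
                    key: bytes = REPO_KEY) -> tuple:
    """Client side. Returns (accepted, reason).

    Signature check alone stops tampering but not replay of old, validly
    signed metadata (the rollback attack); the version and expiry checks
    close that gap, following the TUF threat model referenced in the thread.
    """
    body = json.dumps(signed.get("meta", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("sig", "")):
        return False, "bad signature"
    meta = signed["meta"]
    if meta["version"] < last_seen_version:
        return False, "rollback: metadata older than last seen version"
    if meta["expires"] < now:
        return False, "stale: metadata expired"
    return True, "ok"


# Constructed sample metadata: an old snapshot shipping a package version the
# repository has since replaced, and the current snapshot that replaced it.
OLD = sign_metadata({"version": 3, "expires": 1000,
                     "packages": {"examplelib": "1.0.1"}})
NEW = sign_metadata({"version": 5, "expires": 2000,
                     "packages": {"examplelib": "1.0.2"}})
# A man-in-the-middle edits the package list but cannot re-sign it.
TAMPERED = {"meta": dict(NEW["meta"], packages={"examplelib": "1.0.1"}),
            "sig": NEW["sig"]}


def demo() -> dict:
    """Client that has already seen version 5, evaluating at time 1500."""
    return {name: verify_metadata(s, last_seen_version=5, now=1500)
            for name, s in (("current", NEW), ("tampered", TAMPERED),
                            ("replayed_old", OLD))}
```

A client that only checks the signature (`last_seen_version=0`, `now=0`) accepts `OLD` as readily as `NEW`; that is the "verification but no rollback detection" case.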


adrelanos:

Mailbe User:

With Threat Model being mentioned, I think that also makes Slackware
a very good choice given package management in Slackware is very minimal and
simplistic.

I am not convinced that simplicity is everything one needs to safely
implement things. The most simplistic package manager doesn't do
verification; in consequence, any man-in-the-middle can install malicious
software.

A more sophisticated, still simplistic package manager does
verification, but doesn't detect rollback attacks. In this case, a
man-in-the-middle can ship known vulnerable packages.

Simplicity doesn't work well in all threat models.

It's not about what you think, it's about hard facts you can back up with
references. Otherwise you won't convince anyone.

Moreover, I think there might be an argument for larger, more popular
distros, and that is the argument regarding corruptibility and the
ability for a community to detect it.

If a malicious change is introduced to a package by a rogue or coerced
developer, it stands to reason that the larger distros are more likely
to detect the change. This is due to the fact they have more eyeballs
and more rigorous QA policies.

~abel

Slackware is simple with respect to what the word means, but it also means that there isn't a lot of code underlying it, therefore also making it a smaller attack surface. This is the simplicity that was being referred to: a small amount of code and a smaller attack surface.

Bigger distros also mean there's more ground to cover to keep a lookout for problems. In layman's terms, think of a 1 square kilometre area you are trying to find a termite in, then consider looking for that same termite in only a 10 metre area.

It's my understanding that Slackware's development is in-house only, which brings a higher level of code quality, eliminating problems from the beginning. Now their code development and in-house detection only need to cover a 10 metre area against that termite trying to chew the place up, instead of something like Fedora where they have to cover 1 square kilometre of area to find the attacker.

I don't believe bigger is always better, and smaller distros that have been around at the level of the likes of Slackware are a testament to this.

I might be wrong in what others think about this, but personally, out of the box I think that Slackware is as close as you get in the Linux world to the BSDs like OpenBSD.

There's no sense in the simpler versus complex argument. If you want a simple framework, then clearly Qubes or virtualized OSes are not what you seek. VM domains do in fact represent a higher level of complexity, like an OS in which to install another OS, i.e. more complexity. It depends on what you are trying to accomplish.

Trying to find or prevent bugs, yes, you will want a simpler framework. On the other hand, trying to prevent an attacker from finding an exploit, a more complex framework is preferred. The devil, as they say, is in the details.

I also would like to add that while not everyone is nor can be a security expert, we all need security. I like to do media, web design, writing and a host of other things that rely on security amongst other things, but that cannot be effectively achieved if my only focus is security. The division of labor is a problem because it is easy to relegate people to thankless and tedious tasks while others do the creative work while simultaneously building their repertoire. You cannot build a knowledge repertoire if you are only doing menial tasks, but we are all limited, no one knows everything, and the tedious labor needs to be done one way or the other. The issue, I guess, is not the division of labor per se but that the division of labor is often used to relegate some to certain forms of work exclusively, regardless of capability.

Not sure if this is totally germane, but I felt it needed saying. There's lower-level discussion happening here, I think.

I also believe we need a good stable & secure platform and I think that Slackware better represents this over Fedora.

It's also my understanding that Slackware is a more secure system compared to Fedora; Fedora just offers more goodies to end-users who want a more complete out-of-the-box experience.

ears.box@gmail.com:

I also believe we need a good stable & secure platform and I think
that Slackware better represents this over Fedora.

I hate to say it, but when it comes to security, it's not about what you
believe or think. It's about facts, which you can back up with references.

It's also my understanding that Slackware is a more secure system
compared to Fedora; Fedora just offers more goodies to end-users
who want a more complete out-of-the-box experience.

I don't know so much about Fedora, but for the sake of argument, let's
swap Debian in for Fedora.

It's also my understanding that Slackware is a more secure system
compared to Debian; Debian just offers more goodies to end-users
who want a more complete out-of-the-box experience.

The out-of-the-box user experience isn't relevant here. Debian is being
made by many people. I haven't found exact numbers, but many. The out-of-
the-box user experience you may be referring to here comes from a Live DVD or
default installer DVD.

For example, the software "gnupg" might be securely (by whatever
standards) packaged as the "gnupg" package. And in theory, the maintainer of
the "gnupg" package might not agree with the package selection for
the final default installer DVDs, or not be interested in that. ("gnupg"
randomly chosen as an example.)

What gets installed by default is the work of a specific person or team
on that topic; sure, many others may influence that process. If you read
the questions/answers of tasksel (http://joeyh.name/code/tasksel/faq/) it
seems that many don't agree. (tasksel is an important piece of the installer,
defining what set of packages gets easily installed.)

When a distribution installs too much and you prefer a minimal system,
that makes a bad first impression. Sure.

But what does this have to do with the quality of the individual
packages? What does this have to do with the security of its package
manager? What does this have to do with the security of Debian
infrastructure?

Just because Debian has more packages in its repository than
minimalistic distributions, it doesn't follow that Debian is less secure.
Packages are maintained by maintainers, teams of maintainers and the
security team (and...).

I am not sure what you think. It's not like 300 Debian Developers are all
working on the same packages/things (such as infrastructure, QA,
packaging, installer) and collectively agreeing to make a distribution
that installs lots of packages by default. Rather, individual developers or
teams maintain package(s) and/or work on other tasks.
Compartmentalization. Not everyone works on everything, and the final
result of everyone's individual work is not a distribution with a Gnome
default desktop.

In big distributions, things like "just offers more goodies to the
end-user" or "want a more complete out of the box experience" are
additional features. Not the focus of everyone involved or the only
features. Nor an indicator that this distribution isn't a good base for
a minimal derivative distribution.

I've used mostly Debian and very little Slackware, Arch or Gentoo. My understanding with Gentoo is that the package manager is actually an automated compiler. This is not like Debian and Fedora(?), which install binaries, and so is more secure. You do not have to trust every person who compiled the binaries, only whoever was involved in compiling the package manager.