Why is Qubes OS project team so small?

Besides raising issues we need people who will contribute, in any
capacity. I suggested areas, and made some proposals to move forward.

@unman

Would it be possible to have an up-to-date task list of what actually needs to be done, so that a newcomer may start contributing fairly quickly without having to acquire a mountain of knowledge?

What I mean is: Looking at ~2k issues is not encouraging that at all (especially when there are “critical” ones from 2015). One would rather get lost in that and give up in 10 minutes.

Example:

  • fix typos in doc X, Y, Z (required skills: English language)
  • refactor code in files A, B, C (required skills: Python)
  • create a script for … (required skills: shell scripting)
  • create functionality for … in … (skills: C, …)
  • etc

Individual tasks may be linked to actual issues or milestones and a project manager will check each fulfilled task. Contributors may receive some kind of reward/score for each successfully fulfilled task, so they are recognizable in the community for their contribution. Based on pre-defined thresholds a contributor may receive extra rights, e.g. to add items to the task list and so on.

There is a help wanted label on GitHub: Issues · QubesOS/qubes-issues · GitHub


There’s also the good first issue label, which is currently on only four issues.


None of these 2 links is quite what I mean.

Well, there’s also the Current team tasks board, which shows what the team is actively working on at any given time.

Well, there’s also the Current team tasks board, which shows what the team is actively working on at any given time.

Shows an empty page in Tor Browser with JS disabled.


Do you really believe a Whonix DispVM with JS enabled (which is the default because it actually keeps your fingerprint less unique: Qubes Disposables) will learn your identity just by enabling JS on that one site? I have difficulty imagining that, NSA are not gods.

There is also fingerprinting using hardware benchmarking:
https://www.pcmag.com/news/gpus-can-be-exploited-for-privacy-invasive-browser-fingerprinting
But I’m not sure how accurate this fingerprinting could be.


Do you really believe a Whonix DispVM with JS enabled (which is the default because it actually keeps your fingerprint less unique: Qubes Disposables) will learn your identity just by enabling JS on that one site? I have difficulty imagining that, NSA are not gods.

“In the stock Tor Browser configuration, JavaScript is enabled by default for greater usability.”


Did you read the Wiki page I linked?

A decision must be made in advance whether to disable JavaScript by default. There is a usability-security trade-off to consider: fingerprinting and usability is worsened by disabled JavaScript, but this provides better protection against vulnerabilities. Conversely, enabled JavaScript improves usability and increases the risk of exploitation, but the browser fingerprint is (likely) more common.

Security vulnerabilities likely don’t concern us in DispVMs, so better to have less unique fingerprint.

Did you read the Wiki page I linked?

The quote I provided is from a link from that same page (which you now provide back to me).

You asked:

Do you really believe […] NSA are not gods.

This is not about religious belief but about technical possibility. Having JS enabled does not reduce (or increase) your fingerprint per se. It reduces the possibility for more accurate fingerprinting, as JS can measure much more of your system (and your browsing behaviour). Whether you trust the remote host (part of the distrusted infrastructure) will use that possibility or not is up to you.

Compare these cases:

(A) JS enabled - you are “less unique” and the remote host can detect your OS, browser resolution, profile your moves, etc. How do you think Google Analytics, Hotjar and the like work?

(B) JS disabled - you are “more unique” and the remote host cannot do any of the above. The only “extra info” it has about you is that you refuse to provide that additional data. Bonus: you are immune to potential new Spectre-like vulnerabilities.

Anyway, this is going off-topic, so either request a thread split or we better stop.
