Hi unman,

I would like to welcome yourself and Qubes to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and Qubes to us all?

https://wiki.debian.org/Derivatives/Census/Qubes

It would be great if you could join our mailing list and IRC channel:

https://wiki.debian.org/DerivativesFrontDesk

I would encourage you to look at Debian's guidelines for derivatives:

https://wiki.debian.org/Derivatives/Guidelines

You may want to look at our census QA page, some of the mails from there may apply to Qubes.

https://wiki.debian.org/Derivatives/CensusQA

You don't appear to be subscribed to the Qubes census page, I've made a few changes to the Qubes census page:

https://wiki.debian.org/Derivatives/Census/Qubes?action=info

I was under the impression that Qubes was based on Fedora. Are you planning on a transition to being based on Debian? I see that Qubes does have an apt repository available. It would be interesting to hear about your plans here.

Some of the Release files in the apt repository for Qubes are missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option.

https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until

The apt repository for Qubes does not contain source packages, including for packages licensed under the GNU GPL (Xen). This may or may not be a copyright violation depending on whether or not you distribute those elsewhere. In any case, please add source packages to your repository so that Debian can automatically create patches to be presented to Debian package maintainers.

https://wiki.debian.org/Derivatives/CensusQA#No_source_packages
https://wiki.debian.org/Derivatives/Integration#Patches
https://compliance.guide/

I note that some of the packages in the Qubes apt repository use http instead of https in their Homepage or Description fields.

The page is missing a dpkg vendor field. It is important that Debian derivatives set this properly on installed systems and mention the value of the field in the derivatives census.

https://wiki.debian.org/Derivatives/Guidelines#Vendor

I've added the Qubes blog to Planet Debian derivatives which helps the Debian community find out the things that are happening in the world of Debian derivatives. I note that the automatically detected feed URL does not use TLS because the link in the HTML is http not https.

http://planet.debian.org/deriv/

This year the annual Debian conference is in Montreal, Canada. It would be great if developers from Qubes could attend DebConf. The CfP for DebConf17 is currently open, this might be a good opportunity to talk about the relationship between Qubes and Debian. If this isn't possible, next year DebConf18 will be in Hsinchu, Taiwan.

https://debconf17.debconf.org/
https://debconf17.debconf.org/cfp/

I would encourage Invisible Things Lab and the other Qubes sponsors to contribute financially to ensure the continued survival of Debian and the success of the annual Debian conference.

https://www.debian.org/donations
https://debconf.org/sponsors/
https://debconf17.debconf.org/sponsors/become-a-sponsor/

I would encourage any attendees to volunteer to ensure the continued success of the annual Debian conference, here are some examples of things that need helpers.

https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination

I note that Qubes is partly based on Debian stable. The Debian release team recently released a timeline for the freeze for the next Debian stable release. I would encourage you to review it and prepare your plans for rebasing on the next Debian release (stretch).

https://lists.debian.org/msgid-search/20170205222956.tgkvf222frsmsj7j@powdarrmonkey.net

I note that Qubes is partly based on Debian unstable. A great way to help ensure that the next Debian release works well is to install and run the how-can-i-help tool and try to work on any issues that come up.

http://www.lucas-nussbaum.net/blog/?p=837
https://packages.debian.org/unstable/how-can-i-help
https://wiki.debian.org/how-can-i-help

I note that Qubes also has wheezy in the apt repository. The Debian long-term security team has announced an LTS effort for wheezy. I would encourage Qubes to help out with this effort financially and/or with developer time.

https://www.debian.org/News/2016/20160425
https://wiki.debian.org/LTS

Is Qubes collaborating with other related distros like Tails, Subgraph etc?

You might want to consider adding DNSSEC to your domains and TLSA records to your domains. You might also want to reconsider Cloudflare :)

Please feel free to circulate this mail within the Qubes team.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
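The Valid-Until point raised in the mail above, as an added example that is not part of the original message and is not Debian's or Qubes' code: a repository-side check that classifies a Release file by whether a client could ever detect a held-back copy of it. The two sample Release files and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release files (not taken from the Qubes repository).
RELEASE_WITH_EXPIRY = """\
Origin: Example
Suite: stable
Date: Sat, 01 Apr 2017 12:00:00 UTC
Valid-Until: Sat, 08 Apr 2017 12:00:00 UTC
Architectures: amd64
"""
RELEASE_WITHOUT_EXPIRY = """\
Origin: Example
Suite: stable
Date: Sat, 01 Apr 2017 12:00:00 UTC
Architectures: amd64
"""

def release_fields(text):
    """Parse top-level 'Key: value' fields; indented hash-list lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def freshness(text, now):
    """Return 'no-expiry', 'expired' or 'fresh' for a Release file at time `now`.

    Assumes the signature (InRelease / Release.gpg) was already verified;
    Valid-Until only means something inside signed data.
    """
    fields = release_fields(text)
    if "valid-until" not in fields:
        # A validly signed old copy can be replayed forever: the client has
        # no way to tell that newer Release files are being held back.
        return "no-expiry"
    valid_until = parsedate_to_datetime(fields["valid-until"])
    return "expired" if now > valid_until else "fresh"

if __name__ == "__main__":
    replay_time = datetime(2017, 5, 1, tzinfo=timezone.utc)  # a month after signing
    for name, text in (("with", RELEASE_WITH_EXPIRY), ("without", RELEASE_WITHOUT_EXPIRY)):
        print(name, "Valid-Until:", freshness(text, replay_time))
```

Run against each suite's Release file after publishing, a result of `no-expiry` marks the suites where the ValidFor option mentioned in the mail still needs to be set.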