Re: [qubes-devel] Fwd: Debian derivatives census: Qubes: welcome!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Mar 06, 2017 at 02:13:00PM +0000, Patrick Schleizer wrote:
> Forwarding to qubes-devel@googlegroups.com.
>
> -------- Forwarded Message --------
> Subject: Debian derivatives census: Qubes: welcome!
> Resent-Date: Mon, 6 Mar 2017 06:23:25 +0000 (UTC)
> Resent-From: debian-derivatives@lists.debian.org
> Date: Mon, 06 Mar 2017 14:22:57 +0800
> From: Paul Wise <pabs@debian.org>
> Organization: Debian
> To: unman <unman@thirdeyesecurity.org>
> CC: debian-derivatives <debian-derivatives@lists.debian.org>
(...)
> I was under the impression that Qubes was based on Fedora.
You can use multiple different distributions on Qubes OS. Debian is one
of them:
https://www.qubes-os.org/doc/templates/
> Are you planning on a transition to being based on Debian?
> I see that Qubes does have an apt repository available.
> It would be interesting to hear about your plans here.
The repository there contain Qubes-specific packages for Debian
templates.
> Some of the Release files in the apt repository for Qubes are missing
> the Valid-Until header, which allows clients to find out when active
> network attackers are holding back newer Release files. At minimum,
> rolling releases and suites containing security updates should have this
> header. With reprepro you can use the ValidFor config option.
>
> https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until
In our current setup, we don't have a way to automatically periodically
upload new signed Release file. This means if we don't release new
packages for some period of time (larger than ValidFor setting),
repository will be treated as invalid, even if it isn't the case.
And setting ValidFor to a value large enough to mitigate the problem
(like 6 months) doesn't make much sense...
> The apt repository for Qubes does not contain source packages,
> including for packages licensed under the GNU GPL (Xen). This may or
> may not be a copyright violation depending on whether or not you
> distribute those elsewhere. In any case, please add source packages to
> your repository so that Debian can automatically create patches to be
> presented to Debian package maintainers.
>
> https://wiki.debian.org/Derivatives/CensusQA#No_source_packages
> https://wiki.debian.org/Derivatives/Integration#Patches
> https://compliance.guide/
https://github.com/QubesOS/qubes-issues/issues/1244
> I note that some of the packages in the Qubes apt repository use http
> instead of https in their Homepage or Description fields.
>
> The page is missing a dpkg vendor field. It is important that Debian
> derivatives set this properly on installed systems and mention the
> value of the field in the derivatives census.
>
> https://wiki.debian.org/Derivatives/Guidelines#Vendor
Unman, can you take care of those two?
> I note that Qubes is partly based on Debian stable. The Debian release
> team recently released a timeline for the freeze for the next Debian
> stable release. I would encourage you to review it and prepare your
> plans for rebasing on the next Debian release (stretch).
>
> https://lists.debian.org/msgid-search/20170205222956.tgkvf222frsmsj7j@powdarrmonkey.net
We already provide packages for stretch and run tests on it.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJYvrasAAoJENuP0xzK19csi6YIAI9l05UVmJGi5YP+6i5XcDFQ
OB3XMcKEUTPlw7AlJCauthdnPlMFdHcH1SSzaYsxO/LzO8KjisbwVeoI+xZXxYP+
XdDOYFfA3wpOhP1jlWe/EkvdGGWzE8WSkESG3zW2NLIfkunMWbKO/QairceceZGT
Zc0/bzEUrTs/VpMDGxZm9djD+qxj6Vmq9T5/RRUQxQOGuha6Oq7hobbitgrhV/jY
eynVYHC1mzJAoZqKDTCvT6sQXNYXRcJnxvq6A0A1rQgdkGegd4W7d1P6vFjCwIl5
fo4/GyOEQWOhTFfZ2SGQnxbp8o/psXJUnezWmcXW/6HTK1trUQM1MvOq1y6s4P4=
=eAei
-----END PGP SIGNATURE-----
Reply to: