5 posts were split to a new topic: Porting Whonix to Void Linux
Sorry for the late out of context reply, but I just saw this nice thread and want to specifically question the statement that Debian is a massive issue. I should note that I don’t personally use Debian and am not attached to it in any way.
It is well known that Debian stable is (intentionally) very much behind in general software updates, but is the situation really the same for security updates?
It’s worth noting that Debian also has the Testing and Unstable versions that get updates much faster.
More generally, is there available data on the response time to security issues of various Linux distros?
I know of no such resource, but I would think that since Debian is so popular and has a lot of developers and corporate users (for example Google uses Debian as the desktop OS for most engineers), it can’t be much behind other distros.
I think you made a lot of good points in this post and the previous one. Namely, I agree that isolating applications from one another and the system (especially network facing ones) is the biggest issue to tackle (which, as mentioned above, is “on the roadmap” of Whonix).
I’d just like to comment regarding xpra/X11: although I’m not very knowledgeable about it, I don’t think it’s the same as the X security extensions that failed. Specifically, it runs a separate rootless X server for each client, which means it should be fully transparent to the clients, making it less likely to break any programs. The main issue I foresee is clipboard sharing, though this will be a usability issue and shouldn’t break any programs. To mitigate this, it may be possible to give every program write-only access to the global clipboard, and provide a way for them to give the programs read access that is fully transparent to the programs.
Wayland seems like a better long-term solution, but it also suffers from some usability issues.
Debian (and others like Ubuntu, etc.) freezes packages for a long time and only backports security fixes that receive a CVE, which misses the majority of them. Most fixes don’t receive CVEs because either the developer doesn’t care or because it’s not obvious whether a bug is exploitable at first.
Debian maintainers cannot analyze every single commit perfectly and backport every security fix. They have to rely on CVEs which people don’t use properly.
For example, the Linux kernel is extremely bad at this:
presentation-cve-is-dead/cve-linux-kernel.pdf at master · gregkh/presentation-cve-is-dead · GitHub
Freezing packages is never a good approach. Debian is a major issue and I really think we should switch.
A good post on this: Musl as default instead of glibc · Issue #90147 · NixOS/nixpkgs · GitHub
In that case, I guess you could also use Debian unstable?
No, there is no sane Debian version. Debian unstable is potentially even worse since the Debian security team only work on stable.
Madaiadan, appreciate your efforts to harden Whonix, but I didn’t understand what the suggested base OS was, if any?