← Back to context

Comment by fsflover

2 hours ago

> No, that's simply not the case.

You keep repeating this without providing any actual statistics. I provided statistics about Qubes vulnerabilities, https://www.qubes-os.org/security/xsa/. Show me the numbers please.

> anything in the disposable VM would be at risk.

This just shows that you don't understand the security approach of Qubes. You do not store anything important in a disposable. You run it specifically for one task of opening something untrusted and then it's destroyed. It's in the name: Disposable. Moreover, nothing prevents you from running Bubblewrap inside Qubes. Then one single VM will be as secure as your whole setup, and in addition, you get reliable isolation.

> Source? I assume they are referring to misconfigurations

You never give any actual reference, only I have to. Here you go: https://github.com/containers/bubblewrap.

> bubblewrap is not a complete, ready-made sandbox with a specific security policy.

> As a result, the level of protection between the sandboxed processes and the host system is entirely determined by the arguments passed to bubblewrap.

> Everything mounted into the sandbox can potentially be used to escalate privileges.

This is not a robust system designed for security first. You can use this to be (much) more secure than otherwise, but it's not a security-oriented design, unlike Qubes.

> Anything in the disposable VM is still at risk.

Which means nothing. Disposable can't store anything, it's destroyed every time you stop it.

> You've said before you don't have a lot of security knowledge and it continues to show.

I see the same about you. You keep repeating some myths about Qubes OS based on misunderstandings of its security approach. I don't have to be a professional in security to understand simple concepts. Qubes is not an OS made for professionals but for users.

> Qubes doesn't offer any more security than having a bunch of different machines to do different tasks on.

Yes, it does: https://doc.qubes-os.org/en/latest/introduction/faq.html#how...

> SEL4, ASOS and CuBit are all more secure than Qubes.

Do I have to trust you on this, or do you have any reasonable reference to security people? You don't even provide your threat model when saying this, which clearly shows how amateur your approach to security is.

> I'm just refuting your preposterous zealotry for it

Relying on professionals in the field is not zealotry. In contrast, you show exactly the latter. I see no references.

> The developers of Qubes would absolutely disagree with your claims.

This is plain false:

https://doc.qubes-os.org/en/latest/introduction/faq.html#wha...

https://doc.qubes-os.org/en/latest/introduction/faq.html#how...

https://doc.qubes-os.org/en/latest/introduction/faq.html#wha...

https://doc.qubes-os.org/en/latest/introduction/faq.html#why...

0 comments

fsflover

Reply