OS requirements/page: add a security tracker? (and otherwise think of the OS requirements) #1370
Reference: privacyguides/privacytools.io#1370
d344dffd0b/.github/CONTRIBUTING.md (oses)
I would like to add a requirement for having a security tracker or posting security advisories, and list them on the OS page, as currently there is nothing to judge their security or response to security issues from.
SSL_ERROR_INTERNAL_ERROR_ALERT on puppylinux.org for me)

Should we also require that the OS is not owned by a business/corporation?
Lol, no.
One requirement is probably at least having microcode updates available as we have rejected some based on that? https://github.com/privacytoolsIO/privacytools.io/issues/1404
That would exclude fully free distros, right?
I don't know, did anyone ever find out how they handle microcode? And we have already been closing them out with microcode being a factor in https://github.com/privacytoolsIO/privacytools.io/issues/936#issuecomment-493655147, https://github.com/privacytoolsIO/privacytools.io/pull/978#pullrequestreview-247364516 and https://github.com/privacytoolsIO/privacytools.io/issues/1146#issuecomment-520619725.
Quoting @blacklight447-ptio from the last one:
This would serve no purpose.
If we do want to make a requirement, a sensible one would be reproducible builds with continuous tests.
The other requirement I would make is to only recommend mainstream distributions, and not ones designed to run on specific OEM hardware.
Microcode updates should be applied. They often fix critical security flaws. Yes, it's a blob; accept it, you're on x86_64 and that is not a free platform.
Realistically, purists complaining about microcode but trusting the silicon is just silly.
Hopefully one day we will have a decent and affordable RISC-V platform. Until then I guess there are the POWER9 solutions from Raptor Computing Systems.
In regard to the topic at hand, I think a security tracker would be duplicating what distributors already provide. If you use a Debian based distro you should look at DSA, or trust your distribution is maintained well enough that you do not have to.