Re: [Tails-dev] SecureDrop and Tails vs Qubes

Delete this message

Reply to this message
Author: u
Date:  
To: tails-dev
Subject: Re: [Tails-dev] SecureDrop and Tails vs Qubes
Hi!

Loic Dachary:
> On 12/14/2017 11:31 AM, sajolida wrote:
>> Loic Dachary:
>>> It was suggested to launch a thread
>>> (https://labs.riseup.net/code/issues/15052#note-3) about the reasons
>>> why SecureDrop is working on a Qubes based workstation for
>>> journalists as an alternative to using an airgap tails. Conor & Jen
>>> are cc'ed so they can comment on this.
>>
>> Thanks for starting this discussion!


>> Given that Tails will probably remain relevant in the SecureDrop
>> ecosystem for a while (for example on the source's side), my intention
>> with this thread is to:
>>
>> * Have more feedback from SecureDrop about the Tails in general,
>> hopefully opening communication channels that can be fruitful for the
>> future. I don't remember much discussion on public channels between
>> Tails and SecureDrop in the past.
>>
>> * Understand what Tails should do to be more relevant in similar
>> contexts ("Tails for journalists and their sources").
>>
>>> IMHO the most prominent ones are>
>>> * Qubes is not amnesic and the user can customize it more easily than
>>> Tails
>>> * Tails is amnesic, usable with an airgap workstation and more
>>> secure than Qubes
>>>
>>> * Adding a software distribution channel to a Qubes workstation is
>>> easy while creating and distributing tails derivatives is
>>> challenging and discouraged
>>
>> I agree with "challenging". I partly disagree with "discouraged".
>
> I meant to say I was discouraged by https://tails.boum.org/contribute/derivatives/ not that tail discourages it, sorry about that. My hunch is that it would take me at least three months full time to come up with a derivative addressing all problems (i.e. security releases, quality assurance process, automatic upgrades, ...). And most likely another three months before recommending that someone uses it for real. This is taking into account that I have experience with packaging, Q/A automated or manual and release management.


Creating a derivative does not only involve creating the derivative, but
maintaining it. As you might know, we release Tails every 6 weeks, based
on the TorBrowser & FF ESR schedule.

I believe that this is not necessarily the way to go. Instead, it would
be useful to know what SecureDrop is missing in Tails that it finds in
Qubes, and how this might be addressed. So instead of creating a
derivative, it seems more interesting to me at first sight to try to
contribute improvements to Tails.

Cheers!
u.