Q: Installing additional software

Ulrich Windl
Jan 15, 2021, 6:41:08 PM
to qubes...@googlegroups.com
Hi!

I have a question about installing additional software (e.g. GIMP in
debian-10):
The options I see are:
1) Install it in some AppVM based on debian-10
2) Clone debian-10 template and install software there. Create some
AppVM based on that template

I'd guess 1) needs less space, but for 2) I'm not sure what happens when
updates are applied to both, the template and the AppVM.

Regards,
Ulrich

unman
Jan 15, 2021, 7:11:01 PM
to Ulrich Windl, qubes...@googlegroups.com
1. needs less space, but at the expense of security, since all AppVMs
based on that template will have a large number of
applications/libraries which may be ripe for exploit.

I'm not altogether clear on what you mean here. You then have two
templates which will need updating - unless you are using a caching
proxy instead of the standard tinyproxy, this is going to take time and
suck up bandwidth.
You can, naturally, update the AppVM separately from the template, as
usual, but updates will be lost on reboot. (I do this sometimes when I am
checking on updates/installs or configuration changes: one of the great
things about Qubes.)

Sven Semmler
Jan 15, 2021, 7:34:34 PM
to qubes...@googlegroups.com
On 1/15/21 6:10 PM, unman wrote:
> at the expense of security, since all AppVMs based on that template
> will have a large number of applications/libraries which may be ripe
> for exploit.

Could you please elaborate? I am not sure I understand.

> I'm not altogether clear on what you mean here.

I understood

1) AppVM based on debian-10 and install gimp in AppVM. The OP might or
might not be aware of binds/persistence.

2) New template cloned from debian-10 which gimp is then installed into.
AppVM is based on that new template.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

unman
Jan 15, 2021, 8:39:31 PM
to qubes...@googlegroups.com
On Fri, Jan 15, 2021 at 06:35:13PM -0600, Sven Semmler wrote:
> On 1/15/21 6:10 PM, unman wrote:
> > at the expense of security, since all AppVMs based on that template
> > will have a large number of applications/libraries which may be ripe
> > for exploit.
>
> Could you please elaborate? I am not sure I understand.

Many attacks rely on chaining exploits and loopholes in an assortment of
applications and libraries.
You see this very often in "capture the flag" contests, and in real
world attacks.
If you use a single template and load it with software (and therefore
associated libraries) you have significantly broadened the attack
surface: this is particularly so if you install "recommended and
suggested" packages.
By contrast, if you use a minimal template and install a single
application, the attack surface is smaller.
If you have a template loaded with file viewers, office applications and
drawing software, it will undoubtedly be extremely useful. But the
attack surface is large. If you use that template as the basis for your
mail reader, for example, then there is scope for an attack using a crafted
email attachment.
But if you use a minimal template with a good mail reader like mutt,
and open all the attachments in an offline disposable VM based on that
extensive template, the risk to your mail reader, and by extension
your Qubes system, is reduced. (Note, reduced but not removed.)

In my system, almost *all* my working qubes are based on adapted minimal
templates, and most of them, including my mail qubes, are offline.
This may be why I have an unholy number of templates.
File storage qubes are exactly that - they store files. If I want to
view, or edit, I do it in an offline qube: I *have* to do it in another
qube, because the storage qubes don't have the capacity for anything
except plain text editing (and imagemagick, and some python and....).
Are there risks? Of course.

>
> > I'm not altogether clear on what you mean here.
>
> I understood
>
> 1) AppVM based on debian-10 and install gimp in AppVM. The OP might or might
> not be aware of binds/persistence.

I didn't hear this in what OP wrote.

Sven Semmler
Jan 15, 2021, 9:24:04 PM
to qubes...@googlegroups.com
On 1/15/21 7:39 PM, unman wrote:
> If you use a single template and load it with software[...] By
> contrast, if you use a minimal template and install a single
> application, the attack surface is smaller.

Now I see.

> In my system, almost *all* my working qubes are based on adapted
> minimal templates, and most of them, including my mail qubes, are
> offline.

I do the same.

> This may be why I have an unholy number of templates.

Which is no issue thanks to apt-cacher-ng

> If I want to view, or edit, I do it in an offline qube: I *have* to
> do it in another qube,

Absolutely. Now it's clear. Thank you!

Peter Funk
Jan 18, 2021, 7:27:39 AM
to unman, qubes...@googlegroups.com
unman wrote on Saturday, 16.01.2021 at 01:39:
...
> Many attacks rely on chaining exploits and loopholes in an assortment of
> applications and libraries.
> You see this very often in "capture the flag" contests, and in real
> world attacks.
...
> Are there risks? Of course.

Sorry for stealing this thread and jumping to a related topic:

If someone is going to attack my digital life I would like to
know about it.

What do you think about HIDS (host-based intrusion detection systems)?

For example https://www.la-samhna.de/samhain/index.html is such a
system. While your point about broadening the attack surface will
certainly also apply to such additional software, it might on the other
hand help to get hints that you, or more specifically a certain qube of
yours, is currently being attacked.

Best regards (or in German: Liebe Grüße), Peter Funk
--
Peter Funk ✉:Oldenburger Str.86, 27777 Ganderkesee, Germany; 📱:+49-179-640-8878

Ulrich Windl
Feb 1, 2021, 4:59:12 PM
to qubes...@googlegroups.com
On 1/16/21 1:10 AM, unman wrote:
> On Sat, Jan 16, 2021 at 12:41:04AM +0100, Ulrich Windl wrote:
>> Hi!
>>
>> I have a question about installing additional software (e.g. GIMP in
>> debian-10):
>> The options I see are:
>> 1) Install it in some AppVM based on debian-10
>> 2) Clone debian-10 template and install software there. Create some AppVM
>> based on that template
>>
>> I'd guess 1) needs less space, but for 2) I'm not sure what happens when
>> updates are applied to both, the template and the AppVM.
>>
>> Regards,
>> Ulrich
>>
>
> 1. needs less space, but at the expense of security, since all AppVMs
> based on that template will have a large number of
> applications/libraries which may be ripe for exploit.
>
> I'm not altogether clear on what you mean here. You then have two

Sorry for the late response: I mean if I install e.g. GIMP in an AppVM
based on debian 10, what happens if I update the AppVM first (updating
some parts of debian 10 and GIMP) and later I update the debian10
template: Couldn't there be conflicts between the updates in the AppVM
and the template? If not, wouldn't that waste space by keeping some
updates more than once?

> templates which will need updating - unless you are using a caching
> proxy instead of the standard tinyproxy, this is going to take time and
> suck up bandwidth.
> You can, naturally, update the AppVM separately from the template, as
> usual, but updates will be lost on reboot. (I do this sometimes when I am
> checking on updates/installs or configuration changes: one of the great
> things about Qubes.)

If the AppVM is not a disposable one, the updates are still lost?
Wouldn't that mean any (e.g.) update for GIMP would be lost as well?

Regards,
Ulrich

Ulrich Windl
Feb 1, 2021, 5:04:00 PM
to qubes...@googlegroups.com
So you don't base AppVMs on the minimal template, but have multiple
"adjusted" almost-minimal templates? And you make AppVMs from those or
disposable VMs?
I guess you have a special update cache also, as otherwise you spend
hours with updating.
Can you explain a bit more?

Sven Semmler
Feb 1, 2021, 5:48:37 PM
to qubes...@googlegroups.com

> So you don't base AppVMs on the minimal template, but have multiple
> "adjusted" almost-minimal templates?

Unman is the actual maintainer of the debian templates
(https://www.qubes-os.org/team/#unman)

My understanding of what he wrote is that he bases "almost *all*" of his
"working qubes" on "adapted minimal templates". Meaning on
debian-minimal plus specific packages for the specific purpose.

He might have also other qubes based on other distributions (e.g. kali,
parrot etc).

> I guess you have a special update cache also, as otherwise you spend
> hours with updating. Can you explain a bit more?

You might find his notes on apt-cacher-ng helpful:
https://github.com/unman/notes/blob/master/apt-cacher-ng

I am sure unman will answer himself, but thought I might already give
you a little preview as far as I can.

Sven Semmler
Feb 1, 2021, 5:53:41 PM
to qubes...@googlegroups.com
On 2/1/21 3:58 PM, Ulrich Windl wrote:
> Couldn't there be conflicts between the updates in the AppVM and the
> template? If not, wouldn't that waste space by keeping some updates
> more than once?
>
> If the AppVM is not a disposable one, the updates are still lost?
> Wouldn't that mean any (e.g.) update for GIMP would be lost as well?

Hi Ulrich,

I think all your questions get answered here:

https://www.qubes-os.org/doc/templates/#inheritance-and-persistence
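As an added illustration (not from the thread or the Qubes project), a small Python model of the AppVM persistence rules the linked page describes: in a non-disposable AppVM only /home, /usr/local and /rw survive a reboot, plus any directories made persistent through bind-dirs, while everything else reverts to the template. It applies that rule to Ulrich's GIMP-in-AppVM case; the file paths and the bind-dirs list are assumed for the example.

```python
from pathlib import PurePosixPath

# Simplified model of Qubes AppVM persistence (assumption: follows the
# "inheritance and persistence" rules in the Qubes template documentation).
# Directories backed by the AppVM's private volume, which survive reboot:
PRIVATE_PERSISTENT = ("/home", "/usr/local", "/rw")


def _under(path: str, base: str) -> bool:
    """True if `path` equals `base` or lies beneath it."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents


def persists(path: str, bind_dirs=(), disposable: bool = False) -> bool:
    """Does a write to `path` survive a reboot of the qube?

    bind_dirs: extra directories made persistent with qubes-bind-dirs
    (the "binds" Sven mentions). In a disposable VM nothing persists:
    the private volume, /home included, is discarded at shutdown.
    """
    if disposable:
        return False
    if any(_under(path, base) for base in PRIVATE_PERSISTENT):
        return True
    return any(_under(path, base) for base in bind_dirs)


def classify(paths, bind_dirs=(), disposable=False):
    """Split written paths into those kept and those reverted to the template."""
    kept = [p for p in paths if persists(p, bind_dirs, disposable)]
    lost = [p for p in paths if p not in kept]
    return kept, lost


# Constructed example: paths an `apt install gimp` inside the AppVM would
# touch (illustrative, not a real package file list).
GIMP_INSTALL_WRITES = [
    "/usr/bin/gimp",
    "/usr/lib/x86_64-linux-gnu/libgimp-2.0.so.0",
    "/var/lib/dpkg/status",
    "/home/user/.config/GIMP",
]

if __name__ == "__main__":
    kept, lost = classify(GIMP_INSTALL_WRITES)
    print("kept after reboot:", kept)      # only the /home entry
    print("reverted to template:", lost)  # binaries, libraries, dpkg database
```

Only the GIMP settings under /home survive, which is why unman says updates applied in the AppVM are lost on reboot. A bind-dir for /var/lib/dpkg would keep the package database but not the binaries in /usr, so software belongs in a cloned template and only user data in the AppVM.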