https://www.qubes-os.org/doc/security-critical-code/
"There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somehow trusted, while all others could be not.
The above means that we must trust at least some of the vendors (not all, of course, but at least those few that provide the apps that we use in the most critical domains). In practice in Qubes OS we trust the software provided by Fedora project. This software is signed by Fedora distribution keys and so it is also critical that the tools used in domains for software updates (yum and rpm) be trusted."
--------------------------------------------------------
I am very confused by this part on the page.
It seems to imply that QUBES depends on being able to trust the security of word processors etc.
I thought the whole point of QUBES was that nothing is ever up-to-date and secure, and thus, you put everything in a sandbox and isolate it all... and therefore, it doesn't matter about things like security problems with a word processor.
But this page seems to imply something different.
Can someone explain this to me?