On 2017-03-15 01:14, evo wrote:
> On 15.03.2017 at 01:17, Unman wrote:
>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote:
>>> On 03/14/2017 01:55 PM, evo wrote:
>>>> Hmm... this is also a good point, thanks! So if I do not use
>>>> openoffice in my bankingVM, there is no practical
>>>> vulnerability in it.
>>>>
>>>
>>> Yes and no. Off the top of my head, there are two things to be
>>> concerned about with the (regular, distro) software you
>>> install:
>>>
>>> 1. Does it cause an additional service to start accepting
>>> connections?
>>>
>>> 2. Does it have a MIME type or similar mapping, so that clicking
>>> on a mislabeled file could cause it to open in an
>>> unwanted/risky app? Unfortunately, nautilus doesn't seem to
>>> have a setting for always asking before starting an app. But
>>> at least it defaults to double-click instead of single-click.
>>>
>>
>> 3. Installing some programs, like libre/openoffice, brings with
>> it numerous libraries and attendant programs which may widen the
>> attack surface of your qube considerably.
>>
>
> So it's better to have such VMs as banking or email in
> standalone-mode.
No, that doesn't follow. See my previous message about having multiple
TemplateVMs.
> The thing is... as I understood, standalone machines (if they are
> not HVM) have all software from the template they use. So the only
> way is to install a new ISO on an HVM, isn't it?
>
This doesn't follow either. StandaloneVMs and HVMs are completely
independent of one another. It's possible that there is terminological
confusion here. Please consult the glossary:
https://www.qubes-os.org/doc/glossary/
> In that case, I don't really understand the sense of standalone
> AppVMs.
>
StandaloneVMs can be useful for many different things, but not every
user will have a need for them. For example, if you have a piece of
software that installs parts of itself in both the root fs and user dirs
(and you don't want to work around this with bind-dirs), and you need
the software in only one VM, then a StandaloneVM is probably a perfect
solution.
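Added example, not part of the original thread: a small audit for the first two concerns quoted above (new listening services, new MIME type mappings), written so its output can be captured in a template before and after installing a package and then compared. The function names and the sample data are constructed for illustration; on a real system the inputs would be the contents of /proc/net/tcp and the files under /usr/share/applications/.

```python
import configparser
import socket
import struct

def listening_sockets(proc_net_tcp):
    """Return (ip, port) for each IPv4 socket in LISTEN state (st == 0A)."""
    found = []
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        local, state = fields[1], fields[3]
        if state != "0A":
            continue
        ip_hex, port_hex = local.split(":")
        # Assumes a little-endian host (x86), where the address is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.append((ip, int(port_hex, 16)))
    return found

def mime_handlers(desktop_files):
    """Map each MIME type to the .desktop entries that claim to open it."""
    handlers = {}
    for name, text in desktop_files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # .desktop keys are case-sensitive
        cp.read_string(text)
        mimes = cp.get("Desktop Entry", "MimeType", fallback="")
        for mime in filter(None, mimes.split(";")):
            handlers.setdefault(mime, []).append(name)
    return handlers

# Constructed sample in /proc/net/tcp layout: two listeners, one established.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0A89000F:C350 0A890001:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

# Constructed .desktop entries (hypothetical file names and applications).
SAMPLE_DESKTOP = {
    "writer.desktop": "[Desktop Entry]\nName=Writer\nExec=soffice --writer %U\n"
                      "MimeType=application/msword;application/rtf;\n",
    "viewer.desktop": "[Desktop Entry]\nName=Viewer\nExec=viewer %f\n"
                      "MimeType=application/pdf;application/rtf;\n",
}

if __name__ == "__main__":
    print(listening_sockets(SAMPLE_TCP))
    for mime, apps in sorted(mime_handlers(SAMPLE_DESKTOP).items()):
        print(mime, "->", ", ".join(apps))
```

A listener bound to 0.0.0.0 rather than 127.0.0.1, or a MIME type that gains a second handler after an install, are the entries worth reviewing.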