change the default templates which are pre-installed with qubes


tnt_b...@keemail.me

Mar 19, 2017, 5:43:03 AM
to Qubes Devel
hi there,

I was wondering why fedora-minimal is not the default template for Qubes instead of Fedora with all apps installed (full version)?

Using minimal over full has advantages:-

- decreasing the attack surface/security flaws by reducing the unnecessary installed tools/apps

- lightweight in speed and size/space

- lower resources to make it work properly (I know Qubes by default needs a lot of resources, but I mean in comparison to minimal it should be lower)

- decrease/avoid package clashes (happened many times when someone wants to make an upgrade and he cannot because of this issue)

- when removing/erasing an unnecessary tool inside the full version it might affect a necessary tool due to the shared dependencies (inside the minimal version, everything inside it is considered necessary)

So using fedora-minimal and installing inside it the essential tools in order to run:-

Dom0, sys-net (NetVM), sys-firewall (FirewallVM)

is much better/more secure than the current state.

Thanks.

Jean-Philippe Ouellet

Mar 19, 2017, 7:25:15 AM
to tnt_b...@keemail.me, Qubes Devel
On Sun, Mar 19, 2017 at 5:43 AM, <tnt_b...@keemail.me> wrote:
> hi there,
>
> I was wondering why fedora-minimal is not the default template for Qubes
> instead of Fedora with all apps installed (full version)?
>
> Using minimal over full has advantages:-
>
> ...

An operating system should be useful by default. We are not arch or
slackware or gentoo, our users expect to be able to get work done
without first opening a terminal and typing:
sudo dnf install ${basic stuff that everybody will always install anyway}.

... and then wondering why they need to do it each time they reboot,
because they don't yet understand how templates work.

So, since there is a compelling reason to have the full fedora-xx
template installed by default, the overall install is actually smaller
if we simply point all VMs at the fedora template, rather than having
an additional one installed. Extra disk space would be used by
additionally installing fedora-xx-minimal, and the runtime resource
constraints are not that different.

Empirically I observe that sys-{firewall,net,usb} sit at ~300 MB RAM
(the initial default) regardless of template.

That said, I sympathize with the argument that inexperienced users are
likely to eventually install arbitrary crap of dubious origin in their
one-and-only template (full fedora-xx), and it is desirable to avoid
that also compromising sys-*, so perhaps making it an *additional*
template (but not the default template as you suggest) has merit. The
question then is whether or not the benefits justify growing the
installer by another GB.

tnt_b...@keemail.me

Mar 19, 2017, 10:23:32 AM
to Jean-Philippe Ouellet, Qubes Devel
It will be the same as your suggestion to the user to install Debian and Whonix; the Fedora full version should be suggested to him as well.

So by that the default situation is:-

- Dom0
- fedora-minimal with only essential things installed to run Qubes OS
- sys-net
- sys-firewall

additional installation OS:-

- fedora
- debian
- whonix

Andrew David Wong

Mar 19, 2017, 5:58:44 PM
to tnt_b...@keemail.me, Jean-Philippe Ouellet, Qubes Devel

[Please don't top-post.]

On 2017-03-19 07:23, tnt_b...@keemail.me wrote:
> It will be the same as your suggestion to the user to install Debian and Whonix; the Fedora full version should be suggested to him as well.
>
> So by that the default situation is:-
>
> - Dom0
> - fedora-minimal with only essential things installed to run Qubes OS
> - sys-net
> - sys-firewall
>
> additional installation OS:-
>
> - fedora
> - debian
> - whonix
>

The main reason we don't include all the TemplateVMs in the installer is
because then the installer would be too big to fit on a single-layer DVD:

https://github.com/QubesOS/qubes-issues/issues/1568

>
>> On Sun, Mar 19, 2017 at 5:43 AM, <tnt_b...@keemail.me> wrote:
>>> hi there,
>>>
>>> i was wondering why fedora-minimal is not the default template for Qubes
>>> instead of fedora all apps installed (full version) ???
>>>
>>> using minimal over full has advantages:-
>>>
>>> ...
>>
>> An operating system should be useful by default. We are not arch or
>> slackware or gentoo, our users expect to be able to get work done
>> without first opening a terminal and typing:
>> sudo dnf install ${basic stuff that everybody will always install anyway}.
>>
>> ... and then wondering why they need to do it each time they reboot,
>> because they don't yet understand how templates work.
>>

I agree.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Vít Šesták

Mar 19, 2017, 6:02:49 PM
to qubes-devel
AFAIR, the Fedora minimal template is not even able to connect to my Wi-Fi, because it lacks firmware. So, it is not suitable, unless it becomes something “slightly more than minimal”.

I don't see much benefit in this:

* Attack surface – if I had, say, Firefox installed in my sys-net, would it change the attack surface? Well, unless I click some link in the NetworkManager About dialog or something similar, I don't run it. So, while there is a small security benefit, I believe it is pretty minimal.
* Resources and performance – mostly the same as previous one. If I start the same applications, it does not seem to matter if I am using a 1GiB template or, say, 100GiB template. The extra apps are unused, so I don't care about them.
* Package clash – I don't share this experience.
* Uninstalling – well, if you read the questions, you can get it.

Regards,
Vít Šesták 'v6ak'

Andrew David Wong

Mar 19, 2017, 6:10:25 PM
to Vít Šesták, qubes-devel

On 2017-03-19 15:02, Vít Šesták wrote:
> AFAIR, the Fedora minimal template is not even able to connect
> to my Wi-Fi, because it lacks firmware. So, it is not suitable,
> unless it becomes something “slightly more than minimal”.
>

You should install the firmware specific to your Wi-Fi device. It
wouldn't make sense to pre-include firmware for all common Wi-Fi
devices in the minimal template.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

tnt_b...@keemail.me

Mar 19, 2017, 7:11:08 PM
to Andrew David Wong, Jean-Philippe Ouellet, Qubes Devel
>  [Please don't top-post.]

I dunno if this comment is to me, but at any rate I dunno how to not top-post; this is how my email's reply-to-all works.

Well, regarding this issue:-

https://github.com/QubesOS/qubes-issues/issues/1568

Why don't we install the additional templates from the internet after the installation of Qubes OS?

e.g:-

"The Qubes OS ISO has only the essential things to install Qubes. Now when the installation finishes/completes we show a screen asking the user whether he would like to install:-

- fedora (which is going to be the full version)
- debian
- whonix
- xxx

If so, please connect your device to the internet if it's not already connected."

And by this we don't need to put the distros inside the ISO image; instead they will be downloaded over the internet after the installation of Qubes finishes.

And this method has advantages:-

- the ISO DVD is going to fit Qubes OS no matter how many distros it supports

- from a security point of view we're going to let Qubes be installed first even without the need for an internet connection (which is safer), then after everything is finished we show the last page asking to install the flavored OS

- any security bug affecting any additional distro will not be a problem because he will install the latest updated distro through the internet, whereas this is problematic with the ISO image, and I think everyone knows this critical security bug:-

* https://www.qubes-os.org/news/2016/12/19/qsb-28
* https://github.com/QubesOS/qubes-issues/issues/2520

- the size of Qubes OS is much lighter to download

What do you think?

Andrew David Wong

Mar 19, 2017, 10:10:38 PM
to tnt_b...@keemail.me, Jean-Philippe Ouellet, Qubes Devel, Marek Marczykowski-Górecki

On 2017-03-19 16:11, tnt_b...@keemail.me wrote:
>> [Please don't top-post.]
>
> I dunno if this comment is to me, but at any rate I dunno how to not top-post; this is how my email's reply-to-all works.
>

Yes, this was directed to you. Please read our discussion list guidelines:

https://www.qubes-os.org/mailing-lists/#discussion-list-guidelines

Information about posting styles:

https://en.wikipedia.org/wiki/Posting_style

You can either configure your MUA appropriately or simply type your reply at the bottom or interleaved. Either way, please do not post your replies at the top.

> Well, regarding this issue:-
>
> https://github.com/QubesOS/qubes-issues/issues/1568
>
> Why don't we install the additional templates from the internet after the installation of Qubes OS?
>
> e.g:-
>
> "The Qubes OS ISO has only the essential things to install Qubes. Now when the installation finishes/completes we show a screen asking the user whether he would like to install:-
>
> - fedora (which is going to be the full version)
> - debian
> - whonix
> - xxx
>
> If so, please connect your device to the internet if it's not already connected."
>
> And by this we don't need to put the distros inside the ISO image; instead they will be downloaded over the internet after the installation of Qubes finishes.
>
> And this method has advantages:-
>
> - the ISO DVD is going to fit Qubes OS no matter how many distros it supports
>
> - from a security point of view we're going to let Qubes be installed first even without the need for an internet connection (which is safer), then after everything is finished we show the last page asking to install the flavored OS
>
> - any security bug affecting any additional distro will not be a problem because he will install the latest updated distro through the internet, whereas this is problematic with the ISO image, and I think everyone knows this critical security bug:-
>
> * https://www.qubes-os.org/news/2016/12/19/qsb-28
> * https://github.com/QubesOS/qubes-issues/issues/2520
>
> - the size of Qubes OS is much lighter to download
>
> What do you think?
>

Previously suggested:

https://github.com/QubesOS/qubes-issues/issues/1568#issuecomment-209165577

Previously discussed:

https://groups.google.com/d/topic/qubes-users/0FMM97IEaps/discussion

IIRC, Marek said somewhere (can't find it) that he didn't want to do a net-based install.

Vít Šesták

Mar 20, 2017, 1:59:23 AM
to qubes-devel
I know I have to install it and it is what I have done. The point is it is unsuitable as a default option for sys-net, as you would easily get a chicken-and-egg problem: you need an Internet connection in order to install drivers for your Internet connection. I agree they should not be included by default.

Regards,
Vít Šesták