not sure if should post this to qubes-devel but... has Alpine been considered for a Qubes Template?

[daltong defourne]

Hello!

Basically, I've been reading about Alpine Linux and it seems to me that it might make for a pretty good basis for an AppVM

The good:

Alpine is pretty Xen-friendly 

Alpine comes with Grsec/PaX out-of-the-box

Alpine is extremely compact (<200 MB images)

The bad:

Alpine uses musl libc which is kinda kinky and might (?) cause issues 

(I know of https://www.qubes-os.org/doc/building-non-fedora-template/ but frankly don't have the chops to do make an Alpine-based image myself)

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

There was a discussion about Alpine on qubes-devel last year:

https://groups.google.com/d/topic/qubes-devel/G6fGD2qxcZc/discussion

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXZrB8AAoJENtN07w5UDAw+8QP/RMG5O3Nd1prSctA2Bk2JoRu
waJq93etNV9RZPF7DbZAq4Htmjlh807Eb1R251YGMYq6vzM9DvCODsA+daYQ45ud
XAoLfQLbJ9O+40Jmf0KYeGqtPPR/HgdqR8uu5gzgHkTr9SghqYoEJEdaa09bXjvm
42M7FgjIP/hQnqwxMSeAtCviDudcOBob3wbAfnzH107dJsCvA6GyKp7AAvVUxEEh
xrBcY5ze/+ATAsFQJ7NjhrUE+ZqEWhGAwxi7hvxjo8NHilRUHaab2+194tylzBzM
jIseyxHSLyvaP4Uzim/rrn8iUg3i0z0zn7eIS09y+10CdF88xUoCTieSymPtBuAC
t/uK//qlni3LsLRkhkvIpvxTX0pz7bMpfUHuA7ccQc5ehdFiwL8ZKfMy3xc9tNZm
RvWLf3BtgKqDt1DMIIkxTInlHVwVEdTgdPHScb/IUzkfGx8vu2MP9VqE78TUzVbY
vZiuavBwY0sAEjSUQ8itS0DhUMKZERNlKKaIXQM5k+2Xb17gN2NHDF/Z1pncRE0E
OnbS5ncWOUI/Dd0NMmLthnyUxLgivCNp+LksTM/gkQDiU0vc5e5lqU6J+/3GJ1iQ
7gyyMdAfw1hbxgvCX6DOjDGjzjsDtnVhF9nH7ihWEyXOcStN61C2IlxKBA9jPorm
wE34QhgxsWslnthMwTbk
=V6NN
-----END PGP SIGNATURE-----

[Jane Jok]

I wonder if using something like this https://micahflee.com/2016/01/debian-grsecurity/  to "grsec up" a Debian template VM would be more productive (search turns up a lot of stories about how hard it is to marry a Xen VM to grsec, but they are pretty old. I think nowadays Grsec comes with a special "is kernel going to be a Xen guest" switch that should "theoretically" make it work out of the box.