> If I were looking to maximize security, which would you say is
> better--Debian, Fedora, or some other distro, like Gentoo or Arch? If
> you've changed your sys-net, sys-usb, or other templates to something
> other than Fedora, why? And to what?
> IMO, Debian is the best choice for secure templates. Its security focus
> is at least "normal" while Fedora's philosophy is haphazard "test the
> new stuff quick". Essentially all the worst systemd bugs will show up in
> a current Fedora release, for example. OTOH, my experience with systemd
> in Debian has been much smoother.
I think a good choice here is the distro you are most familiar with, as
you change given defaults to a more secure setting - and you have to
know about those settings in the first place. For debian I know all the
bells and whistles to switch but not I don't have much idea about fedora.
Imho the best choice here would be:
OpenBSD: Paranoid by design - sadly no working template (or is there by
now?!? :) )
Gentoo: Reduce attack surface by only installing (compiling) what you
actually need, plus compiling into the programs only what you actually
need. Downside: Time consuming to maintain.
Personally I'd love to see https://github.com/CLIPOS
in a qube :) But
I'm not sure how much work that is... When ClipOS was released to the
public I've been playing around with it and didn't get it running, but
maybe that changed. From what I understand it can be "installed" on top
Personally I use the debian-10-minimal template in Qubes and install
only what I need exactly for each Qube. Then on top of that, I apply
regular hardening... But I'm sure that something like OpenBSD or ClipOS
would be a better approach as they are build for the paranoid. I think
ClipOS would be "a" really good solution to run in a qube.
I think this is a good point in time to emphasize that we (the Qubes
community) should put some effort into actually creating a hardened OS
template for the qubes VMs (Please OpenBSD or ClipOS) :) as that is kind
of missing from the project. Something with preferably a host and
network IDS :P But I realize that this is lots of work too ofc..
We could make that better by providing a template for example hardened
with "thunderbird" pre-installed.
> Fedora is also the only major distro that doesn't cryptographically sign
> its top-level repo metadata, allowing a MITM attacker to selectively
> prevent individual packages from updating. I interpret this as a
> decision forced on Fedora project from Redhat's marketing dept. so they
> can easily scare mission-critical Fedora users into purchasing RHEL
> licenses. There is no other possible explanation, IMO, as even CentOS
> fully signs their repos.
> Debian is also more flexible: There are many more packages, and for the
> very latest stuff Debian lets you grab from the testing, unstable and
> experimental repos.
I'd like to add that for this you can also use qubes-builder to build a
> And you get to choose whether you want shorter or
> longer upgrade cycles; with Fedora its always short which is a cause of
> Finally, Debian templates are produced via Qubes official channels. That
> means something at least in terms of the level of oversight for
> building, distributing and updating the templates. OTOH, if this isn't
> so important to you, then Ubuntu and CentOS templates are alternatives
> to consider.
> I've read that Debian is generally considered more secure than Fedora
> because of, among other things, AppArmor and tighter oversight of
> packages. This makes me wonder why it is that Fedora is the default
> template for basically everything while Debian has its default AppArmor
> disabled. Are there any downsides to basically removing Fedora from my
I have done this - replaced everything including sys-net and stuff for
templates based on debian-10-minimal. Works lovely.
Now I only have fedora in dom0 ofc... I think there was some guy who was
trying to get this running with debian but not sure.. I don't do $things
in dom0 so I'm not sure how much it matters. If this would be debian, it
would be very cool though.
> IIRC, the choice of Fedora was sort of an accident; it was what the
> Qubes core developer was most familiar with at the time.
> There is an open issue about moving away from Fedora to another distro
> like Debian.
> Note: Debian does come with the Qubes install media (and Whonix
> templates are based on Debian as well) so at least its easy to choose.
Sidenode: whonix has its own very interesting hardening guide on the
> I've also considered that the nature of Qubes makes this discussion seem
> moot to some, but my stance is that I should increase security where
I think its not the best idea to say "we have Xen so we can do whatever
we want in the VM - lets get rid of passwords for sudo". Something I
never liked about qubes.. I realize that by doing this, Qubes is easy to
use for most people, but I think templates should be created by the
community which serve the more paranoid power-users.
> There is one thing I don't use Debian for: The Update VM (which may be
> sys-net or sys-firewall, but you can assign it to a separate VM). The
> reason is that dom0 uses rpm/dnf and Fedora template is needed to handle
> it properly.
Yeah... I've had my fair share of trouble with that update thingy ;)
So as I only use debian here is what I found:
This fancy tool allows you to install / update apt packages on airgaps -
which are, in a way, kinda like qubes VMs themselves.
I've written some bash / qvm-run magic to:
- Download packages in "sys-apt"
- Package them into an archive using apt-offline
- Copying and installing this archive on the target template VM
- you only download things once, not 20 times if you have multiple VMs
where all VMs need "cmatrix" installed
- for me it fixed me somehow breaking the updateVM all the time for
$reasons (the updateVM is then only required for dom0)
- you can create new qubes with packages you have downloaded already
At the moment my bash script around all that for qubes is a bit hacky
but I'll see to finishing it and putting it on github.
> Also, Fedora template is currently required for building Qubes itself
> and Qubes templates.
> Chris Laprise, tas...@posteo.net
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> I have considered changing from fedora templates to debian templates, but this
> is what holds me back:
> I'm not a linux expert, so I don't know what/if services are starting, and if
> after an update new services are introduced or begin starting. It just seems
> like it would be an ongoing concern that doesn't exist on fedora. Is it easily
> I'm a basic user, I'm not running any servers. However, I certainly would like
> to have templates that are more secure by default. I would use the debian
> minimal template for all sys and vpn VMs. I would clone it and expand it to
> include libreoffice, rhythmbox and all the other things for a more full-featured
> template, that is still smaller than the default template. Any insight/feedback
> would be appreciated.
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email
> to qubes-users...@googlegroups.com