On Wed, Mar 06, 2024 at 11:59:41AM +0000, 'unman' via qubes-devel wrote:
> There's a recent issue on GitHub (#8980) about removing "non-essential"
> packages from the Debian minimal template.
>
> The argument is that minimal templates should contain only "vital packages".
> OP argues that a minimal system is one from which nothing can be removed
> without breaking anything else, and therefore the minimal templates
> should be trimmed accordingly.
>
> Debian has the concepts of minbase and base systems.
> Minbase is a variant in debootstrap - it installs only essential
> packages and apt.
> The base system, or core installation, consists of essential packages,
> and those tagged as required or important.
>
> The Debian minimal template is a core system, with some Qubes packages
> installed.
> In my view the minimal template contains a base system - it contains
> packages that any user of Debian would expect to find installed.
>
> The docs say that "The minimal templates are lightweight versions of
> their standard template counterparts. They have only the most vital
> packages installed, including a minimal X and xterm installation."
>
> It may be that Qubes wants to ship a micro template, with only selected
> packages installed, as well as the existing minimal templates. Or trim
> down minimal templates to minbase, or smaller.
> In either case, we would need to decide what packages should be included.
> Any decision should be applied for all official templates.
>
> (I should say that building with minbase in debootstrap makes very
> little difference once Qubes packages are installed, and that not all
> packages correctly set out dependencies on packages that are assumed to
> be present.)
>
> Thoughts would be appreciated.

Generally, I think the minimal template should be as minimal as possible,
while still allowing reasonably easy customization. The latter especially
means:
- working package manager (thanks to the updates proxy, it doesn't require
  all kinds of networking packages)
- some terminal emulator
- being able to target with salt (or ansible in the future)

The last two are debatable. A terminal emulator may not be strictly
required since there is qvm-console-dispvm. And also salt is a rather
arbitrary choice here, but IMO since minimal templates in practice must be
customized to be useful, being friendly to automating this customization
makes sense (BTW, this is currently broken in Fedora minimal templates).

If there is some smaller base Debian variant to start from, IMHO it's
worth a try.

Currently the main difference is that the minimal template skips
installing the "standard" task:
https://github.com/QubesOS/qubes-builder-debian/blob/main/template_debian/02_install_groups.sh#L45-L54
and also there is a smaller list of packages to be installed:
https://github.com/QubesOS/qubes-builder-debian/blob/main/template_debian/packages_minimal.list
Many of the latter list probably can be removed. If some of those are
actually required by other packages, it should be set in package
dependencies. And if that isn't the case, it's a bug to be fixed.

Whether to actively remove packages that were installed automatically but
aren't "vital" is another question. I suspect it might be quite fragile
(something that wasn't essential before may become essential at some
point, and thus removing will break stuff). I'd prefer the approach that
prevents installing non-essential packages in the first place, so
dependencies still can do their job.

Minimal templates are built with the "no-recommends" option[2] already.
But maybe there is some place that doesn't use that properly and some
"recommends" (not "depends") packages are installed anyway?

[2] https://github.com/QubesOS/qubes-release-configs/blob/main/R4.2/qubes-os-r4.2-templates-itl.yml#L131

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
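
An added example (not part of the original message and not Qubes project code): one way to check the closing question, whether a built template contains packages that were pulled in only by "Recommends", by walking Pre-Depends/Depends from the essential packages plus the explicitly requested list. The stanzas, the demo-* package names and the helper functions are constructed for illustration; virtual packages (Provides) are not resolved.

```python
import re
# Constructed sample in dpkg status format; names and relationships are made up.
SAMPLE_STATUS = """\
Package: demo-base
Essential: yes

Package: demo-agent
Depends: demo-lib (>= 1.2), demo-term | demo-console
Recommends: demo-docs, demo-gui

Package: demo-lib
Pre-Depends: demo-base

Package: demo-term

Package: demo-docs

Package: demo-leftover
"""

def parse_status(text):
    """Return {package: {field: value}} for each stanza."""
    stanzas = (dict(l.split(": ", 1) for l in s.splitlines() if ": " in l)
               for s in text.strip().split("\n\n"))
    return {f["Package"]: f for f in stanzas if "Package" in f}

def rel_names(field):
    """Split 'a (>= 1), b | c' into [['a'], ['b', 'c']], dropping versions and arch."""
    return [[re.sub(r"[\s(:].*", "", alt.strip()) for alt in group.split("|")]
            for group in field.split(",") if group.strip()]

def depends_closure(pkgs, roots):
    """Installed packages reachable from roots via Pre-Depends/Depends only."""
    seen, todo = set(), {r for r in roots if r in pkgs}
    while todo:
        name = todo.pop()
        seen.add(name)
        deps = pkgs[name].get("Pre-Depends", "") + "," + pkgs[name].get("Depends", "")
        todo |= {a for alts in rel_names(deps) for a in alts if a in pkgs} - seen
    return seen

def audit(pkgs, requested):
    """Map each package outside the closure to the installed packages recommending it."""
    roots = set(requested) | {n for n, f in pkgs.items() if f.get("Essential") == "yes"}
    return {name: sorted(p for p, f in pkgs.items()
                         if any(name in alts for alts in rel_names(f.get("Recommends", ""))))
            for name in sorted(set(pkgs) - depends_closure(pkgs, roots))}

if __name__ == "__main__":
    print(audit(parse_status(SAMPLE_STATUS), {"demo-agent"}))
```

An entry with a non-empty list is installed only because something recommends it; an empty list means nothing installed depends on or recommends it.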