On Tuesday, 11 October 2016 20:30:54 UTC+11, Robert Mittendorf wrote:
> Software that you don't need is a security risk as it imposes additional 
> attack surface - we all know that.
> Besides exploits those tools might cause additional threat (e.g. RDP-, 
> VNC-, SSH-Clients)
> So you better do not install non-universal software* in a template VM.
> *software that is not needed in every VM which is based on that template
> 
> So where to put non-universal software?
> 
> - user-space: allows malware to persist easily, because of persistent 
> write rights. And does not allow usage of standard repositories
> - other (cloned) TemplateVM: You need to make sure that you keep all 
> templates up-to-date for security reasons, you need much more storage 
> space and cause more ssd aging
> 
> So what about a multi-level template system. That way you can keep at 
> least most software up-to-date with a single update process. This would 
> need a delta-filesystem instead of the current image=directory approach 
> I think. I don't know whether Xen has such capabilities?!
> 
> Robert

Hi Robert,

Do you think you could build a template that would be that which you would 
consider secure?

Personally, I've been asking what packages are REQUIRED for full integration, 
and never gotten an answer that provides the information I request from anyone, 
not even the Qubes devs.

I'm not sure if they don't know, or just think that the information is there 
when it isn't, but if you are able to build a secure template, one that is 
based for Qubes and works properly and fully, then you should do it and give it 
to them to put into the template repo.

I think it would be interesting if you could actually do it, rather than these 
insecure systemd templates.
