On Sat, Dec 24, 2016 at 12:52 AM, Andrew David Wong <a...@qubes-os.org> wrote: > On 2016-12-23 16:20, Jean-Philippe Ouellet wrote: >> On Thu, Dec 22, 2016 at 1:17 AM, Andrew David Wong >> <a...@qubes-os.org> wrote: >>> You'll want to install Dropbox in your TemplateVM so that you can >>> use it in AppVMs based on that TemplateVM. You can follow the >>> instructions on Dropbox's website for adding their repo in your >>> Fedora TemplateVM, then: >>> >>> $ sudo dnf install nautilus-dropbox >> >> However, be careful with which template you install it in! > > This is *always* true for *anything* you install in *any* template.
We agree. However, I wanted to point out that it is particularly relevant for services which establish some outgoing network connection automatically, as this necessarily increases the attack surface compared to a piece of software which does not. For example, compare it to installing rsync. Assuming neither the dropbox or rsync packages are malicious and actively target Qubes, Dropbox still incurs more risk in derived AppVMs than would rsync due to the fact that rsync does not *automatically* communicate with external untrusted machines which may attempt to attack you, whereas Dropbox does. In a template with derived AppVMs in which you only e.g. browse the web and never manually invoke rsync or make intentional use of Dropbox, this may matter. What I mean to say in practice for the OP is "if you currently have only a single template (as does a default install) maybe installing dropbox there isn't a good idea." -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_Dv5XSa%3DDX45JpKtqsTHTfn-Nw-fDsXrkOHLjJD-s43MQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.