On 15.03.2017 at 23:45, Andrew David Wong wrote:
> On 2017-03-15 01:14, evo wrote:
>> On 15.03.2017 at 01:17, Unman wrote:
>>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote:
>>>> On 03/14/2017 01:55 PM, evo wrote:
>>>>> hmm.. this is also a good point, thanks! so if i do not use
>>>>> openoffice in my bankingVM, there is no practical
>>>>> vulnerability in it.
>>>>>
>>>>
>>>> Yes and no. Off the top of my head, there are two things to be
>>>> concerned about with the (regular, distro) software you
>>>> install:
>>>>
>>>> 1. Does it cause an additional service to start accepting
>>>> connections?
>>>>
>>>> 2. Does it have a MIMEtype or similar mapping, so that clicking
>>>> on a mislabeled file could cause it to open in an
>>>> unwanted/risky app. Unfortunately, nautilus doesn't seem to
>>>> have a setting for always asking before starting an app. But
>>>> at least it defaults to double-click instead of single-click.
>>>>
>>>
>>> 3. Installing some programs, like libre/openoffice, brings with
>>> it numerous libraries and attendant programs which may widen the
>>> attack surface of your qube considerably.
>>>
>
>> so it's better to have such VMs as banking or email in
>> standalone-mode.
>
> No, that doesn't follow. See my previous message about having multiple
> TemplateVMs.
>
>> The thing is... as i understood, standalone-machines (if they are
>> not HVM) have all software from the template they use. So the only
>> way is, to install new iso on HVM, isn't it?
>
>
> This doesn't follow either. StandaloneVMs and HVMs are completely
> independent of one another. It's possible that there is terminological
> confusion here. Please consult the glossary:
>
> https://www.qubes-os.org/doc/glossary/
>
>> in that case, i don't really understand the sense of standalone
>> AppVMs.
>
>
> StandaloneVMs can be useful for many different things, but not every
> user will have a need for them. For example, if you have a piece of
> software that installs parts of itself in both the root fs and user dirs
> (and you don't want to work around this with bind-dirs), and you need
> the software in only one VM, then a StandaloneVM is probably a perfect
> solution.
>
>

so is it better to have more template-VMs?
But why not standalone as a copy of the existing template-VM? After that
i can delete all software i don't need on it and have a rather clean VM
with just the software i need.

the other thing is, on standalone-vm i can see existing updates just in
time... A VM that works on a general template doesn't show updates, for
this case i must start the template vm. So if i do not start the template
for a long time, i will have insecure appvms. Or do i understand
something wrong?
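
Added example, not part of the thread: one way to check point 2 from Chris Laprise's quoted list (new MIME type mappings) is to compare the `MimeType=` entries of a template's `.desktop` files before and after installing a package. The file names and contents below are constructed sample data, and the function names are hypothetical.

```python
# Added example: report MIME types that gain a new handler after an install.
# BEFORE/AFTER are constructed samples, not real package files.

def mime_types(desktop_text):
    """Return MIME types declared in the [Desktop Entry] group only."""
    found, in_entry = set(), False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Other groups (e.g. [Desktop Action ...]) do not register handlers.
            in_entry = (line == "[Desktop Entry]")
            continue
        if in_entry and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "MimeType":
                found |= {m.strip() for m in value.split(";") if m.strip()}
    return found

def handlers(desktop_files):
    """Map each MIME type to the set of .desktop files that claim it."""
    table = {}
    for name, text in desktop_files.items():
        for mime in mime_types(text):
            table.setdefault(mime, set()).add(name)
    return table

def new_associations(before, after):
    """Return {mime: [newly added handlers]} for the 'after' snapshot."""
    old, new = handlers(before), handlers(after)
    diff = {}
    for mime, apps in new.items():
        added = apps - old.get(mime, set())
        if added:
            diff[mime] = sorted(added)
    return diff

BEFORE = {"firefox.desktop":
          "[Desktop Entry]\nName=Firefox\nExec=firefox %u\n"
          "MimeType=text/html;application/xhtml+xml;\n"}
AFTER = dict(BEFORE)
AFTER["office-writer.desktop"] = (
    "[Desktop Entry]\nName=Writer\nExec=office --writer %U\n"
    "MimeType=application/msword;text/rtf;text/html;\n\n"
    "[Desktop Action New]\nMimeType=ignored/type;\n")

if __name__ == "__main__":
    for mime, apps in sorted(new_associations(BEFORE, AFTER).items()):
        print(mime, "->", ", ".join(apps))
```

On a real template the two snapshots would be read from the `.desktop` files under `/usr/share/applications` before and after the install.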
