On Thu, Mar 16, 2017 at 6:01 AM, evo <[email protected]> wrote:

>
>
> On 15.03.2017 at 23:45, Andrew David Wong wrote:
> > On 2017-03-15 01:14, evo wrote:
> >> On 15.03.2017 at 01:17, Unman wrote:
> >>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote:
> >>>> On 03/14/2017 01:55 PM, evo wrote:
> >>>>> hmm.. this is also a good point, thanks! So if I do not use
> >>>>> openoffice in my bankingVM, there is no practical
> >>>>> vulnerability in it.
> >>>>>
> >>>>
> >>>> Yes and no. Off the top of my head, there are two things to be
> >>>>  concerned about with the (regular, distro) software you
> >>>> install:
> >>>>
> >>>> 1. Does it cause an additional service to start accepting
> >>>> connections?
> >>>>
> >>>> 2. Does it have a MIMEtype or similar mapping, so that clicking
> >>>> on a mislabeled file could cause it to open in an
> >>>> unwanted/risky app. Unfortunately, nautilus doesn't seem to
> >>>> have a setting for always asking before starting an app. But
> >>>> at least it defaults to double-click instead of single-click.
> >>>>
> >>>
> >>> 3. Installing some programs, like libre/openoffice, brings with
> >>> it numerous libraries and attendant programs which may widen the
> >>>  attack surface of your qube considerably.
> >>>
> >
> >> so it's better to have such VMs as banking or email in
> >> standalone-mode.
> >
> > No, that doesn't follow. See my previous message about having multiple
> > TemplateVMs.
> >
> >> The thing is... as I understood, standalone machines (if they are
> >> not HVM) have all software from the template they use. So the only
> >> way is to install a new iso on HVM, isn't it?
> >
> >
> > This doesn't follow either. StandaloneVMs and HVMs are completely
> > independent of one another. It's possible that there is terminological
> > confusion here. Please consult the glossary:
> >
> > https://www.qubes-os.org/doc/glossary/
> >
> >> in that case, I don't really understand the sense of standalone
> >> AppVMs.
> >
> >
> > StandaloneVMs can be useful for many different things, but not every
> > user will have a need for them. For example, if you have a piece of
> > software that installs parts of itself in both the root fs and user dirs
> > (and you don't want to work around this with bind-dirs), and you need
> > the software in only one VM, then a StandaloneVM is probably a perfect
> > solution.
> >
> >
>

Evo, let me oversimplify it

> so is it better to have more template-VMs?
>

yes

> But why not standalone as a copy of the existing template-VM?
>

You do not need standalone VMs. StandaloneVMs are only for special
cases/software, but since you do not mention any special case, forget them
as well as HVMs.


> After that I can delete all software I don't need on it and have a rather
> clean VM with just the software I need.
>

you can do the same with templates

>
> the other thing is, on a standalone VM I can see existing updates just in
> time... A VM that works on a general template doesn't show updates; for this
> case I must start the template VM. So if I do not start the template for a
> long time, I will have insecure AppVMs. Or do I understand something wrong?
>

Evo, just start the templates every time Qubes-manager shows that an update
is available, with the green downward arrow, that is every few days. Then
reboot your computer. By updating only a couple of templates you'll
automatically update and somehow clean all of your VMs, which in my case
are 38. You'll probably have only a few of them, but with time you'll learn
how convenient it is to create template-dependent light VMs for special
purposes. But imagine having a lot of StandaloneVMs, each one needing an
independent update.
Best,
Fran

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
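
Added example, not part of the original thread: one way to check points 1 and 2 of the quoted checklist (new listening services, new MIME handler mappings) is to snapshot a template before and after installing a package and diff the two. It assumes the snapshots are the contents of `/usr/share/applications/mimeinfo.cache` and the output of `ss -tln`; the function names and all sample data, including the port number, are constructed for illustration.

```python
# Added example (not from the thread): diff snapshots taken in a template
# before and after a package install. Assumed inputs: the contents of
# /usr/share/applications/mimeinfo.cache and the output of `ss -tln`.

def parse_mime_cache(text):
    """Map each MIME type to the set of .desktop handlers registered for it."""
    handlers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks and the [MIME Cache] group header
        mime, apps = line.split("=", 1)
        handlers[mime] = {a for a in apps.split(";") if a}
    return handlers

def parse_listeners(ss_output):
    """Return the local address:port of every socket in LISTEN state."""
    return {f[3] for f in (l.split() for l in ss_output.splitlines())
            if len(f) >= 4 and f[0] == "LISTEN"}

def new_handlers(before, after):
    """Point 2: MIME types that gained a handler, and which handler."""
    old, new = parse_mime_cache(before), parse_mime_cache(after)
    gained = {m: apps - old.get(m, set()) for m, apps in new.items()}
    return {m: apps for m, apps in gained.items() if apps}

def new_listeners(before, after):
    """Point 1: sockets that are listening now but were not before."""
    return parse_listeners(after) - parse_listeners(before)

# Constructed sample snapshots, for illustration only.
MIME_BEFORE = """[MIME Cache]
text/plain=gedit.desktop;
application/pdf=evince.desktop;
"""
MIME_AFTER = """[MIME Cache]
text/plain=gedit.desktop;libreoffice-writer.desktop;
application/pdf=evince.desktop;
application/msword=libreoffice-writer.desktop;
"""
SS_BEFORE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
"""
SS_AFTER = SS_BEFORE + "LISTEN 0      50     0.0.0.0:2002       0.0.0.0:*\n"

if __name__ == "__main__":
    for mime, apps in sorted(new_handlers(MIME_BEFORE, MIME_AFTER).items()):
        print("new handler:", mime, "->", ", ".join(sorted(apps)))
    for addr in sorted(new_listeners(SS_BEFORE, SS_AFTER)):
        print("new listener:", addr)
```

A new handler on a common type such as `text/plain` is the case point 2 describes: a mislabeled file can now open in the newly installed application.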