On 17.03.2017 at 21:55, Franz wrote:
> On Fri, Mar 17, 2017 at 4:46 PM, evo <evolut...@aliaks.de> wrote:
>
>> On 17.03.2017 at 20:12, Franz wrote:
>>
>>> On Fri, Mar 17, 2017 at 5:07 AM, evo <evolut...@aliaks.de> wrote:
>>>
>>>> On 17.03.2017 at 01:19, Franz wrote:
>>>>
>>>>> On Thu, Mar 16, 2017 at 6:01 AM, evo <evolut...@aliaks.de> wrote:
>>>>>
>>>>>> On 15.03.2017 at 23:45, Andrew David Wong wrote:
>>>>>>> On 2017-03-15 01:14, evo wrote:
>>>>>>>> On 15.03.2017 at 01:17, Unman wrote:
>>>>>>>>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote:
>>>>>>>>>> On 03/14/2017 01:55 PM, evo wrote:
>>>>>>>>>>> hmm.. this is also a good point, thanks! so if i do not use openoffice in my bankingVM, there is no practical vulnerability in it.
>>>>>>>>>>
>>>>>>>>>> Yes and no. Off the top of my head, there are two things to be concerned about with the (regular, distro) software you install:
>>>>>>>>>>
>>>>>>>>>> 1. Does it cause an additional service to start accepting connections?
>>>>>>>>>>
>>>>>>>>>> 2. Does it have a MIMEtype or similar mapping, so that clicking on a mislabeled file could cause it to open in an unwanted/risky app. Unfortunately, nautilus doesn't seem to have a setting for always asking before starting an app. But at least it defaults to double-click instead of single-click.
>>>>>>>>>
>>>>>>>>> 3. Installing some programs, like libre/openoffice, brings with it numerous libraries and attendant programs which may widen the attack surface of your qube considerably.
>>>>>>>>
>>>>>>>> so it's better to have such VMs as banking or email in standalone-mode.
>>>>>>>
>>>>>>> No, that doesn't follow. See my previous message about having multiple TemplateVMs.
>>>>>>>
>>>>>>>> The thing is... as i understood, standalone-machines (if they are not HVM) have all software from the template they use. So the only way is, to install new iso on HVM, isn't it?
>>>>>>>
>>>>>>> This doesn't follow either. StandaloneVMs and HVMs are completely independent of one another. It's possible that there is terminological confusion here. Please consult the glossary:
>>>>>>>
>>>>>>> https://www.qubes-os.org/doc/glossary/
>>>>>>>
>>>>>>>> in that case, i don't really understand the sense of standalone AppVMs.
>>>>>>>
>>>>>>> StandaloneVMs can be useful for many different things, but not every user will have a need for them. For example, if you have a piece of software that installs parts of itself in both the root fs and user dirs (and you don't want to work around this with bind-dirs), and you need the software in only one VM, then a StandaloneVM is probably a perfect solution.
>>>>>
>>>>> Evo, let me oversimplify it
>>>>>
>>>>>> so is it better to have more template-VMs?
>>>>>
>>>>> yes
>>>>>
>>>>>> But why not standalone as a copy of the existing template-VM?
>>>>>
>>>>> you do not need standalone VMs. StandaloneVMs are only for special cases/software, but since you do not mention any special case forget them as well as HVMs.
>>>>>
>>>>>> After that i can delete all software i don't need on it and have rather clean VM with just the software i need.
>>>>>
>>>>> you can do the same with templates
>>>>>
>>>>>> the other thing is, on standalone-vm i can see existing updates just in time... VM that works on general template don't show updates, for this case i must start the template vm. So if i do not start template for a long time, i will have insecure appvms. Or do i understand something wrong?
>>>>>
>>>>> Evo, just start the templates every time Qubes-manager shows that an update is available, with the green downward arrow, that is every few days. Then reboot your computer. Updating only a couple of templates you'll automatically update and somehow clean all of your VMs, that in my case are 38. You'll probably have only a few of them, but with time you'll learn how convenient it is to create template depending light VMs for special purposes. But imagine having a lot of standaloneVMs each one needing an independent update.
>>>>> best
>>>>> Fran
>>>>
>>>> hmmm, ok
>>>> you won :)
>>>>
>>>> i just thought, it's crude to create 3 different template-VMs for vault, e-mail and banking.
>>>>
>>>> after using Qubes for some time, i understand the possibility to have 38 VMs
>>>>
>>>> so the appVM (based on template) will show me also the green arrow of update?
>>>
>>> No, because the appVM does not need an update. Only the template does need it.
>>>
>>>> i thought, it is just visible, if you start the template-VM.
>>>
>>> No, the green arrow is visible on the side of the template even if the template is kept always closed
>>
>> ok... so if it's closed, i see the green arrow then in menu, or where?
>
> in Qubes manager under column "state"
>
> Do not reply only to me, reply to everybody

i know that, but i can see something in "state" just if the VM is running. I will see nothing, if the VM is not running. So i must run template-VM every time on startup, isn't it?