> Given that more installed applications generally create a larger attack 
> surface, why aren't the minimal templates set as the default templates for 
> sensitive VMs such as the SysVMs?

* Having an extra app installed might add some attack surface, but not always. 
Having an app like Firefox in sys-firewall adds zero attack surface until you 
(either accidentally or on purpose) run it.
* With a minimal Template, without installing anything else, you might be unable 
to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
sys-net. (Not sure about sys-usb.)

> Are there any significant protections afforded by the full-featured VM images 
> that are absent in the appropriately configured minimal VMs [going by the 
> current Qubes documentation]? Any pitfalls exposed by the latter?

The only (sort of) protection I am aware of is haveged – an RNG that feeds 
the kernel RNG.

Regards,
Vít Šesták 'v6ak'
