On 04/16/2018 04:50 PM, Jan Hustak wrote:
Hello,

I really like Qubes' isolation approach. I would also like to isolate the programs I run from code they don't need. So I want to split not just my data into separate qubes, but also the software that works with said data.

One way to do this is to install required software under /usr/local in each qube. That has the important drawback of ignoring the qube's package manager and the consistent updates it provides.

Another option is to build my qubes as StandaloneVMs copied from a minimalist template. The qubes have to be updated one by one but at least it's still done using the package manager.

So I created a Debian template trimmed to about 2.5 GB. I identified my task domains - there were about 10 - and planned to cut a 4GB qube for each. This would eat up 40 GB from my 500 GB drive which I can live with.

However, the VM Manager insists on at least 10 GB for each qube. Giving up 100 GB with 75 GB empty (i.e. 15 % of total disk space) is steep. So my question is: how can I create smaller images for my qubes?

I'm also open to discussing the basic concept: is it worth trying to keep, for example, Firefox and GIMP in separate qubes, or should I just relax and use one fat TemplateVM with the union of all packages I need?

awokd is right about root non-persistence... it's a good thing to keep. I only use standalone VMs for rare types of tests.

I'm also not sure that separating large GUI apps from each other in different VMs is an answer to anything; once you have the layers in place to support one large app, you probably have most potential app-related vulns installed at that point.

My personal recommendation is to use debian-9 for most things; create a larger version with the usual desktop environment (KDE or Gnome) + apps installed. The smaller one works for sys-net, firewall, vpn, etc. plus browsing and email. The big one is for content creation and special comms: office apps, media, messengers, etc.

The isolation concept works best (on Qubes at least) when applied to the types of _tasks and risks_ you expose each VM to... not so much when applied to specific apps (although occasionally risk types translate into specific apps).

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

