I've started making special templateVMs where I install less
trusted software, typically closed source binaries or code
distributed directly from a vendor.
I am curious if others do this and if people think it adds much
security wise.
For example, in addition to vanilla fedora-32, where I will
install any number of packages from the standard repos, I have -
fedora-32-zoom (the proprietary videoconferencing software)
fedora-32-slack (the group chat app, installed from their own rpm)
fedora-32-print (had to run a Brother install tool to get printer
working, use it from my dvm-print wich is firewalled only to my
local printer ips)
fedora-32-media (has some proprietary media hnadling software)
I just don't like the idea of putting untrusted code in a
templateVM used by sensitive VMs. On the other hand, perhaps I
worry too much, in theory at least I do control when any given app
is run? The Brother install was a bash script run via sudo (!!)
that could have done anything but the others typically go in as
rpm files via dnf, so presumably (?) they can't just install
untrusted services that get auto launched.
Obviously this makes updates take longer, so it's got some cost.
Is this a wise approach? Or no? Thanks for any thoughts....
Ryan
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/87h7sfzqv3.fsf%40disp2634.
