On Sun, Nov 15, 2020 at 1:36 PM Matt McCutchen <m...@mattmccutchen.net> wrote:

> I have a bunch of VMs based on one Fedora TemplateVM.  In most cases,
> I'm willing to install any Fedora package needed by any of the VMs in
> the TemplateVM.  However, due to security concerns, I have one VM that
> runs Zoom, one that runs Skype, one that runs Google Chrome, and one
> that runs Visual Studio Code... you get the idea.  Each of those
> applications offers its own dnf repository, but I don't want to add
> those repositories to the TemplateVM.  And I don't want to use
> StandaloneVMs because that will multiply my management work; even if
> there are management tools that could handle most of my needs, I'd
> still have to learn and configure them.
>
> So far, I've been manually downloading the RPMs and extracting them
> into the user home directory.  (Fortunately, none of them have had
> dependencies on absolute paths that would break this approach.)  This
> is enough of a pain that I rarely update the applications, which may be
> bad for security.
>
> Does anyone know of a better but still convenient solution?

My way of dealing with it is to just clone your pristine fedora-32
template and add the required packages to that template clone, then create
an AppVM that uses that template. This way you limit any potential data
loss or damage to just that one AppVM which you then use whenever you need
one of those proprietary apps. The question now is what data would they
share in that AppVM and is it reasonable for them to share the same AppVM?
If the answer is yes then there is no problem. If no, then create another
AppVM based on the same template for the other app.

The downside is you now have to update two templates instead of one, but
that of course can be automated.

How many specialized AppVMs you create is then based on your own
risk/benefit analysis. I would think it's reasonable for instance to have
Zoom and Skype share the same memory space unless the topics discussed in
each app are highly confidential. If so, you could also just launch a
Disposable VM based on that one template, but for each and every instance
of conversation, and then nothing is ever shared since each instance starts
up with no user data. You just need to move any presentations between
AppVMs to support those conversations.
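
The clone-and-AppVM layout described in the reply above, as an added example that is not part of the original message: a dom0 script that clones the template, creates one AppVM per application from the clone, and updates both templates. The names `fedora-32-apps`, `zoom` and `skype` and the red label are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for dom0. With DRY_RUN=1 (the default) the qvm-* commands are
# only printed, so the plan can be reviewed before anything is changed.
# fedora-32-apps, zoom and skype are hypothetical names.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 = pristine template, $2 = name for the clone, remaining args = AppVM names.
# The proprietary vendor repositories and packages are added inside the clone
# only, so the pristine template never trusts them.
setup_isolated_apps() {
    pristine=$1; clone=$2; shift 2
    run qvm-clone "$pristine" "$clone"
    for vm in "$@"; do
        run qvm-create --class AppVM --template "$clone" --label red "$vm"
    done
}

# Upgrade each template as root, then shut it down so that AppVMs based on it
# pick up the new root image at their next start.
update_templates() {
    for t in "$@"; do
        run qvm-run --pass-io -u root "$t" 'dnf -y upgrade'
        run qvm-shutdown --wait "$t"
    done
}

setup_isolated_apps fedora-32 fedora-32-apps zoom skype
update_templates fedora-32 fedora-32-apps
```

Run it once as is to read the plan, then with `DRY_RUN=0` to apply it; the `update_templates` call alone is the part to schedule.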

