On Wed, 2020-11-18 at 22:49 -0800, Andrew David Wong wrote:
> On 11/18/20 5:54 AM, Matt McCutchen wrote:
> > I assumed the update process was the same for a TemplateVM or a
> > StandaloneVM (though I've never tried the latter),
> 
> It mostly is, but I personally find it easier to be able to update and 
> install packages in the TemplateVM separately from the TemplateBasedVM.

Why?  One advantage I see to the StandaloneVM is that package changes
are immediately persistent and usable in combination with the private
volume.  When using a TemplateVM and TemplateBasedVM, I generally make
package changes first in the TemplateBasedVM for rapid iteration (where
they will be lost on shutdown) and later make them to the TemplateVM
once I am sure what changes I want.
 
> There's also the minor fact that I can update all of my templates with a 
> single qubesctl command, whereas StandaloneVMs would be left out.

That's strange.  If qubesctl has an option to target all TemplateVMs,
I'd think the case for an option to target all updatable VMs
(TemplateVMs and StandaloneVMs) would be equally strong.

> Oh, and there's also a bit of a security benefit, which I forgot to
> mention:
> 
> https://www.qubes-os.org/doc/templates/#note-on-treating-templatebasedvms-root-filesystem-non-persistence-as-a-security-feature

I'm of the firm opinion that auditing a home directory for user-level
rootkits is impractical, as suggested by that page.  IIRC, I came to
this conclusion long before I migrated to Qubes OS in 2014.

> Yes, but even if you don't skip backing up templates, just being able to 
> include them in different backup sets and being able to back them up at 
> different frequencies is handy.

Another interesting point.  Currently, I just back up all my VMs
weekly.  If I were to try to improve that, rather than set different
frequencies for different VMs, I'd be more likely to try to find a
solution to back up each VM incrementally so I can afford to back up
all of them more frequently.  In the past, I've seen some discussions
of how to do this without significantly increasing the attack surface,
but I don't have the links on hand.

> > Though I suppose the more general
> > observation underlying my original proposal was that if the process to
> > generate the system volume from that of the main TemplateVM is
> > automated and reasonably fast, then there's the option to run it on
> > every boot of the TemplateBasedVM rather than persisting a separate
> > system volume at all.
> > 
> 
> I can't speak to that. My experience has led me to keep things simple 
> and in line with intended functionality, since I've found that erecting 
> elaborate custom processes that aren't necessarily supported by the 
> underlying system results in too high of a maintenance burden for me in 
> the future.

I personally am not worried about this.  While I was waiting for 
https://github.com/QubesOS/qubes-gui-agent-linux/pull/107 to be merged,
rather than build a custom RPM and install it in my template, I elected
to set up a script that ran on every boot of the TemplateBasedVM in
which I wanted the functionality and overwrote module-vchan-sink.so
with my custom-built one.  Maybe modifying the template would have been
better, but modifying the TemplateBasedVM on every boot did work.
 Installing RPMs on boot differs only in degree.

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0c354d6b21faf4be9de7f7b9d9ed2c0055c5a59.camel%40mattmccutchen.net.

Reply via email to