Re: [qubes-users] minimum size for a qube image
On 04/21/2018 03:44 AM, Manuel Amador (Rudd-O) wrote:
> On 2018-04-16 20:50, Jan Hustak wrote:
>> Hello,
>>
>> I'm also open to discussing the basic concept: is it worth trying to keep, for example, Firefox and GIMP in separate qubes, or should I just relax and use one fat TemplateVM with the union of all packages I need?
>
> Fat template with everything you got there, *so long as your fat template does not have anything installed that installs systemd system or user units that will start on boot or login*. If you have a template that runs some sort of package on boot or login, you can nuke it using a systemd unit override ( in the right directory) so it won't start. Fedora is really good about not starting units by default (except for SSHD, which is in fact disabled by default in Qubes templates).
>
> Aaand then perhaps a thin template for things that could be your service VMs. (I'm really rooting for the MirageOS templates).

Thanks, that's another angle to consider. My original question concerned code simply sitting on the disk that could (somehow) be activated by an attacker - but it's true that a fat template may also mean a busy runtime with lots of code already active. I do believe the approach outlined by awokd works to address this issue as well.

Thanks everyone for your responses, they've really been helpful.

jh

P.S. And yes, MirageOS is cool :-)

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/21befed7-4cc1-71f2-293b-883a394e6e5a%40journey.sk.
For more options, visit https://groups.google.com/d/optout.
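One way to check the condition raised in the message above, that a fat template must not bring in units that start on boot: diff the enabled units of the stock template against the fat one. This is an added example, not part of the original thread; the two listings are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Input format: output of
#   systemctl list-unit-files --state=enabled --no-legend
# run inside each template (from dom0, e.g. via `qvm-run --pass-io`).
# Column 1 is the unit file name, column 2 its state.

# Read one listing on stdin, print the sorted names of enabled units.
enabled_units() {
    awk '$2 == "enabled" { print $1 }' | sort -u
}

# new_enabled_units BASELINE_FILE CANDIDATE_FILE
# Print units enabled in the candidate listing but not in the baseline.
new_enabled_units() {
    tmp=$(mktemp -d) || return 1
    enabled_units < "$1" > "$tmp/base"
    enabled_units < "$2" > "$tmp/cand"
    comm -13 "$tmp/base" "$tmp/cand"
    rm -rf "$tmp"
}

# Constructed sample listings: a stock template and a fat clone of it.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/stock.txt" <<'EOF'
cron.service      enabled
rsyslog.service   enabled
ssh.service       disabled
EOF
    cat > "$d/fat.txt" <<'EOF'
avahi-daemon.service  enabled
cron.service          enabled
cups.service          enabled
rsyslog.service       enabled
ssh.service           disabled
EOF
    new_enabled_units "$d/stock.txt" "$d/fat.txt"
    rm -rf "$d"
}

demo
```

Each unit the comparison prints is a candidate for disabling or overriding in the fat template; user units need the same listing taken with `systemctl --user` from a logged-in session.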
Re: [qubes-users] minimum size for a qube image
On 04/19/2018 10:00 AM, awokd wrote:
> On Thu, April 19, 2018 5:45 am, Jan Hustak wrote:
>> I guess there's a cognitive aspect to it as well, not related to security as such. I have over 2300 packages installed on my main Debian notebook, many of them not needed anymore. Cleaning them out is a tedious job I never get to. If I had a VM/filesystem with "only packages needed for Project X", things would be more orderly. I don't need Qubes OS for that, of course, but it's an issue I seek to address in addition to security. Sorry if I'm straying off topic.
>
> It's not off topic. I've said before I'd keep using Qubes even if it provided no additional security over any other Linux distributions (but it does a lot) merely for the convenience/flexibility it provides! In your case then, you might want a workflow something like:
>
> 1- Clone one of the stock templates to create a base template with common packages
> 2- Clone as needed for project X, install specific packages
> 3- Make Project X AppVM based on the new template
> 4- Delete project specific VMs when done
>
> If you can figure out a union of common packages (hopefully less than 2300!) then you could skip step #2 some of the time and base #3 on #1.

Yes, this is exactly what I'm thinking about. It does mean having 2 VMs per project but that's a trivial cost.

jh
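The four-step workflow quoted in the message above, written as dom0 shell functions. This is an added example, not code from the thread; it assumes the Qubes R4.x `qvm-*` tools and a Debian-based template, and the VM names, label and function names are placeholders.

```shell
#!/bin/sh
# DRY_RUN=1 prints the qvm-* commands instead of executing them,
# so the plan can be reviewed before anything is cloned or removed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: make_base STOCK BASE PKG...
# Clone a stock template and install the common packages into the clone.
make_base() {
    stock=$1 base=$2; shift 2
    run qvm-clone "$stock" "$base"
    run qvm-run --pass-io -u root "$base" "apt-get -y install $*"
    run qvm-shutdown --wait "$base"
}

# Steps 2 and 3: project_up BASE PROJECT [PKG...]
# With packages: clone BASE to tpl-PROJECT and install them there.
# Without packages: skip step 2 and base the AppVM directly on BASE.
project_up() {
    base=$1 proj=$2; shift 2
    tpl=$base
    if [ $# -gt 0 ]; then
        tpl="tpl-$proj"
        run qvm-clone "$base" "$tpl"
        run qvm-run --pass-io -u root "$tpl" "apt-get -y install $*"
        # Template must be shut down for the AppVM to see the new root image.
        run qvm-shutdown --wait "$tpl"
    fi
    run qvm-create --class AppVM --template "$tpl" --label blue "$proj"
}

# Step 4: project_down PROJECT [PROJECT_TEMPLATE]
# Remove the AppVM first; a template cannot be removed while a VM uses it.
project_down() {
    run qvm-shutdown --wait "$1"
    run qvm-remove -f "$1"
    if [ -n "${2:-}" ]; then run qvm-remove -f "$2"; fi
}

# Usage (constructed names):
#   make_base debian-9 base-common vim git
#   project_up base-common projx gimp inkscape
#   project_down projx tpl-projx
```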
Re: [qubes-users] minimum size for a qube image
> I'm also not sure that separating large GUI apps from each other in different VMs is an answer to anything; once you have the layers in place to support one large app, you probably have most potential app-related vulns installed at that point. My personal recommendation is to use debian-9 for most things; create a larger version with the usual desktop environment (KDE or Gnome) + apps installed. The smaller one works for sys-net, firewall, vpn, etc. plus browsing and email. The big one is for content creation and special comms: office apps, media, messengers, etc.

I guess there's a cognitive aspect to it as well, not related to security as such. I have over 2300 packages installed on my main Debian notebook, many of them not needed anymore. Cleaning them out is a tedious job I never get to. If I had a VM/filesystem with "only packages needed for Project X", things would be more orderly. I don't need Qubes OS for that, of course, but it's an issue I seek to address in addition to security. Sorry if I'm straying off topic.

jh
[qubes-users] minimum size for a qube image
Hello,

I really like Qubes' isolation approach. I would also like to isolate the programs I run from code they don't need. So I want to split not just my data into separate qubes, but also the software that works with said data.

One way to do this is to install required software under /usr/local in each qube. That has the important drawback of ignoring the qube's package manager and the consistent updates it provides.

Another option is to build my qubes as StandaloneVMs copied from a minimalist template. The qubes have to be updated one by one but at least it's still done using the package manager.

So I created a Debian template trimmed to about 2.5 GB. I identified my task domains - there were about 10 - and planned to cut a 4GB qube for each. This would eat up 40 GB from my 500 GB drive which I can live with. However, the VM Manager insists on at least 10 GB for each qube. Giving up 100 GB with 75 GB empty (i.e. 15 % of total disk space) is steep.

So my question is: how can I create smaller images for my qubes?

I'm also open to discussing the basic concept: is it worth trying to keep, for example, Firefox and GIMP in separate qubes, or should I just relax and use one fat TemplateVM with the union of all packages I need?

Any advice appreciated.

jh
[qubes-users] HCL report for Lenovo ThinkPad T520 4240-4HG
Hello,

See attached.

Regarding BIOS settings mentioned in "remark": the combination of both VT-d and Discrete Graphics being ON causes the installer to freeze. If configured post-install, it causes the OS to freeze while booting. Turning VT-d OFF allows for installation (with warning) but breaks networking and who knows what else. As the remark states, the proper configuration is VT-d ON and Discrete Graphics OFF.

jh

Qubes-HCL-LENOVO-42404HG-20180206-203645.yml
Description: application/yaml