Re: [qubes-users] Re: How to handle untrusted applications?
Issue related to Flatpak and Snapd: https://github.com/QubesOS/qubes-issues/issues/2766 It seems that Flatpak is better for this purpose, as it allows per-user installation. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a27c8e77-26f1-4975-8930-815ffaa01cc9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: How to handle untrusted applications?
On space usage: That's true, but that's also exactly what minimal templates are good for. I have cloned Debian minimal template in order to install Spotify. Some time, I had just 1GiB root filesystem, now it is slightly larger. On installing every boot: That's also some option, but it has some drawbacks: * You miss updates. Well, theoretically, one could solve it by some bash script and incron, so once you update the package, you remember to install a newer version. * If you add another repo (important for getting updates) and install its software, you will AFAIU get false update notifications for the base template. * It will cause some IO load when the template is booting. (Flatpak/snapd can probably avoid it.) * Boot can complete before /rw/config/rc.local finishes. This is good for fast start, but the software installation might be finished after the boot completes, so the software would be missing for some time. It also would mean that qvm-run -a vm the-additional-software would be a kind of race condition. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b37e60b0-b803-4970-b8ce-703959e12468%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: How to handle untrusted applications?
On 04/18/2017 01:09 PM, Unman wrote: On Tue, Apr 18, 2017 at 08:20:53AM -0700, cooloutac wrote: On Tuesday, April 18, 2017 at 5:30:47 AM UTC-4, nons...@graumannschaft.org wrote: What is a sane way to manage applications one doesn't trust (e.g. Skype )? As far as I understand the qubes concept so far, I would either have to install the app in my general template (which I do not want ) or create a dedicated template just for the app vm that is supposed to run that app ... is that correct? Joh yes correct. Another option is disposable vm instead of appvm based on the dedicated template, but that might be trickier with skype. I have no experience with it. There are two other options as well - install it on a standaloneVM, or install in to some location in /rw in a normal template based qube. In the case of Skype, it's simple to install under your home directory, although you will have to load the template with some extra libraries. And if you don't want to do that you can work off a standard template, store debs in /rw and install them when you start up the qube. That way you get a customised standard template based qube. This is perfectly workable if you will keep the qube running for a while, and with Skype that's likely. (The advantage of keeping the libs locally, of course, is that you wont need to download them every time you boot the qube. An alternative approach would be to use a caching proxy - I use apt-cacher-ng but other proxies are available, as they say.) unman Yet another option: If the app is easy to install, you can store the package in /home or /rw and do the install each time you use it. -- Chris Laprise, tas...@openmailbox.org https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9f91fc1e-f798-31c1-b526-061ee8008342%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: How to handle untrusted applications?
You are right with the local installation in /rw, except that you might miss automated updates (including security updates) then. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5633dee1-9c71-4678-82b0-36e37c7e0983%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: How to handle untrusted applications?
On Tue, Apr 18, 2017 at 08:20:53AM -0700, cooloutac wrote: > On Tuesday, April 18, 2017 at 5:30:47 AM UTC-4, nons...@graumannschaft.org > wrote: > > What is a sane way to manage applications one doesn't trust (e.g. Skype )? > > As far as I understand the qubes concept so far, I would either have to > > install the app in my general template (which I do not want ) or create a > > dedicated template just for the app vm that is supposed to run that app ... > > is that correct? > > > > Joh > > yes correct. Another option is disposable vm instead of appvm based on the > dedicated template, but that might be trickier with skype. I have no > experience with it. > There are two other options as well - install it on a standaloneVM, or install in to some location in /rw in a normal template based qube. In the case of Skype, it's simple to install under your home directory, although you will have to load the template with some extra libraries. And if you don't want to do that you can work off a standard template, store debs in /rw and install them when you start up the qube. That way you get a customised standard template based qube. This is perfectly workable if you will keep the qube running for a while, and with Skype that's likely. (The advantage of keeping the libs locally, of course, is that you wont need to download them every time you boot the qube. An alternative approach would be to use a caching proxy - I use apt-cacher-ng but other proxies are available, as they say.) unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170418170948.GA20007%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.