Attack surface of templates

The templates come with many common applications not installed. I assume this is done “to reduce attack surface”.

So for example some of your application qubes may need to use libreoffice, but not all of them. One option is to add every application you want to use to the template and have every application qube use that template. Another option is to create a seperate “debian-11-with-libreoffice” qube, and have just the application qubes that need libreoffice to use that, while the others use plain “debian-11” template.

As you add the new programs your qubes need, it can fragment the templates with the worst case being “one template per appvm” (I.E. “debian-11-with-libreoffice-and-sshfs-and–python3-psycopg2–for-qube-work07” template used only by appVM “work07”)

Both extremes seem undesirable. Maybe the best is a balance between exposed attack surfaces and disk consumption/template proliferation?

What are peoples thoughts?

See also:


Check this out:


Another reason is that including a lot of software makes the default templates quite large, which, in turn, makes the Qubes installation ISO very large.

The author says using Flatpak is more secure than tradionally installed software due to all applications being in sandboxes, this is not true, and it is even less secure due to lack of fast security updates:

1 Like

Annnnnd another flatkill link


Annnnnd another flatkill link

I cannot find a single instance of flatkill being linked or even mentioned in the forum, except this very one. In addition it was only mentioned once in #2766. Not sure what makes you react this way.

1 Like

Sorry, not trying to be rude. You’re right it’s not particularly discussed here, but in general, we can’t mention flatpaks anywhere without having someone posting flatkill, getting a bit boring

I don’t know what to make of the flatpak criticisms. They seem quite legit… yet flatpak is also being recommended by a knowledgeable Qubes advocate who is sensitive to matters of privacy and security. Is it possible that the vulnerabilities mentioned are less of a concern when using template-based VMs?