Best (Most secure) Templates to use?

I’m aware there are community templates and, in my research of security hardening when it comes to Linux distros, I’ve heard that Gentoo is the most secure with Fedora coming close. Is that right?

What does anyone here think?
To make sure my installation of Qubes OS is the most secure there is, should I stick to using a minimal Gentoo template for all my qubes, or is it more complex than that?

Thanks.

A bit more complex than that.

Your safest, most secure option is one of the official Qubes OS Project templates. Using a community template, such as Gentoo, may be fine, but it has not been security tested by the Qubes developers.

For more information see Templates | Qubes OS

Personally, I use completely unadulterated official Qubes templates for secure work and updated official Qubes templates, such as with LibreOffice, for less secure work.

You lost me. Why an updated official template for less secure work and a non-updated one for more secure work?

Sorry if I misunderstood, but aren’t updates supposed to, you know, keep them secure?

If you can do all your work in an offline qube, then you don’t really need security updates, and not having to download executables from a repository can be more secure.

It’s not that not updating in itself is more secure, but you can use Qubes OS in a way where you potentially can gain extra security by not installing any updates.

Interesting. I think I see where you’re coming from.

Because the repository is maintained by a separate party, how can you trust them 100% not to insert any malicious code into the software when they compile it for users to download and install?

And even if they are trustworthy, there’s always a chance that a new update can unintentionally cause more problems to the app.

How close to the mark am I?

Yes, that is the idea: any update could potentially contain malicious code.

Local exploits in offline qubes are also largely irrelevant; not updating doesn’t have the same consequences it does with a traditional Linux install.
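
The two replies above (the one on offline qubes not needing updates, and this one on local exploits in offline qubes) both hinge on one question: which of your qubes can actually reach the network, and what template are they running on? The following script is an added example, not code from the thread or from the Qubes OS project. It audits a `qvm-ls` listing from dom0 and reports, per qube, whether it is offline, or networked on an official template, or networked on a community template (the case that needs review). It assumes, as the page does not state, that `qvm-ls --raw-data --fields NAME,TEMPLATE,NETVM` prints one qube per line with fields separated by `|` and `-` for an unset NetVM; the list of official template names is an illustrative assumption you should adjust to the templates installed on your system. When `qvm-ls` is not present, it runs on a constructed sample listing embedded in the script.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Qubes OS project.
# Audit which qubes are networked and whether they run on an official template.
#
# Assumptions (not stated on the page):
#   - `qvm-ls --raw-data --fields NAME,TEMPLATE,NETVM` prints "name|template|netvm"
#     per line, with "-" when no NetVM is set.
#   - OFFICIAL_TEMPLATES lists the official Qubes templates you have installed;
#     the names below are illustrative, edit them to match your system.

OFFICIAL_TEMPLATES="fedora-39 fedora-39-minimal debian-12 debian-12-minimal whonix-gateway-17 whonix-workstation-17"

# Constructed sample listing used when qvm-ls is not available (e.g. outside dom0).
SAMPLE='work|fedora-39|sys-firewall
vault|fedora-39|-
gentoo-dev|gentoo|sys-firewall
win7|win7-template|-'

# is_official TEMPLATE: succeeds when TEMPLATE is in OFFICIAL_TEMPLATES.
is_official() {
    for t in $OFFICIAL_TEMPLATES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# audit_qubes: reads "name|template|netvm" lines on stdin and prints one verdict
# per qube. Lines flagged "-- review" are networked qubes on a community template.
# A header line starting with NAME (if qvm-ls prints one) is skipped.
audit_qubes() {
    while IFS='|' read -r name template netvm; do
        case "$name" in ""|NAME) continue ;; esac
        if [ -z "$netvm" ] || [ "$netvm" = "-" ]; then
            printf '%s: offline (template %s)\n' "$name" "$template"
        elif is_official "$template"; then
            printf '%s: networked via %s, official template %s\n' "$name" "$netvm" "$template"
        else
            printf '%s: networked via %s on community template %s -- review\n' "$name" "$netvm" "$template"
        fi
    done
}

# review_count: reads the same listing on stdin and prints how many qubes
# are networked on a community template.
review_count() {
    audit_qubes | grep -c -- '-- review'
}

main() {
    if command -v qvm-ls >/dev/null 2>&1; then
        qvm-ls --raw-data --fields NAME,TEMPLATE,NETVM | audit_qubes
    else
        printf 'qvm-ls not found; auditing constructed sample listing\n'
        printf '%s\n' "$SAMPLE" | audit_qubes
    fi
}

main
```

In the sample, `vault` and `win7` are offline, so an unpatched template there is the situation the replies describe: nothing reaches them over the network, and a local exploit has nothing to pivot to. `gentoo-dev` is the one line worth a second look, because it combines a community template with network access.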

From what I understand, it’s not so much what you install as how you use Qubes’ isolation features, i.e. what your workflow is. It’s supposedly super difficult for an attacker to break out of a VM into dom0. So you can even install Windows in a VM if you need to. Check the docs about “inheritance”.

This is the principle that lets me run Windows 7 (albeit as infrequently as possible!).

It’s a non-networked VM. What’s going to get in and corrupt it? And what will it do anyway, if it somehow manages to do it?

Since Micro$haft isn’t updating Win7, there’s simply no good reason to run it online, and every reason not to.