I’m aware there are community templates and, in my research of security hardening when it comes to Linux distros, I’ve heard that Gentoo is the most secure with Fedora coming close. Is that right?
What does anyone here think?
To make sure my installation of Qubes OS is the most secure there is, should I stick to using a minimal Gentoo template for all my Qubes or is it more complex than that?
Your safest, most secure option is one of the official Qubes OS Project templates. Using a Community template, such as Gentoo, may be fine but they have not been security tested by Qubes developers.
Personally, I use completely unadulterated official Qubes templates for secure work and updated official Qubes templates, such as with LibreOffice, for less secure work.
If you can do all your work in an offline qube, then you don’t really need security updates, and not having to download executables from a repository can be more secure.
It’s not that not updating in itself is more secure, but you can use Qubes OS in a way where you potentially can gain extra security by not installing any updates.
Interesting.
I think I see where you’re coming from.
Because the repository is maintained by a separate party, how can you trust them 100% not to install any malicious code into the software when they compile them for users to download and install?
And even if they are trustworthy, there’s always a chance that a new update can unintentionally cause more problems to the app.
From what I understand it’s not so much what you install as how you use Qubes’ isolation features – what your workflow is. It’s supposedly super difficult for an attacker to break out of a VM into dom0. So you can even install Windows in a VM if you need to. Check the docs about “inheritance”.