Hey, I’m a new user, and I have to say I’m blown away by Qubes, it’s a lot more user friendly than I expected it to be given the level of security that is possible with this system.
Regarding being inclusive of non technical users I would doubt non technical people install or setup Qubes by themselves, for a Journalist they likely have their IT folks involved in setting up the system. I wonder if part of the barrier to entry for some non technical users is actually budgeting engineer time to install and configure the OS. I don’t know if they typically hire outside contractors who specialise in Qubes installations or if they usually ask their general IT folks to install it, but if it is the general IT folks doing a small number of installs then even though it’s a technical user the UI and time commitment is still rather important.
Even as a technical user getting going with Qubes has been a serious time commitment, it’s not that I couldn’t get the operating system working just like any other linux distro in a similar amount of time but rather that if I want to benefit from the features of Qubes there is a lot of work involved in setting all of that up. Then if for some reason my yubikey breaks or my laptop dies I’m going to have to do all of that setup again, even if I have backups created that only covers the home directory.
Ideally there would be a list of developer maintained and (for the brave) a community supported repository of one click configurations like split-gpg with thunderbird or similar. This could actually increase security for users by reducing the barrier to entry for some of the more complex security configurations.
I dislike SaltStack in Qubes, learning SaltStack is quite a time commitment by itself and then you have to understand the differences that Qubes brings to the table. I’m not sure that Qubes leverages enough of the advantages of SaltStack for it to add real value. I think that becomes pretty obvious when you try to imagine what parameterising SaltStack would look like to avoid collisions with existing configuration. Square peg, round hole.
I wonder if a better arrangement might be something custom, something similar to docker compose that just defines the vm definition, relationships to other vms in the compose file and the bash script to run inside each vm on init?