Debian 12 is ~60000 packages, the full template is ~1800, and the minimal template is ~400, and a lot of the “bloat” in the full template is applications like firefox, thunderbird, gnome, libreoffice, etc.
I don’t think the difference in attack surface is that important, and there doesn’t seem to be any reported cases of someone getting compromised by using the full template. The minimal template also relies on the user configuring the environment themselves, which can do much more harm than good.
I do think the minimal template is better than the full template, but I see better performance and lower resource requirements as the main selling points, not some vague promise of better security.
Agreed that the right answer depends on a person’s circumstances.
The more interesting question is, whether there is a single right answer, given a particular set of circumstances. In other words, if John d’Eau explained his threat model precisely, would all of the gurus agree on what he should do? Or is there still uncertainty about the best way just because this is an evolving art? Or is a lot of this up to personal preferences, and we’d end up having a “religious” argument?
Like everything in life, “it depends”. Does having additional pieces of software installed in a Qube that isn’t running cause your attack surface to increase? Probably not in a way that matters. Exploit development is pretty involved these days and I can’t think of an initial attack on a normal Linux system where having X software installed, but not used matters. I guess there could be a really basic bug in the software you’re using which allows them to execute arbitrary commands locally? In that case, sure those commands not being there would cause the attack to fail. ofc, I’m not sure that the software you’re avoiding installing would be on that list.
That said, I use a number of templates and only install the software I need for that specific template into it. I do this using salt, so it’s easy to maintain and I don’t give it much thought once I set it up.
I also use the fedora minimum base template for everything. This choice is due to resource utilization and not for any security benefit. I’m not a big fan of having software running/taking up disk space when I don’t need it.
Edit: I reread the OP again. I’d say this is more a user experience thing? This can all be done relatively easily using salt, but that requires you to learn both salt and how to manage qubes with salt. Perhaps we need something between salt and hand-managed templates.
Before I started using salt, I created bash scripts. I would:
Create the TemplateVM (by cloning another template VM),
Copy the script onto it, then
qvm-run the script from dom0. The new TemplateVM would then run the script, configuring itself.
The process of cloning, copying the script to the VM, then qvm-running the script could itself be automated in another script. But the point is, that setup script should give the same result every time you run it, with very little to be done manually; you can edit it when you decide to remove/add other things to that template, then rerun the process. In some cases you can probably skip step 1 (e.g., adding one more package to the script).
In essence, the setup script was kept on dom0. I’d then write a second script to 1) qvm-copy-to-vm new-template setup_script, then qvm-run new-template “setup_script”. That would cause new-template to be set up properly, including installing needed software, adding things to .bashrc, etc.
With a consistent naming convention (like naming the setup script the same as the template, except with “-setup” at the end of the name), I could even make the second script just take two command line parameters (the name of the template being cloned and the name of the new template) so I only needed one script like that.