As far as I know in order to use the “Software” graphical installer on fedora (which shows in the application list of fedora-32 by the way) on has to enable internet access to the TemplateVM. (or use the updates proxy, but activating that requires the terminal, which we are avoiding in the first place)
This discussion follows because some tutorial for Qubes compelled users to do this (and it may be bad advice).
I wanted to know the community’s thoughts on this. I’ll outline mine bellow.
Using the terminal is a big usability pain point. And for a regular user only thing that is probably needed to do on the terminal on a semi-regular basis. So if this could be avoided, this would possibly avoid a lot of not-IT people dropping out of Qubes.
As such one potential workaround could be to use the graphical software installer for fedora (a default AppVM application). Unfortunately, it doesn’t work unless one gives the template access to the internet (which may be bad for security).
The following image is what one sees if the fedora is opened on a TemplateVM with no internet access:
As you can see, no software is presented and the application is unusable.
Just contrast the following image of the graphical software installer with the hard-to-use
dnf utility that relies so much on recall.
Potential user-related dangers
Updating to fedora-33 via “Software application”
As you can see on the picture bellow, there is an option to upgrade from fedora-32.
After testing a bit it seems the “restart and update” button gets stuck which prevents the user from completing the potentially problematic action. But this can lead to user confusion as the software didn’t perform what was expected by the user.
User starts doing internet-related tasks on TemplateVM
Because in order to make this work, one has to enable internet access, it may be possible the user starts using stuff like a web browser on the template VM, which defaults their entire purpose.
Opening the browser by mistake
On the templateVMs we want to minimise as much as possible running software. And the browser is probably the most complex software that could be ran.
When visiting a particular piece of software’s installation page, the interface present two buttons [website] and [Donate] which when clicked will open the browser.
Making it simple to enable third-party repos
The software center makes it extremely easy to enable third-party repositories. Which may not be desireable for the user from the security standpoint.
Potential technical risks
Increase attack surface (complex code)
Running a complex GUI application, can increase the attack surface.
Increase attack surface (internet access)
I don’t know exactly how the software center for fedora works under the hood, but I can imagine there is much less scrutiny as to how the protocol works. For typical package mangers, the protocol is probably well defined and it can even work with mirrors, but with the software center, I can imagine it only fetches the images from one source, for example