How does Qubes OS work?

General Discussion
12

Hello,
Thank you so much for your reply.
1- You said VMs are already preinstalled. What does it mean? When you install the Qubes OS, then by default some VMs already there? Which OSes?

2- You said No, and you don’t have to do it on Qubes (although some people do it). You use VMs as security domains,… so, Is the Qubes OS a hardened OS? If yes, then why install a virtual machine?

3- How Qubes OS use both of the Debian and Fedora operating systems simultaneously?

4- Are templates complete operating systems?

13

Hello,
Thank you so much.
Do you mean AdminVM is Qubes OS itself? If yes, then how much of the OS? For example, when you install a Linux distribution, then some applications like the Internet browser, LibreOffice, Media player and etc. are part of the distribution.

14

Hello,
Are you sure the project is abandoned? Please check it.

15

Maybe this could answer some of your questions

16

Hello,
Thank you, but I prefer that someone answer the few questions I asked.

1 Like
17

Yes. Here is my super-short introduction to Qubes explaining which VMs are preinstalled. They are based on Fedora by default.

Qubes OS is hardened by the fact that you run everything in VMs, which are isolated from each other by hardware virtualization.

You can have several VMs, some of which are based on Debian and some on Fedora.

Yes.

Qubes is Xen, and it runs minimized Fedora in a special, privileged VM (dom0, adminVM), which is only used to manage other VMs.

On Qubes, you have all these in VMs.

© 2014 CC:BY-SH-NC

Indeed, looks abandoned.

18

So what do you see there that contradicts my comment?

Last alpha release was in 2017. The last commits I can see in the repositories is from 2021. Last time the posted on Twitter was in 2018.

Looks dead to me.

1 Like
19

It’s dead. The issues page in github has been read-only since 2021.

20
  • No, Qubes OS is not based on Fedora, but it uses and incorporates Fedora.
  • No, the AdminVM is not Qubes OS itself. It is one part of Qubes OS.
  • No, Qubes OS is not Xen, but it uses and incorporates Xen.

Qubes OS is its own thing. It is not Fedora or Xen, but it uses and incorporates them.

Why does this matter? Because “Ubuntu is based on Debian” is a true statement, and this type of “distro X is based on distro Y” relationship is quite common in the open-source world. So, when people say things like “Qubes is based on Fedora,” there is a real risk that people who are knowledgeable about the open-source world in general will get exactly the wrong idea about the nature of Qubes OS.

6 Likes
21

Hello,
Thank you so much for your reply.
1- So, the Qubes OS itself has not been hardened. Some Linux distributions are hardened by default.

2- You said “You can have several VMs, some of which are based on Debian and some on Fedora.”, I don’t mean VM, I mean is Qubes OS itself. What kind of Linux is it based on?

3- How many VM templates are there? The Qubes OS is just 6 GB.

4- I meant do you have all these programs (Internet browser, LibreOffice and etc.) in AdminVM?

22

Hello,
Thanks again.
Did you read Downloads disabled as we are still developing Citadel and the new Subgraph OS. Check back soon for a new release.?

23

When was this written?

Why would you need hardening of “Qubes OS itself” if you never run anything in dom0 (AdminVM)?

I explained above that it’s based on Xen. It’s also explained in the FAQ, which I linked and the post of @adw above. Perhaps you could reformulate your question; why exactly you are asking?

Fedora and Debian.

No, and you shouldn’t.

There must be a quick way to describe “what is Qubes” for technical people who know what Linux and Xen are. “Qubes OS is its own thing” is not very helpful. FAQ itself says that “more of a “Xen distribution” than a Linux one”, and I think it’s a perfect short-cut in such case. I also linked the FAQ for more information that it’s not simply Xen.

In principle, Ubuntu is getting further and further from Debian, see snaps. “Based on Debian” is not supposed to explain everything, only to give an idea how to start thinking.

24

Ok, one last attempt to reason with you:

  1. last commit to citadel happened on April 2, 2019

  2. the issue tracker has been archived on March 11, 2021

  3. one of the developers answered in 2019:

… checking his github the last commit to citadel was on May 10, 2021.

1 Like
25

Hello,
Thanks again.

1- About “When was this written?”, you can check it.

2- About “Why would you need hardening of “Qubes OS itself” if…”, so, applications like Internet browser, LibreOffice and etc. are not run in the Dom0. Am I right?
Why do you trust Dom0? To harden Linux, it is necessary to enable or disable some parameters in the kernel, some services, and apply some firewall rules.

3- About “I explained above that it’s based on Xen. It’s also…”, Xen is just a Hypervisor that you can install it on GNU or BSD. For the Qubes OS, Xen Hypervisor installed on Fedora or Debian?

4- Why did the Qubes OS team choose GNU, not BSD or even Solaris?

26

Hello,
Thanks again.
Maybe they are working privately. Who knows?
Why is their website still up?

27

For the sake of clarity for future folks interested in both parts of the conversation: should we split this topic and move the last part to the All around Qubes category?

It seems to me that the conversation has moved away from the original “How does Qubes OS work?” topic a number of posts ago and that splitting wouldn’t be too difficult.

1 Like
28

Why don’t you just post the answer then?

Sun Jul 28 21:30:50 2019

At this point I have to think you are simply trolling (on this point).

Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen, device backends (in the dom0 kernel and in other VMs, such as the NetVM), and Qubes tools (gui-daemon, qrexec-daemon, etc.). These components are security-critical, and we provide updates for all of them (when necessary), regardless of the support status of the base distribution. For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).

Xen runs below the OS. So Fedora is the OS in the Admin VM. This is basic stuff posted multiple times now in this thread.

Qubes aims to be as free as possible without sacrificing security . All of the code created by the Qubes OS Project itself is 100% free.

… all this stuff is answered in the FAQ.

Nope. This is not “All Around Qubes” material. Just ignore that little nitpicking about Subgraph OS. It ought to be settled to death at this point.

29

The two Whonix templates (Gateway and Workstation) are also included in the ISO, which helps to explain the size.

Correct.

3 Likes
30

You harden Linux in order to run something untrusted on it. When you don’t run anything on it, there is no reason to harden it. Also, a lot of software is removed from Fedora in dom0, decreasing the attack surface.

If you are talking about operating system in VMs, this choice allows to run any software designed for GNU/Linux in VMs. And you can in principle run BSD. If you are talking about dom0, see this: Change the OS used in dom0 · Issue #1919 · QubesOS/qubes-issues · GitHub.

2 Likes
31

Hello,
Thank you so much for your reply.

1- About “Sun Jul 28 21:30:50 2019”, maybe they are working on the project. Are you in contact with the team of its creators so that you are so sure that the project will not be developed anymore?

2- The big problems are Fedora and Red Hat. A company that always advertises against the Xen Project. I wish AdminVM didn’t use Fedora.

3- Is FreeBSD not safe or free???