How to minimize dom0?

I have been wondering if it would cause too much headache to either:

  1. have an immutable OS like VanillaOS as Dom0
    or
  2. create a VanillaOS Template
    (as an immutable OS would this mean that the Template qube can’t be broken — as in altered — since an immutable OS is its template making it therefore truly ethereal in a disposable qube Templated with VanillaOS as its base template? So then maybe Dom0 need not be altered to an even harder state if the qube is made immutable and disposable, correct or no?)
1 Like

I tuned out after about the first 10 posts of rationalized arguing. It irritates me to see people arguing to no end without actually working to a solution. Apologies if what I say next has already been covered, or if the frustrations I mentioned were worked out.

I can sympathize with both sides of this argument. On one hand, the actual security risk of widely used blobs in dom0 is extremely small for the vast majority of users, and the Qubes devs have no place wasting their time sorting through all the paranoia. However, it is equally senseless to assume that just because it isn’t likely to be an issue that it isn’t worth the time.

It took me less than 5 minutes to figure out that atheros-firmware, brcmfmac-firmware, mt7xxx-firmware, and realtek-firmware are all WiFi/Bluetooth firmware that aren’t, and haven’t been since sys-net, necessary in dom0. As for AMD/Intel/Nvidia GPU, these may very well be necessary. Could it not be simple to autodetect in the installation ISO which are necessary and accordingly install? I’m not a dev, but it should seem pretty easy to me to see what GPUs are present and accordingly install these packages. If so, then this is a simple fix. If it isn’t important enough for you to fix or fund yourself, then it isn’t that important to you.

2 Likes
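The autodetection idea from the post above, sketched as an added example (not part of the thread and not Qubes installer code): it reads `lspci -nn` output, picks the GPU firmware dom0 needs, and lists installed firmware packages that are candidates for removal. The wireless package names come from the post; the GPU package names (`amd-gpu-firmware`, `intel-gpu-firmware`, `nvidia-gpu-firmware`) are assumed Fedora-style names, and both sample inputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `lspci -nn` output (not from a real machine).
SAMPLE_LSPCI='00:02.0 VGA compatible controller [0300]: Intel Corporation UHD Graphics 620 [8086:5917] (rev 07)
00:14.3 Network controller [0280]: Intel Corporation Wireless-AC 9560 [8086:9df0] (rev 30)
01:00.0 3D controller [0302]: NVIDIA Corporation GP108M [GeForce MX150] [10de:1d10] (rev a1)
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111 [10ec:8168] (rev 15)'

# Constructed sample of installed package names in dom0.
SAMPLE_INSTALLED='amd-gpu-firmware
intel-gpu-firmware
nvidia-gpu-firmware
atheros-firmware
realtek-firmware
linux-firmware'

# Reads `lspci -nn` text on stdin. For every display-class device
# (PCI class 03xx) it maps the PCI vendor ID to a firmware package
# (assumed names) and prints the sorted, de-duplicated result.
needed_gpu_firmware() {
    sed -n 's/.*\[03[0-9a-f][0-9a-f]\]:.*\[\([0-9a-f]\{4\}\):[0-9a-f]\{4\}\].*/\1/p' |
    while read -r vendor; do
        case "$vendor" in
            1002) echo amd-gpu-firmware ;;
            8086) echo intel-gpu-firmware ;;
            10de) echo nvidia-gpu-firmware ;;
        esac
    done | sort -u
}

# removal_candidates NEEDED: reads installed package names on stdin.
# Prints the wireless firmware named in the post (those devices live in
# sys-net, not dom0) plus any GPU firmware package not listed in NEEDED.
removal_candidates() {
    needed=$1
    while read -r pkg; do
        case "$pkg" in
            atheros-firmware|brcmfmac-firmware|mt7xxx-firmware|realtek-firmware)
                echo "$pkg" ;;
            amd-gpu-firmware|intel-gpu-firmware|nvidia-gpu-firmware)
                echo "$needed" | grep -qxF "$pkg" || echo "$pkg" ;;
        esac
    done
}

# Demo on the constructed samples; nothing is installed or removed.
needed=$(printf '%s\n' "$SAMPLE_LSPCI" | needed_gpu_firmware)
echo "GPU firmware to keep:"; echo "$needed"
echo "Removal candidates:"
printf '%s\n' "$SAMPLE_INSTALLED" | removal_candidates "$needed"
```

On a real system the inputs would come from `lspci -nn` and `rpm -qa --qf '%{NAME}\n'` run in dom0; the functions only print names, so the result can be reviewed before anything is changed.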