The Default VMS are NOT good for security. Fedora is a bit better than Debian and Whonix is just piling security features onto an insecure OS. Whonix does its job of making a leak-proof Tor-based OS, but for users that need options other than Tor, we need better options.
Also I tried the Arch templates and Qubes seems to make Arch more unstable than it already is. We truly need better options for Guest VMs. Something like GrapheneOS in the guest VMs would have been great. But doesn’t seem to be an option anymore. What are some other guest OSes that could possibly be implemented into Qubes?
solene
August 19, 2024, 12:19pm
2
What is your threat model that makes you say it’s insecure? From there, we could suggest a better-suited OS for you.
3 Likes
opened 12:52PM - 30 Jun 24 UTC
T: enhancement
C: templates
security
P: default
### The problem you're addressing (if any)
Qubes OS is marketed as "a reasonably secure operating system", leading users to expect comprehensive security hardening across all aspects of the system. This includes a hardened default browser and other Template hardening. However, the current default templates, particularly for default App Qubes, often include software with suboptimal security (and privacy) settings. This creates a disconnect between user expectations and the out-of-the-box experience.
Here are some examples. Quote [Is there a reason Firefox needs to have vulnerable insecure settings in the templates?](https://forum.qubes-os.org/t/is-there-a-reason-firefox-needs-to-have-vulnerable-insecure-settings-in-the-templates/23566) and [Is Firefox really an appropriate default browser for Qubes?](https://forum.qubes-os.org/t/is-firefox-really-an-appropriate-default-browser-for-qubes/26042):
* > Firefox comes configured with worst privacy settings
* > When I first installed Qubes and I saw Firefox was preloaded I did assume it would have default security setting to be more secure out of the box due to the nature of the system. It was kind of shock to me that it was just setup like a straight download off Firefox.
* > why the hell is Firefox allowed to be the default browser on a privacy/security OS when every time I launch it it wants to call all of its friends back home? Literally all of them, even its grandma.
It is currently not possible to address this issue in Debian, Fedora Templates, because of the related Qubes FAQ: [What is Qubes’ attitude toward changing guest distros?](https://www.qubes-os.org/faq/#what-is-qubes-attitude-toward-changing-guest-distros). The policy of respecting distribution policy is in direct conflict with Qubes making changes for customization (selected default installed packages), usability (Qubes tools integrations) and security hardening.
Example Qubes tickets which can currently not be implemented because of this policy.
* https://github.com/QubesOS/qubes-issues/issues/2238
* https://github.com/QubesOS/qubes-issues/issues/1885
This was confirmed by @marmarek in https://github.com/QubesOS/qubes-issues/issues/8730#issuecomment-1828296135.
> As you can see, in both cases we in fact did not include them, and in the first case it's even explicitly discussed if that wouldn't be against what Debian is.
Fork in this context only means to have for example a Template based on Qubes Debian template, with a distinct name, where security-hardening by default would be permissible without being in contradiction with respecting upstream Linux distribution policy. No other gigantic steps (such as forking all of Debian archive `packages.debian.org`, re-building all the Debian archive) are suggested.
### The solution you'd like
* ***A)*** Adopting an existing security-focused Linux distribution as the base if any suitable exists; or
* ***B)*** A fork of a base distribution by Qubes for the purpose of security-hardening it by default and use it by default.
This new template would:
* Have security-optimized default settings for browsers and other key applications.
* Minimize autostarting services to reduce attack surface.
* Allow Qubes developers to implement security best practices without conflicting with upstream policies.
Other alternatives:
* ***C)*** Reject use of a security-focused Linux distribution by default (due to lack of resources) and improve Qubes branding to reflect that this is out-of-scope. (non-ideal)
* ***D)*** Abolish "respect distribution culture" policy. (non-ideal)
### The value to a user, and who that user might be
* Aligns the out-of-the-box Qubes experience with user expectations of a security-focused OS.
* Provides better default protection for users who don't customize their templates.
### Completion criteria checklist
Something like this is what I had in mind
2 Likes
ymy
August 19, 2024, 1:18pm
4
Have you tried the minimal templates? You could build your security from there?
2 Likes
qubist
August 19, 2024, 2:35pm
5
> The Default VMS are NOT good for security.
For the security of what?
> Fedora is a bit better than Debian
Evidence, please.
> Something like GrapheneOS in the guest VMs would have been great. But doesn’t seem to be an option anymore.
When was it an option?
3 Likes