I’m new to QubesOS and organizing my qubes and templates. I wanted to know how people generally approach a specific question as I try things out.
Do you make new templates for qubes with a limited use, or modify a preexisting one? For example, if I want a qubes for a work Signal account, do I make a Signal-only Debian template, or do I modify the same Debian template I may use for other qubes? Currently I’m doing the latter.
Thanks
Edit: if signal is not a good example, switch it for any other app like LibreOffice
Mixture.
If I install apps from default repos then mostly it’s in one template.
If I need to add additional external template or install RPM downloaded from somewhere then it’s in separate template.
I also have separate template per use, like e-mail, multimedia, vpn, audio, devel, donutbrowser-dvm, trivalent (mostly because I’ve installed in them some external things )
I wasn’t able to pinpoint my specific concern but adding third-party repos to templates used for a lot of Qubes is a major one. Your setup makes sense, thank you!
Personally, I use minimal templates for network, vpn, usb and audio.
I really like minimal templates because I use a lot of templates but the most important thing, I think, is to use a blank template every time.
What I mean is to always keep the “basic” template and clone the templates you need. and not to use a template for a lot of different things.
After that, everyone does as they feel, as I told you, depending on your threath model
Makes sense! To my newbie eyes, cloning a template seems like a bigger decision than spinning up a new qube but I just have to get used to it being another tool for my threat model as you said. I assume hardware wise, I’m just loosing more space per template? Which is not really a concern
When I started with Qubes, I was using many different templates, one for each kind of task. However I realized that I find wasteful to have too many slightly different templates (that is, use more than 1GB space to have another template to install one software package there).
Now, I have a few different ones: One for software coming from official repositories, where I install all I need for the different tasks (email, work, programming, etc.), one for installing proprietary software (where I dump all proprietary stuff I need, such as MS Teams, proprietary VPN clients, etc.), and then others by need (for instance a GPU template with all the required liibraries and drivers, or one for sys-audio, or some networking functions) when the overhead for duplicating the template is small compared to everything else that needs to be installed.
I would love a deduplicating template storage, so that cloning a template to add a package would use only the space needed for that package, but that is not available at the moment. If such a thing existed, I would probably go back to having a large number of templates.
To cope with updating multiple templates I use a caching proxy instead
of the qubes proxy. This minimises the network load and decreases the
update time.
The cacher package is available from here
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Initially, I also thought about qubes, templates, and software packages. Over time, my perspective shifted: I began to think of threats as part of my overall threat model and how I could manage them to minimize risks.
I believe that Qubes “by design” led me to this way of thinking.
)