Minimal Fedora, Debian and Kicksecure - when to use which?

I’ve finally had the time to learn and implement minimal templates on my Qubes machine. Now I’m wondering what the differences there are and which is best either in general or for specific use-cases.

The three minimal-based templates I tried were:

  • official debian-XX-minimal
  • official fedora-XX-minimal
  • self-made minimal kicksecure-cli based on debian-XX-minimal following the official guide

Thus far I’ve replaced all but the sys-qubes without encountering issues, so that hasn’t yet become a factor for me.

Security wise, I usually assume Fedora > Debian because of faster updates and generally more modern technologies. Idk to what extent that evaluation changes when talking about minimal variants running on Qubes. Where Kicksecure places in this ranking, I have no idea. On one hand, it obvioisly has lots of security hardening, on the other, it also has the biggest attack surface, so I could plausibly see it anywhere from “way less secure than debian-minimal” to “way more secure than fedora-minimal”

I’m using seperate templates for every purpose/program, so I’m able to pick the best option for each specific use-case. The question is how do they differ, both in security and in functionality.

Debian and Fedora, with the appropriate packages, are equal in functionality. Kicksecure is not.

As for security, I can’t give a more specific answer because your question is also ambiguous: it can be answered by the already existing abundance of material on each distro’s security. You have to threat model and understand what you’re trying to do and why, as well as understand the basics, before someone can effectively secure your systems.

For example, Signal Messenger requires Debian and therefore cannot be installed on Fedora, so therefore Debian is better. The best thing you can do is understand for yourself what Fedora and Debian both bring to the table and then decide which to use.

Distros vary in many different ways, not the least of which being package managers. I’d recommend starting there.
https://www.makeuseof.com/apt-vs-dnf-vs-yum/
I’m sorry I cannot be more help.

I am also interested in the very same question.
Official qubes documentation on minimal suggests some packages that may improve desktop experience (e.g. qubes-linux-common, qubes-menus). Also, there is a package called qubes-vm-recommended containing a bunch of stuff. I am wondering whether some of the packages improve the security like fakeroot?
What concept would be more secure ssh-split based on fedora-40-minimal or fedora-40-xfce template?

2 Likes

Minimal templates offer only a relatively small amount of security: they represent nothing more than decreased attack surface and resource usage. By including less programs in the template, there are less potentially compromised or vulnerable packages, less things for an attacker to leverage, and less system resources busy. The practical security benefits are not actually that that big, however, because most of what comes in regular templates isn’t risky to run (beyond the normal level that is).

IMO, the real benefit of minimal templates is less resource usage and a cleaner system. I personally don’t see the point of running applications you aren’t using, so therefore I use minimal templates. They are also (once again, IMO) easier to manage.

If you want security, minimal templates do provide a reduction in attack surface, but not much in the grand scheme of things. I would recommend looking into a package called lynis, and if you’re willing to do a little more learning, AppArmor and SELinux for Debian and Fedora, respectively.

4 Likes

Security wise, I usually assume Fedora > Debian because of faster updates and generally more modern technologies.

Faster = latest features, less time for testing != more secure.
Stable = well tested.

There is a good reason why servers use stable distros (which also backport security fixes).

Idk to what extent that evaluation changes when talking about minimal variants running on Qubes. Where Kicksecure places in this ranking, I have no idea. On one hand, it obvioisly has lots of security hardening, on the other, it also has the biggest attack surface, so I could plausibly see it anywhere from “way less secure than debian-minimal” to “way more secure than fedora-minimal”

Such comparison has no meaning without answering “Secure against what?” and a clear methodology for evaluation. This is a huge topic.

I’m using seperate templates for every purpose/program, so I’m able to pick the best option for each specific use-case. The question is how do they differ, both in security and in functionality.

It depends what your goal is. Usually, it is a good idea to stick with stability for service qubes. If you want features, use a “faster” distro/repo for desktop stuff.

You may also be interested in:

3 Likes

If I would switch to a minimal template now and just install the things that I need without configuring, would there be actually an increased attack surface / risk, due to missing programs, configuration or anything else that I miss?

There shouldn’t be any increased risk.* All official templates are regular templates with modification only for integration to Qubes, so there is no configuration difference between them and their regular versions, besides Qubes stuff. Any security-related packages and configuration will have to be done on both minimal and regular distros equally.

*This is assuming all things are equal, i.e. you don’t already have configuration on your current templates