Minimal templates by default for sys vms. Or option to choose them for sys during installation

From what I have read so far, many users, including several Qubes core developers, strongly recommend using minimal templates for sys-net, sys-firewall, sys-usb, vault VM, etc. If this is indeed what's best for security, why not use minimal templates for sys by default? Or at the very least allow users to choose them for sys VMs during installation, akin to how that's already done for Whonix.

More advanced users can of course do this later themselves, but many if not most users will not.

If you don't want to make the ISO too big, perhaps give the option for a different ISO that would contain both normal and minimal templates?

1 Like

I see, why is space consideration an issue though? USB drives are huge nowadays.

not always

  1. Internet speed: for me, downloading a normal Qubes ISO file is already painful enough, especially as a Tor user. What will happen if we add 1 GB to it by using minimal templates?
  2. Newbies will be confused about what a minimal template is and how to use it.

1 Like

Where I live I cannot even find USB drives smaller than 16 GB; besides, 16 GB is plenty.

The speed, well, that can be bothersome, but surely it is just a matter of waiting a little longer. That could be fixed by providing more ISO options; one with both minimal and default templates would be perfect for many use cases.

To me personally this would be significant. I have configured many computers with Qubes, and having minimal templates pre-configured by default for sys would be amazing, especially given that it is the most secure option.

Imagine that a ‘default minimal’ template must include EVERY firmware for every supported network device… I could not call it minimal any more.

1 Like

Excellent point.

@fram: minimal templates are meant for experienced users who understand the basics of Linux, how to install packages, how to diagnose missing dependencies, who know what a firmware package is and which one they need, etc.

The idea is that a minimal template contains the minimum viable qube and you then add whatever is needed for a specific job.

Another point, that I do not think anyone has mentioned, is that
minimal templates have no Qubes networking packages installed.
So if you used minimal templates for all sys-qubes, your system would
be offline, and you would not be able to install packages to bring it
Nor would you be able to use USB devices.

Of course, you could provide custom stripped down versions of the standard
templates, but that’s a different matter.

1 Like