There are a few points here:
- Please do not confuse “firmware” with “applications”. Both are software, but there is a huge difference in their impact on the attack surface. Firmware does not run on the main CPU; it runs on a specific device (be it a network card, sound card, or something else). If a qube doesn’t have any of those attached, it has literally zero impact on the attack surface.
- We want the standard Qubes OS installation to be as easy to use as possible (which is already “hard” in the case of Qubes OS for many people). Setting Debian as the template for sys-net/sys-usb is one of the supported configurations (you can choose it during installation - there is a drop-down for the default template, or you can trivially change it later in sys-net’s settings). This feature was requested by many users. If the default Debian template weren’t usable for sys-net/sys-usb by default, we’d need to roll back that feature too (or even remove Debian from the default installation). I’d hate to do it, but we don’t have the capacity for handling even more support requests of the form “I installed Qubes and cannot connect to the network” (we’ve been there before…).
- Finally, and perhaps most importantly, not including firmware packages in many cases does not mean the device won’t run “non-free software”. Some will still run it, just an older version from its internal ROM, possibly with many bugs that were already fixed in a later version. Not including firmware updates is a security risk.
Also, take a look at this issue: https://github.com/QubesOS/qubes-issues/issues/5123
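The post argues that leaving firmware packages out of a sys-net/sys-usb template does not remove the firmware, it just leaves the device on whatever older copy sits in its ROM. The quickest way to see whether that is happening in a given qube is to check the kernel log for firmware blobs the driver asked for but could not find. The script below is an added example, not code from the post or the Qubes OS project; the dmesg lines it parses are constructed for the example, and the message formats (`Direct firmware load for … failed with error …`, `firmware: direct-loading firmware …`) are those emitted by the Linux firmware loader.

```shell
#!/bin/sh
# Added example: report firmware blobs the kernel requested but could not load.
# The dmesg lines in SAMPLE_DMESG are constructed for this example; pass --live
# to scan the real kernel log of the qube you are running in instead.

SAMPLE_DMESG='[    2.101] iwlwifi 0000:00:14.3: Direct firmware load for iwlwifi-cc-a0-72.ucode failed with error -2
[    2.102] iwlwifi 0000:00:14.3: firmware: failed to load iwlwifi-cc-a0-72.ucode (-2)
[    2.300] rtw88_8822ce 0000:01:00.0: firmware: direct-loading firmware rtw88/rtw8822c_fw.bin
[    3.010] r8169 0000:02:00.0: Direct firmware load for rtl_nic/rtl8168h-2.fw failed with error -2
[    3.011] r8169 0000:02:00.0: unable to load firmware patch rtl_nic/rtl8168h-2.fw (-2)'

# One line per blob that failed to load: "<filename> <errno>", deduplicated.
# errno -2 (ENOENT) means the file is simply absent from the template.
missing_firmware() {
    printf '%s\n' "$1" \
    | sed -n 's/.*Direct firmware load for \([^ ]*\) failed with error \(-[0-9]*\).*/\1 \2/p' \
    | sort -u
}

# One line per blob the kernel found on the filesystem and handed to the device.
loaded_firmware() {
    printf '%s\n' "$1" \
    | sed -n 's/.*firmware: direct-loading firmware \([^ ]*\).*/\1/p' \
    | sort -u
}

# Number of distinct missing blobs; non-zero means some device is running
# its ROM copy (or not working at all) rather than the packaged update.
missing_count() {
    missing_firmware "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    input=$(dmesg)          # needs permission to read the kernel log
else
    input=$SAMPLE_DMESG
fi

echo "Firmware loaded from the filesystem:"
loaded_firmware "$input" | sed 's/^/  /'
echo "Firmware requested but not found (device falls back to its ROM copy or fails):"
missing_firmware "$input" | sed 's/^/  /'
echo "Missing blobs: $(missing_count "$input")"
```

On the constructed sample this reports the Intel and Realtek NIC blobs as missing and the rtw88 blob as loaded. In a real sys-net the filenames in the missing list tell you which firmware package (e.g. the one providing the `iwlwifi-*.ucode` files) the template lacks.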