According to QSB-91, qubes-windows-tools has been replaced with a dummy package due to a possible security issue with the Xen Windows PV Drivers. If I’m reading this advisory correctly, the issue is only with the PV drivers and none of the other Windows tools. So, since a fixed version still isn’t available, it seems to me a simple workaround would be to just not install the PV drivers. The installer doesn’t install them by default anyway. However, if it was that easy, it seems the security team wouldn’t have disabled the package, so I’m guessing there must be some issue I haven’t thought of that makes this workaround not secure?
If I were really paranoid, I could rebuild the ISO and just remove qubes-vmm-xen-win-pvdrivers-xeniface-92236b2f92acebb8.tar.gz and qubes-vmm-xen-windows-pvdrivers-873e5e8598fefed7.tar.gz so there is no question of tainted code in dom0. Am I missing something? Was this already considered and discarded as a workaround for some reason? Is this even the right place to have this discussion? I don’t see a QSB mailing list, but if there is a better place to have this discussion with the security team, please let me know.