Ready to use qubes with third party software

Those who do not have time to develop their own sets of Qubes with third party software. Newcomers. Non-technical people such as Businessmen, Journalists.

I also want to avoid the contradiction of telling newcomers, Not to open a Template to the internet. But some things they will need right away. Having some additional, alternate, third party software already installed is easier on newcomer.

For all the Qubes offered as extra downloads, the Key needed to verify authenticity it would be preferred if, If that Key already be pre-installed in the standard Qubes.
No contradiction about not putting anything into dom0. Or complexity about how to.

Extra Qubes should be click - click to download, and install.

We could offer, easy to download and install, some Qubes. My thought being, not by using SALT to create them, which I suspect will quickly lead us to long threads of forum entries about how something has changed in a repository somewhere, upgraded version of software. If it leads to much of any question of how to get something to work, then something about the download of these additional alternate qubes is not what I envisioned. One download, click to install. Ready to Use is what I envision.

Yes, I realize, I am requiring large amounts of downloads in exchange for simple install. Some users might not be in a good situation to download large amounts. For them a fork of the original download of their first version of Qubes would be

Some suggested, off the top of my head, alternate, extra Qubes.

First thing the newcomer to Qubes needs is a functional sys-net with VPN already inside.

Restrictions: For all the great reasons to implement the VPN into a sys-net with debian.—No… The Wireless Adapter in some computers might not work with Debian, which a newcomer likely does not have the time or perhaps the expertise to fix. Fedora version first.

Which VPNs? I see a lot of VPN’s which I personally would not use; Because of their previous history. How it is known they are written. Who owns them.

I hope someone can provide at least four of the possible, VPN providers. I don’t like that it appears that the standard for Wireguard is to do one wireguard address per one sys-net Qube. Any one offer a -Secure- alternative?

Put in a note about one can use Whonix, Tor, in needed circumstances to download the alternate sys-net with VPN already in it. Gee, I see a lot of questions on the forum about why Whonix does not seem to want to download updates.

Alternate Vault with password manager, Librem Office.

Offline Qube, like spinoff of Personal Template. already installed:
Files. Librem Office. calculator. calendar. data for this one should be set to persist. Is that a Stand Alone.

Online Qube, with Mullvad Browser, System Monitor (so I can see if the internet is flowing), Text. I guess this is a temporary Qube. Could be used in place of the one now that uses open Firefox, with Google connections.

Perhaps a similar online Qubes with another more trusted browser, already installed. Suggestions?

Split gpg. Unman has several very interesting Qubes, but for my hope, they should be easily downloadable, easily installable. Minimum effort for a first time user.

Qube with Ubuntu already installed, The Software to accomplish, “I talk it Types” After the correct language is installed. Keep this offline. Must retain data, like long written documents.

A Qube that allows for the use of one of the more secure, alternatives to Zoom. Like the rest, already installed. Only need login credentials.

Yeah. Doing that is a lot of work. Needs Server Space, somewhere. Needs trusted people to accomplish it. If a very technically competent person comes along and offers to help. If the that individual is not well known as to what their intentions are. Ask them to audit what on the site is being offered to download. Audit is important work that needs a competent person.

Presenting alternate, extra Qubes, easy to download/install, with third party software already installed is not less secure than encouraging new users to do, these kinds of Qube building (with third party software), for themselves.

I’m sorry, I may have misunderstood the point, but I don’t see a correlation between your long message and the title about getting more donations for Qubes OS development

I thought about that point when I wrote it.

You bring up, Precisely the point. If Qubes is not usable to more average folks. The only users is a bunch of fan boys.

No one who works with Qubes gets the need to make it more easily usable to obtain more financial support.

Developers have made a good decision to stop their efforts before implementing actual third party software. To implement some of the third party software increases complexity, security risks, instability. And would require a huge multiplication in effort to get it to work.

Developers have stitched together several working software systems. Xen to allow several operating systems to run securely on the same computer.

To pick up using Qubes, not just the basic Qubes as it comes on the initial install. requires either lots of effort, or to have, I guess, the equivalent of three years of multiple Computer Science classes with an emphasize on Linux.

Once someone actually experiences using Qubes (or should I say, trying to use Qubes) they realize all the security holes offered in the normal Operating System, and would not want to go back to just one Operating System.

Perhaps this topic, of alternative ready to install Qubes needs its own forum, as it is, as Sven says, noise. But this is what is needed.

If I were a non-technical person, who wanted to provide Human Rights information, living in a place where the internet is controlled by authoritarian powers. If It is not easy to use, it becomes a greater security hazard to try to use the current iso.

and yes, I still feel the folks who are likely to donate money are business people who have to travel while doing their corporate business.

Other donations may come from groups, who support blog journalism.

It comes back to creating a version of Qubes that is usable to the computer inexperienced is the direction to go.

Look at the length of the thread that come up trying to establish a VPN, with only one login wireguard node. Something that in Windows (barf) would directly accomplish (false security).

moderation note

@catacombs your post is about something Qubes OS specific and consequently off-topic in “All Around Qubes”. I’ve moved it to “General Discussion” and also adjusted the subject line to avoid confusion.

@solene I think @catacombs is looking for funding to develop actual qubes with third party software as a separate community project.

It’s an idea worth discussing but it needs to be formulated clearer. I see many potential pitfalls here (trust, configurations, support) that need to be discussed.


oh, like an “App store” of ready to use qubes / templates?

While an App store is an idea.

I felt all the money should go to Qubes Development.

Unless Qubes becomes more easy to use. Then the Qubes OS will not have the large amount of use. Expand the user base. Allowing some of the user base to be those who use their computer to be part of how they earn a living.

Creating fully usable, downloadable Qubes, I thought would be a volunteer project. Except. Someone would need to provide the Server space.

An App Store, as in people paying in money for this that or the other, already fully implemented, download Qube for use. Is this not against the Free Software which Qubes and much of Linux is based. But, While I can not afford much money.

It is a thought.

IMO this is more something that a specific vendor, e.g. of a Qubes-certified laptop, could offer. Qubes certification ensures compatibility already, so all the vendor would have to do is make sure that he sells the laptop in an (optionally, perhaps for a fee) pre-configured state with some extras. Seems like it solves many problems simultaneously, that is if vendors feel like expending the effort to do this makes financial sense (leads to more sales). This helps Qubes development as well, since every purchase of a certified machine will include kick backs for the Qubes team.

There are other models as well, of course, e.g. Nitrokey’s NV41 comes with only some basic pre-configuration (mostly outside Qubes, e.g. Heads), but they offer “expert Qubes lessons” or something like that for an hourly fee. That option is, of course, not mutually exclusive with doing other stuff, such as the first option I mentioned.

On the Qubes side of things the main effort is making better widgets and GUI tools as well as the tutorial framework that is supposed to come at some point.

Ultimately the problems are compatibility and maintenance as well as the effort of creating some new qube in the first place…who will do it? If this is supposed to happen “for free”, then “feel free” to volunteer or contribute on Github, the forum, etc., but if it’s supposed to be more stable, with more competent and dedicated dev time involved then financial incentives are probably a good idea.

I am not the technological competent person to do such, if that was your question. and I am not known by those who develop Qubes. For all they know, my day job could be at the NSA. (???)

I tried to be vague in the suggestions of what Extra Qubes, what the third party programs should be inserted to allow for other, more expert users to make those decisions. That is first time, initial decisions to be made by someone other than me.

I was thinking donations would be a natural occurring increase with greater use of Qubes. In particular, those individuals who need real security as part of their employment. Likely flowing to Invisible Things, Qubes Development. Not another group.

I am aware that some of the issues, problems with how easy it is to install third party software will get much better by the 4.2 Final issue of Qubes, (as noted elsewhere in the forum, it has something to do with the Gnome installer).

I also am aware, that any use of third party software dramatically increases the Security Risks to the user.
Is security worse to download an extra Qube(s) from a website, rather then my trying to build it on my own.

I do not own, what some might call a Sterile Computer to create these extra Qubes on. but I guess that is one of the details Sven is referring to.

Might be useful if someone who has a better grasp for the specifics needed, how to phrase details, could rewrite my first post.

Apologies @solene it appears your initial take was correct. I changed the subject once more removing the donations part and making it more clear what the thread is about. Essentially it would be a parallel / alternative effort to the Salt-based approach that’s under development by @unman.

1 Like

Existing topic that’s relevant to this discussion:

It’s less about providing such templates, it’s more about complaining (pardon me, expected support) for all kinds of banal things related to Microsoft-level skilled users we can see on their support forums and reddit.


“for all kinds of banal things related to Microsoft-level skilled users we can see on their support forums and reddit.”

I feel you have accurately and succinctly put your finger on a major part of the problem. Although I would not have couched it in those terms.

Someone else once said that BSD, while a highly secure operating system, was composed of maybe 200 people, who were fanboys. I assume he meant they did not want to help their operating system proliferate. Attitude, straight out of Debian.

As you seem to understand the problem. What is your projected solution?

Hm… In shortest: hiring project management and information security (not IT security) specialists.

21 posts were split to a new topic: “unhackable”

Before the detour off in to a completely fruitless discussion, there
was a germ of an interesting thought here.

The server space is trivial.
The difficult part is determining what these “fully usable,
downloadable Qubes” should do.
I dont see (yet) any contribution on that.

This is the same problem that @catacombs has had in previous posts re
journalists and aid workers - they have no idea what sort of Qubes would
be useful in those contexts.

Any one who supports Qubes installations will already have configured
qubes that can be installed on new systems.

I should probably drink some coffee before writing this, but my heart doctor would not approve. So please feel free and fill in the blanks.

When I was running my mouth off before on the subject, I received some emails from Human Rights people. They spoke very highly of you, unman, Deeplow, and Insurgo (and the rest of the Heads development group.) There are a whole lot of other names which might be mentioned gratefully by Human Rights advocates. There was an individual who has been working on this, whose list name I forgot, I think most of that individuals work is on github.

When I posted before, I was both feeling my way, and wanted to not limit the discussion to my ideas. One of the issue is the one which those who talk about what third party software should be in which Qube, is how much information should be retained in that Qube. The programs, the ability to update, the ability to keep those updates.

Eventually, I wanted to adopt the a similar approach to that advocated by a Human Rights worker. Who wrote an article

He was advocating for beginners, to mostly use one Qube like it was a usual operating system. I think someone wrote a derivation install of Qubes that was likewise limited to just getting started mostly with one Qube.

The first Qubes, I have already described; Several easy to download and install, sys-net VPN. Which I think a newcomer needs immediately, before becoming knowledgeable in how to create such on his own. As little newcomer interaction needed as possible is the goal. But let us leave behind the idea, first we do the things the documentation tells the newcomer not to do. Open a Template to the Net. Modify dom0. If SALT can accomplish this without violating the security, Do not open a Template to the web. Do not modify dom0. I would prefer, do not use Terminal (FYI, I started with computers when their was no mouse. Text commands only.) Plus, Not a lot of extra reading documentation.

Next choice would be to create a Qube, (two versions, one is a stand alone, and a disp that reads from the stand alone.) with a lot of typical Operating System things. Browser. A browser already modified to use one of the better search engines. If Firefox, a lot of privacy, security addons already installed. Perhaps a wide open Browser, like Chromium. Calendar. Calculator. I want this Qube to be open to the internet. Here, in the disp of this, the individual gets information from the internet. Saves it to a directory. The goal being to prevent information from different work areas (projects) from able to interact with each other. New User should restart the disp of this Qube for each project. In some ways it needs to retain which programs are installed, and which settings are made for those.

EDIT: I was thinking this could be a “Stand Alone Qube,” Points back to standard Fedora xx Template. With another disp pointing back to the Stand Alone. But I am not technically knowledgeable enough to recognize the security nuances of this kind of arrangement.

Then that directory. it to another Qube, which is not open to the internet, with a lot of those things, plus Office software to read things. Without the risk of some kind of string, a link to out on the internet, being started. yes, there are times when it seems necessary to allow, an article to open a link to somewhere on the net. ??? Mostly this Qube stays open, to the user, never the internet. As information flows into, possibly decrypted/encrypted here, offline, and out of- a directory copied to back to a Qube, which is open to the internet. EDIT: Riffing here, this would be like a standalone pointing back at another standalone, not a Template. The Second Stand Alone (which is sometimes opened to the internet) , the second stand alone - which is pointing back at Fedora xx Template.

I feel sure someone will now point out: Hey you should use the Split Qubes to accomplish that separation. Is it intuitive for a newcomer to do that? I can’t say.??? I might worry that the split Qubes might require a lot of reading to use correctly. Split Qube might have -surprise- a security hole. I think those who have written the Split Qubes. Split pgp, and such will not have left a hole. Plus some software, like verifying gpg Keys from internet servers is obviously meant to be interactive. What I have suggested covers a lot of early-configuration issues (for a newcomer - not perfect - just better than nothing.) Is meant to eliminate all the times when some web page tries to install something when I go to a web page, whether I click on something or not.

In my case, I put my Passwords in the Password manager in Vault. I copy and paste Passwords out, to the Qube on the internet, as needed. My point being, it is obvious how it works. The separation, the security of a Qube to hold Passwords. Then used, as needed, temporarily, and the Qube where I used the password is shut down. Oh yes, now I am suggesting a Vault Qube with some things pre-installed. Which brings up the concept of these Qubes be kept in a different column that the ones provided by the original Qubes. Always be sure of what parts of the basic Qubes OS as/is provided by Developers. Sounds like a fourth column is a lot of extra trouble to keep up with.

A Qube which has all the current Qubes documentation, so a newcomer does not have to be online to read a -how to.

I would use a separate Qube(s) for doing things like video chat. Which is another Qube to download. But only a Video Chat software which is now considered somewhat safe. Also some kinds of, each in their own Qube, pre-installed Chat software. My goal being, I don’t want a newcomer to just install anything he just finds, and I am pretty sure newcomer will not spend hours reading privacy/security web pages as to what is never recommended to use.

Now I have more Qubes than I wanted to have. I guess I could have installed the Video Chat, and other quality chat programs in the main-open to the internet Qube, and the user should only do one thing at a time in such a Qube. Make starting that Qube more memory consuming. Since I almost never use Video Chat, I guess I don’t give it consideration. Wissam wrote about spending hours talking with someone who -was related to a Human Rights issue- and who was not technical.

I felt that no one would work much beyond the hypothesis phase of what to include, before 4.2 Final is out.

unman, you bring up good points. Every one feel free to pile onto criticizing my ideas. I blame my lack of coffee.

Qubes is great just the way it is, yeah there can be somethings better but that goes without saying for anything,it does take understanding to use but it also teaches you and can take you places you would have never dreamed of finding. As for 3rd party software well that can be a huge mess in and of itself, let alone all the trackers/ads/miners “bugs”.

For corporate support “hope that never happens” as we all know what comes from it.

I can advertise here the project which I am developing from March.
Qubes-Enthusiasts · GitHub . With the main tool is some sort of package manager for QubeOS.

I have different vision then OP. Till I would love to have some set of software available, I consider it’s a little bit utopia in QubeOS context , to EXPECT the same level of security. Till probably there could be some subprojects which give the same level of trust, mostly it’s not possible.

I consider myself QubeOS enthusiast. I love most QubeOS features, I like to feel “cool” but mostly I have no need for main purpose of QubeOS.

Then with optimal trade off for me it would be nice to have cool OS and to be able to use it without suffering

So I created this tool which suppose to manage complexity and give needed features easily.

  • It manages @unman packages and templates
  • installs windows easily

I hope with time I can get some trust with it and create some community around it.


I get the point that adding things to Qubes can make it less secure, add a great deal to the complexity of Qubes.

If 500 people try to take up Qubes this month, Perhaps thinking the Operating System, being said to be the most secure operating system on the internet. It is actually, potentially the most secure operating system. Op-Sec makes it more secure.

Allowing a newcomer to choose the packages they install means they can easily choose the wrong packages, and increase their security hazards. I see this group being, lets say one of three groups of potential threat levels. A Businessman, who needs to use his computer, not spend hundreds of hours of researching, trying, learning to do things which are already well known to some on this forum.

I would guess some on this forum could put together a version of the same Qubes which I have described in an evening, or a rainy afternoon. What comes with that is some other risks.

I don’t see a business person who takes up Qubes, (an already partially prepared Qubes with programs added) is going to be any company who will pay for their entire computers, Servers be converted to use Qubes. It will be a single salesperson, an executive who understands the dollar loss to his company with security hazards, and knows enough about computers to realize that others are after what he knows, what he has on his computer.

If the threat level of the person is - we say a Journalist. Actually Professional Journalists have IT departments to advise them. But if they work for an funded organization, it is like one of the major Journalistic groups that has a predetermined, slant, agenda in what they report. And there are more than one side. We have the new journalism, bloggers. Snitches on states and powerful organizations (drug cartels, big companies) who are the fresher, emerging Journalists. That are not affiliated with a single big reporting entity, like a big news paper, who do not have an trained IT department behind them, to advise them. It is someone out there all on their own. With little or no computer experience. Perhaps just an individual who is blogging on the internet after having the blood of an unarmed, un-resisting person on his shoes – warning others.

If the basic hurdle for the use of Qubes, is hundreds of hours of study. Perhaps from a country who will not approve of individuals learning how to - protect the flow of information. Then the bar is too high.

But you are right. What I am suggesting in creating a few additional add on Qubes adds complications, not necessarily more security. Perhaps avoids some security hazards.


I feel you are on the right track. I will read over your website, well when I get over the headache of my last vaccine injection.

Perhaps I should more carefully increase spacing in my idea post, and let others critique it more. I am not sure those who actually know what they are doing, (which includes a lot of those on this forum) actually don’t see extreme flaws in my approach, or don’t already have something in mind. Did you understand what I suggested?