The following article is helpful to organize QubesOS VMs into different security domains:
But what isn’t mentioned is the template that is recommended for each domain. For example,
which domain is recommended for the vault VM (Fedora, Debian, or Whonix-ws)?
I don’t think that templates matter in this article or in practice: with default templates everything is working.
Please update your title to something more precise.
If the distro choice doesn’t matter, why are there three different Linux distros available as default templates?
And on a side note, are there Saltstack formulas available for some of these VMs?
It matters for the user: which software you prefer, etcetera. But it doesn’t matter when partitioning one’s digital life. So which template I use for which VM is a very personal choice; if you have questions about a concrete situation, feel free to ask.
Actually, it allows one to compartmentalize more: by having different distributions responsible for different domains, you, in theory, decrease the chance that a single bug/malicious code in one distribution ruins all your domains.
I guess the idea is to have a diverse set of Linux distros so that a vuln in one doesn’t compromise
every VM based on that distro. But Whonix is basically Kicksecure which is basically Debian.
So it’s basically Fedora and Debian. They could actually benefit from having a more diverse set of
default templates like Void/Alpine or even TailsOS. There should also be a feature to change the
dom0 VM kernel source.