I am trying to understand the security implications in the following scenario:
Have some template, let’s call it TemplateX. It can be minimal, xfce, Fedora/Debian, doesn’t matter.
Start TemplateX and install some new packages from the official distro in it: package1, package2. If any of these 2 packages create services, make sure they are disabled.
Shutdown TemplateX
Create 2 qubes based on TemplateX:
qube1 - it needs package1 but not package2
qube2 - it needs package2 but not package1
In qube1’s /rw/config/rc.local remove the unnecessary package2 (e.g. apt -y purge package2; apt -y --purge autoremove), thus supposedly reducing the potential attack surface which that package may introduce. And vice versa for qube2.
For the sake of preventing qubes accidentally using unnecessary packages, step 5 can be moved before step 2.
My question is:
How does that compare security-wise to the case of having 2 separate Template1 (having only package1) and Template2 (with only package2) and the respective qubes based on these two?
IOW, does installing (from the official distro), never using, then removing completely a package introduce any security risk?
If the installation script for one of the packages is compromised, then both app qubes will be compromised with your approach (since their template is).
You can however check the source code yourself and also rely on the community, so it’s unlikely.
So, is it safe to conclude that as long as we trust the distro (and its maintainers), and no services are auto-started as a result of installing packages, then installing and purging packages brings no danger and is equivalent to never having installed them?
Or is there anything else which is not so obvious but needs to be considered?
Well, even if you trust the distro, decreasing the number of installation scripts you rum in principle decreases the attack surface. But it might be a reasonable compromise to decrease the number of templates (and I will consider this, thank you for this topic).
Well, even if you trust the distro, decreasing the number of installation scripts you rum in principle decreases the attack surface.
The challenge here is trusting the whole thing while distrusting its components at the same time.
Here is a scenario:
package1 and package2 are safe, however they both depend on package3, whose installation script is compromised. This means that Template1 and Template2 are both compromised + all qubes based on them. So, separation becomes futile.
As it seems, the template separation approach makes sense, only if packages have no common dependencies. However, such packages are usually small, well verified (suckless, as it were), therefore less necessary to separate in the first place.
So, it makes sense to ask - how much do we actually decrease the attack surface?
But it might be a reasonable compromise to decrease the number of templates (and I will consider this, thank you for this topic).
I am actually working on something related to this and I hope to be able to share something practical, if it works. However, I was hoping to clarify the current subject first, as it is a cornerstone.
Just trying to speculate here without having any real technical knowledge.
Imagine someone wanted to incorporate a piece of malicious code into some package of Fedora (I don’t discuss here how it’s done). If they do it for every package, it will be very likely revealed quickly. If it involves some important package on which many others depend, then also I expect many people are checking it regularly, and it’s gonna be found more or less quickly.
So in my understanding, it’s more likely to expect malicious code in a smaller, less popular package. Hence for every single package which you don’t install, you decrease your chance of being compromised.
I understand that, it’s a generic speculation and it is logical. My question though is in the context of the described specific scenario.
The rest of your reply is also interesting and worth discussing, but since it is a huge other topic, it deserves its own thread rather than be buried here. If you decide to open one, please feel free to tag me, so we can talk further.