Hi everyone, I’m a new Qubes user(hopefully) and will appreciate if you could assist me with some technical and non-technical questions I have.
Non-technical:
So in here: Qubes Partners | Qubes OS it says “(none)” sometimes as a source of contribution, does it mean the contribution is done from individual, anonymous source or what exactly does it mean?
Does the core team are volunteers or full-time employees?
How many active users there is who use Qubes as their main? Is there any data on this?
Technical ones:
I’m a bit unsure what kind of software I should be ok with installing within the dom0. From one side I do realize I increase the attack surface with each line of code from the outside, but in the same time, you guys say it’s ok to install something like KDE as DE inside the dom0.
Can I install something like htop(any other soft alike)? If not, what the alternative(not for htop, but in general), if I can’t run it within template/appvm?
Do I need to disable networking for my sys-usb?
Do I need to create separate templates for each service and app or to use one template for many? Because I’ve read here on forum both sides and I don’t really know what approach is more appropriate from perspective of Qubes’ team / official position.
How do I disable updates for specific packages within the dom0?
How do I disable root in AppVMs, but keep it in its TemplateVM?
What you install or not in dom0 really depends on your threat model (what you want to protect, from whom, what are the consequences of you fail / how much convenience you’re willing to sacrifice towards that goal).
Could you elaborate on why you couldn’t run hotp for example in a vault VM (that is an appVM that has no network access)?
This too depends heavily on your treat model. (Hint: “more appropriate” to whom, in what circumstances?)
For that reason, you’ll find people on the forum looking for help to set up their own machines in a variety of ways. Granted, the discussion about each person’s threat model is not often explicitely included in the advice folks give them… and many answers really sound much more authoritative than they should.
The Qubes OS team and other folks like me can help you understand the trade-offs involved with different approaches, but you are ultimately the only one who can decide what the right balance is between setting up a system that offers you the right theoretical protections, and a system that you understand well enough not to make mistakes when using it that void those protections in the first place.
In other terms: there can’t really be such a things as a “more appropriate” setup in general. Now, when it comes to your particular needs, I read your longing for an “official position” as a matter of trust. I hear you trust the Qubes OS team to make recommendations for you, they may well be able to do that. @adw regularly reminds that besides Qubes OS development, Invisible Things Lab (ITL, the company where many Qubes OS developers work) has consultancy offerings.
Can you elaborate why you need some software in dom0? Normally, you do not run anything there, you only use it to manage VMs. See also: How to install software in dom0 | Qubes OS
Unless you have a USB network card, yes.
It depends on which level of compartmentalization you need. I wouldn’t start from that, it takes a lot of effort to manage many VMs.
Hi @marlionso! If you could next time, please consider opening these questions in separate threads. At most you can group some together (questions about team / vonunteers of Qubes OS).
The reason for this is because then you can have a more explicit title (instead of “some questions…”), which makes it both more visible (increases participation) and more findable (for those with similar questions).