I recently learned of Spectrum OS from this tweet:
a NixOS distribution focused around security through compartmentalisation in the style of Qubes OS, but with the diversity of hardware support and ease of maintenance afforded by the Linux kernel and Nix.
On the motivation page, there’s a discussion of Qubes:
Existing implementations of security by compartmentalization
Qubes OS is a distribution of the Xen hypervisor that isolates IO and user applications inside their own dedicated virtual machines. Many people interested in secure computing are aware of Qubes, however they are often hampered by usability issues:
Hardware compatibility is extremely limited. People often have to buy a new computer just to use Qubes, and even then it can be a struggle to set up.
People are reluctant to use Xen on their computer for power management etc. reasons.
VMs are heavy, and there is no isolation between applications in the same domain (VM).
GUI applications are buggy, command line tools are mostly undocumented.
Maintaining many different TemplateVMs with persistent state is difficult. (Qubes can use Salt to mitigate this.)
It is important to note, however, that the Qubes developers have created utilities for using compartmentalized environments that could be very useful to other implementations. For example, Qubes allows clipboard data to be safely shared between isolated environments with explicit user action on both ends, and Qubes Split GPG allows one environment to perform operations using a GPG key stored in another environment, with permission granted on a per-operation basis.
The design page goes into more detail:
I thought this might make for an interesting discussion topic, and I’m curious to hear what you all think.