I’m about to update some of my Template Qubes from Debian 12 to 13. This is my first time upgrading Qubes from one major release to the next - I think I have it figured out, but wanted to confirm because frankly this feels super easy! I also have a kind of “Best practices” question. Onto them:
From what I can tell from reading the documentation for updating Debian Qubes (Debian templates — Qubes OS Documentation), all I have to do is install a Debian 13 Template, install all of the apps I currently have installed on my Debian 12 Template on the 13 Template, and then set all of the App Qubes that currently use the 12 Template to the 13 Template…And that’s it? It’s really that easy?
Given the isolation between Template & App Qubes, is there really any practical reason not to install all of the applications I want to use across various App Qubes in the same Template Qube? For example, If I want App Qube 1 to use applications A/B/C, and App Qube 2 to use applications D/E/F, and I want to keep activities in App Qubes 1 & 2 isolated from each other - installing applications A/B/C/D/E/F in the same or separate Template Qubes won’t make what I do in the App Qubes more or less isolated, correct?
I’m fairly certain the answers are that yeah, updating is that easy, and no, separate Template qubes for app qubes isn’t necessary, but I’ve been away for a minute & would greatly appreciate some confirmation!
You seem to be scared about a potential bug in the process in that case you can also clone the debian-12 template as backup before starting your journey and in everthing is okay after that delete the backup
In my opnion it depends on your hardware and what kind of app. Do your pc can handle multiples vm open in the same time easily ? The app you want to mix in the same templates how much do you trust those apps in term of security and privacy? 2 years ago a random maintainer was pushing a backdoor across software update The XZ Utils Backdoor in Linux: How it Happened if your hardware can do not mix your app in the same template just put 1 or 2.
Example of my own setup : I consider every browsers apps dangerous in term of security so i have 1 template per browser and there is nothing else than that in the template.
If you have the space and it doesn’t cause confusion, you might as well use multiple templates. It can only help, even if marginally.
For browsers or specific apps, I have them only installed in dedicated templates. But I also have “heavy” templates that have lots of packages installed.
I find it helpful for organization.
