Why do we install in templates? or, why do we trust packages?

We are told (e.g. in How to install software | Qubes OS) to install software, even from untrustworthy vendors like Facebook/Microsoft, in templates.

How does this help? I think there is an implicit assumption here that no installer would ever misbehave and write over other apps’ binaries, or install spyware.
Is that a necessary level of trust, or do we really need to maintain separate templates for Vault versus wherever we install untrusted software?

I use separate templates for 3rd party installs. My initial default is to attempt an install in the AppVM and if it doesn’t work, I resort to the templateVM.

Yes, some use separate minimal templates by purpose, like vault, web, net or vpn templates.

I use snap and flatpak to install software to only one qube.

Actually, there is an explicit assumption that installers may misbehave.
Qubes chooses to trust official packages from Fedora and Debian.
Qubes users choose to trust official packages from Qubes.

As for the rest, as it says in the docs -

The user should decide by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default template, and potentially consider installing them into a separate template or a standalone VM

I strongly recommend using minimal based templates for the Vault, gpg and ssh-agent qubes, as well as high security qubes.

@Narvey:

do we really need to maintain separate templates for Vault versus wherever we install untrusted software?

While having several templates is certainly something I do, you do not have to necessarily. You need to ask yourself what you are trying to protect against.

  1. if your vault is always offline (really should be)
  2. and you assume that malware cannot escape the virtualization (otherwise: why use Qubes OS?)
  3. and you do regular backups (you absolutely have to)

You might decide that one template for everything works. It’s the default after the initial install to not overload new users with too many decisions.

However, over time, as your understanding of Qubes OS and Linux grows, you might find comfort in “minimal” templates customized for specific tasks/qubes. This greatly reduces the attack surface AND prevents you from accidentally opening files in programs when you did not intend to (what’s not installed, cannot run).

This is addressed in the documentation:

https://www.qubes-os.org/doc/templates/#trusting-your-templates

I think that answers all my questions. Can we link to that on the installation page? It really affects the install process.

Sure. Where on the page would you like to see it?