On Sun, Jun 19, 2016 at 07:39:45PM -0700, Ben Wika wrote:
> Hi,
>
> Not sure what's been happening on this subject since September (maybe
> discussion has moved?) but thought I'd make a contribution. Pretty new to
> some of this so appreciate the feedback.
>
> If we install the base qubes template for Debian-8, and then do:
>
> dpkg-query -f '${binary:Package} ' -W >> ~/inst
>
> (refer https://wiki.debian.org/ListInstalledPackages )
>
> Then we end up with a file in the home directory that lists all installed
> packages.
> I can use "apt-mark auto" against all these items to clear out the list,
> but before doing the autoremove, there's obviously some that have to
> remain.
>
> To not 'break' the template completely, I'm finding that qubes-gui-agent is
> the only one that needs to be set to manual.
> But for good measure I follow it up with the following apps which I know
> I'll be leaving in the minimal template:
> sudo apt-get install firefox-esr lxterminal leafpad xfe
>
> Finally we do the autoremove step and end up saving about 100MB. Not alot,
> but I'm more focused on simply reducing the attack surface.
>
> Having done this, all seems to work fine but I imagine some features are
> missing behind the scenes (particularly qubes features).
> So I appreciate any further recommendations or suggestions as to why debian
> minimal has to be any more complicated than what I've stated.
>
> Regards
> Ben
>
>
> On Thursday, 24 September 2015 07:15:42 UTC+10, Jason M wrote:
> >
> > On 22 September 2015 at 21:19, Unman <un...@thirdeyesecurity.org
> > <javascript:>> wrote:
> >
> >> On Tue, Sep 22, 2015 at 07:37:37PM +0000, Axon wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA512
> >> >
> >> > V??t ??est??k:
> >> > > I have created something like "minimal" Debian TemplateVM by
> >> > > removing (almost) all needless things. I can share the list of
> >> > > packages (e.g. output of apt-mark showmanual) if someone is
> >> > > interested.
> >> > >
> >> > > The sparse root.img has just 1.2GiB. OK, I admit it is not as
> >> > > minimal as Fedora.
> >> > >
> >> >
> >> > To be fair, fedora-21-minimal is actually larger than that after doing
> >> > a normal yum update (without installing any new packages), and of
> >> > course it's almost always a good idea to update the software before
> >> > using the template for anything important.
> >> >
> >> > > Regards, V??t ??est??k 'v6ak'
> >> > >
> >> > > On Thursday, August 27, 2015 at 7:19:36 AM UTC+2, cprise wrote:
> >> > >>
> >> > >> On 08/26/2015 08:38 PM, nrgaway wrote:
> >> > >>> On 26 August 2015 at 16:04, Marek Marczykowski-G??recki
> >> > >>> <marm...@invisiblethingslab.com <javascript:>
> >> > >>> <mailto:marm...@invisiblethingslab.com <javascript:>>> wrote:
> >> > >>>
> >> > >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >> > >>>
> >> > >>> On Wed, Aug 26, 2015 at 05:50:41PM +0000, Qubed One wrote:
> >> > >>>> Hi, just curious if anyone has any plans for a
> >> > >>>> Debian-minimal
> >> > >>>>
> >> > >>> template
> >> > >>>> for Qubes R3 (ITL or community-maintained)?
> >> > >>>
> >> > >>> Jason, does the minimal template flavor (which exists in
> >> > >> configuration)
> >> > >>> is usable in the current state? Could you provide short
> >> > >>> description
> >> > >> what
> >> > >>> functionality is there (like working as NetVM etc) and what
> >> > >>> requires additional packages. Something like the same for
> >> > >>> Fedora minimal:
> >> > >>> http://www.qubes-os.org/doc/Templates/FedoraMinimal/
> >> > >>>
> >> > >>> Then I could simply build and upload the package.
> >> > >>>
> >> > >>>
> >> > >>> I will document this for you. I do not use minimal template
> >> > >>> since it's not that much smaller than the regular one so I
> >> > >>> will need to test it all out again.
> >> > >>>
> >> > >>> --
> >> > >>
> >> > >> Then it would be good to make the Debian template selections
> >> > >> similar to Fedora, with the supplied 'regular' Debian template
> >> > >> having desktop features and apps. This would allow a user
> >> > >> preferring Debian over Fedora to use their system as a desktop
> >> > >> immediately instead of going through manual steps.
> >> > >>
> >> > >>
> >> > >>
> >> > >
> >> >
> >> > -----BEGIN PGP SIGNATURE-----
> >> >
> >> > iQIcBAEBCgAGBQJWAa3+AAoJEJh4Btx1RPV8OGMQAOb/QipOtiPaBLpccTZaZsr5
> >> > yxfYrwjfFzpkLNhNU8ta0ClWl9MkoLp/tgUiAEfTC8c/DxA65UXGakKvmZrY4bfZ
> >> > WiEuL1Y5lGcJraABrdC+ehTl7Fd/jRufnuyQE5d9UWleu5VBHfvGvBKMn6wwZmwN
> >> > kXT1nfh5+SKHb3QaFMXz8l4pkLbQSy52TfscvgYPapDWuoM6JoQwOwQbtkdPOmxh
> >> > m1sLgj7I8zq7yT6OEgS5+gJO1qrtbfFNafaEuyaYeWep1zoMRLYhgr2HSWWCeCEi
> >> > 5bkKoWoIqvZVjMvhzM7vM2PMiPFHzQ4xvOtHY0v0+j2QZjhuhA9LvcjUZMDAH8rY
> >> > i+ZONMjxqWGrd4VH3kQsqb8YESl1reQXIlMgro4KTr5y3Y2lvNbsPjdNiiyWLgpZ
> >> > 1JM6aa4uCMLTviNiSFz++i2o40uPJXRwjOcB8hE8Kz/g17W+IpP6QEDbYUdJwG8U
> >> > 1lyBnSF/ShARCthbJSzgoXvmZbZ0DuNE1j3MK/NSuE3QXIgnTrUqtJM8IfcfaPX+
> >> > 4jF7cNdtDJcq4gn25rGVUR3jMTfFqX/n3dtNnjcIX4d/VG799rvj8n71ghxEamDQ
> >> > iavGE3q3JaH1Hq+9P4koKJhoR/8wefMFkZnwTacg44ZpiVzxj7XvhTQg0kIVbkFy
> >> > DudC0rAk6dy5lUdAoyWI
> >> > =wiQV
> >> > -----END PGP SIGNATURE-----
> >> >
> >> There's already a debian minimal spec which is easy to build.
> >> I use it for most VMs - it is perfectly usable as is.
> >> Jason - are you doing that write up or do you want me to pick it up?
> >>
> >
> > I am currently finishing up on a salt management project which is due to
> > be complete by end of month. If you have time to do that before then, that
> > would be great, otherwise I will be able to complete it at that point :)
> >
> >
Hi Ben,
There's already a minimal template which you can build - it would be
somewhat smaller than you've got to, although you haven't said what your
final size is.
I use a debian mini for most of the system qubes, including tor and usb.
A slightly larger one for sys-net. My guess is that most people
wont want the hassle of configuring and installing packages required
so using a default template is probably best for most users sys-net.
Look back over the thread and compare what you have against the minimal
package list.
I think there should be an official debian minimal template but it's just
got lost along the way, I think.
cheers
unman
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20160621000648.GB3681%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
