Am 17.03.2017 um 01:19 schrieb Franz: > > > On Thu, Mar 16, 2017 at 6:01 AM, evo <evolut...@aliaks.de > <mailto:evolut...@aliaks.de>> wrote: > > > > Am 15.03.2017 um 23:45 schrieb Andrew David Wong: > > On 2017-03-15 01:14, evo wrote: > >> Am 15.03.2017 um 01:17 schrieb Unman: > >>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote: > >>>> On 03/14/2017 01:55 PM, evo wrote: > >>>>> hmm.. this is also a good point, thanks! so if i do not use > >>>>> openoffice in my bankingVM, there is no practical > >>>>> vulnerability in it. > >>>>> > >>>> > >>>> Yes and no. Off the top of my head, there are two things to be > >>>> concerned about with the (regular, distro) software you > >>>> install: > >>>> > >>>> 1. Does it cause an additional service to start accepting > >>>> connections? > >>>> > >>>> 2. Does it have a MIMEtype or similar mapping, so that clicking > >>>> on a mislabeled file could cause it to open in an > >>>> unwanted/risky app. Unfortunately, nautilus doesn't seem to > >>>> have a setting for always asking before starting an app. But > >>>> at least it defaults to double-click instead of single-click. > >>>> > >>> > >>> 3. Installing some programs, like libre/openoffice, brings with > >>> it numerous libraries and attendant programs which may widen the > >>> attack surface of your qube considerably. > >>> > > > >> so its better to have such VMs as banking or email in > >> standalone-mode. > > > > No, that doesn't follow. See my previous message about having multiple > > TemplateVMs. > > > >> The thing is... as i understood, stanalone-machines (if they are > >> not HVM) have all software from the template they use. So the only > >> way is, to install new iso on HVM, isn't it? > > > > > > This doesn't follow either. StandaloneVMs and HVMs are completely > > independent of one another. It's possible that there is terminological > > confusion here. Please consult the glossary: > > > > https://www.qubes-os.org/doc/glossary/ > <https://www.qubes-os.org/doc/glossary/> > > > >> in that case, i don't really understand the sense of standalone > >> AppVMs. > > > > > > StandaloneVMs can be useful for many different things, but not every > > user will have a need for them. For example, if you have a piece of > > software that installs parts of itself in both the root fs and > user dirs > > (and you don't want to work around this with bind-dirs), and you need > > the software in only one VM, then a StandaloneVM is probably a perfect > > solution. > > > > > > Evo, let me oversimplify it > > so is it better to have more template-VMs? > > > yes > > But why not standalone as a copy of the existing template-VM? > > > you do not need standalone VMs. StandaloneVMs are only for special > cases/software, but since you do not mention any special case forget > them as well as HVMs. > > > After that i can delete all software i dont need on it and have rather > clean VM with just the software i need. > > > you can do the same with templates > > > the other thing is, on standalone-vm i can see existing updates just in > time... VM that works on general template dont show updates, for this > case i must start the template vm. So if i do not start template for a > long time, i will have insecure appvms. Or do i understand something > wrong? > > > Evo, just start the templates every time Qubes-manager show than an > update is available, with the green downward arrow, that is every few > days. Then reboot your computer. Updating only a couple of templates > you'll automatically update and somehow clean all of yours VMs, that in > my case are 38. You'll probably have only a few of them, but with time > you'll learn how convenient it is to create template depending light VMs > for special purposes. But imagine having a lot of standaloneVMs each one > needing an independent update. > best > Fran >
hmmm, ok you won :) i just thought, its crude to create 3 different template-VMs for vault, e-mail and banking. after using Qubes for some time, i understand the possibility to have 38 VMs so the appVM (based on template) will show me also the green arrow of update? i thought, it is just visible, if you start the template-VM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5afe8005-5f22-c28e-d56e-6abd5667153b%40aliaks.de. For more options, visit https://groups.google.com/d/optout.
