What is the ideal custom Qubes template?

I haven’t noticed many people talk about what should be installed in a template VM for actual real-world usage cases.

Assuming that we apply our Linux recommendations to Qubes, pretty much everything would become compartmentalized in Whonix or Fedora VMs. However, that is not outright stated by us, so we technically do not have an opinion on custom templates.

Has anyone here tried creating their own custom template beyond what is originally provided? Would you recommend it for beginning users?

out of curiosity, yes.

no. additionally: for what use case?

qubes templates aren't limited to debian (minimal), fedora (minimal) and whonix:

  • gentoo-minimal
  • kali-core
  • kicksecure
  • centos
  • arch linux
  • openbsd
  • various ubuntu templates

debian, fedora and whonix are already more than enough. obviously there are specific use cases where you may want to use another template, but such cases are rare and typically do not stem from the need for better security.

edit: i think i heavily misunderstood something. i am not sure, but after reading it again i think the question is in regards to installing software in templates itself. if so, then yes: i think it would be a good idea to mention the existence of minimal debian & fedora templates and to explain how and what to install there.
i set up all my qubes in minimal templates using saltstack.

I don’t mean only distros.

It could also mean VMs with purposes beyond the default profiles (untrusted, work, personal, anon, etc.).

Basically, something along the lines of both (so a combination of software and distro for a specific usage case).

Of course, anyone can install whatever distribution they want for their VM, but expanding upon a minimal template has not been discussed enough. Customizing a Whonix template is probably a BAD idea, but creating an immutable SecureBlue template does have potential if done properly. Whether any of this would actually be useful in the real world is another question though.

I do not have the time to test these different setups myself, but I bet there are a few beginner users fumbling about with their own setups.

agree. minimal templates are underrated

i see the potential for it, and i would love to try it! while secureblue is of course more secure than fedora, i don't think that secureblue is more secure than minimal templates.

  • My Browser: minimal template with browser installed, no other packages, disposable
  • Password manager: minimal template with keepassxc, no other packages, not even network-related packages
  • Note taking: vim-minimal and xterm, literally no other packages

secureblue increases security if you have all your things inside one qube (which would be somewhat against the idea of qubes) but minimal templates + compartmentalization is way superior to secureblue (even with correct compartmentalization).

Secureblue relies on Wayland, which Qubes OS does not support, so using secureblue would require a less secure HVM.

PrivSec features a script that trims down Fedora GNOME templates: