Excellent write-up!
Though, it’s a pity that a great ambassador of OpenBSD has stopped using it.
Welcome to the dark side! Although I am curious how long you will stay with Qubes OS… I have the feeling it’s overkill for non-Snowden use cases. Also, it would be interesting to know why you went from OpenBSD directly to Linux and didn’t take FreeBSD into consideration. Or, if you tried it, what made you decide to go for Linux instead?
As someone who does a lot of infrastructure work on AWS, Azure, GCP etc, it’s just about the only operating system I’ll use at this point for that kind of work. The isolation I get per-client and per-environment is unmatched. There’s a little more upfront work to get everything the way you like (putting ZSH configs on /etc/skel of your templates for example) but once it’s set up it’s really solid. Having the windows named and color coded really helps me keep from crossing wires when stuff gets chaotic and I’m jumping around a lot.
It’s obviously MUCH worse at certain things such as CAD, but they’re still workable in it. HVMs can remedy this pretty easily, but unfortunately it’s not quite as seamless as the standard Qubes. It’s progressed a LOT in a short amount of time, though, so we’ll see what the future holds!
So what about FreeBSD? And did you read up on Flatpak having security issues because the containerization is supposedly not sufficient?
I switched off of BSD about a decade ago so I can’t weigh in on its current state at all. I generally avoid Flatpaks, at least in Qubes. I do have a template that supports it, but it’s only running on my Music VM currently, which is offlined; the rest follow the traditional template+AppVM approach, which I keep updated on a schedule.
I have never operated under the assumption that Flatpaks are sandboxed or secure because they really aren’t. It’s a system to bundle packages with your software without contaminating the host environment. The big issue really is in the package maintainers shipping outdated packages. Containers were never a security measure in my eyes due to the shared kernel, and especially not with the default share of the homedir for Flatpaks. If you need that kind of isolation you really need a VM. I treat them as a standard install personally, without any expectations of isolation, and really with Silverblue I’m leaning more towards installing apps directly in Distrobox and exporting them to the host. It still has the shared homedir issue, but you’re getting up-to-date packages in a desired environment that you fully control (this is both good and bad since maintenance is on you).
I think it’s a good idea if there were stricter requirements, maybe vulnerability scanning as a requirement to releasing and pulling stale flatpaks after a period of no releases to start. It’s difficult to appease everyone in this situation and breaking changes would be inevitable so it is difficult to fully solve now that it already exists as it does. I do think supply chain attacks will only get more common though so they definitely need work.
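The home-directory sharing discussed in the comment above can be checked per application. As an added example that is not part of the thread, this Python sketch parses a Flatpak `metadata` keyfile and reports filesystem grants that expose the home directory or the host; the sample metadata and app names are constructed.

```python
import configparser

# Grants that expose the whole home directory or host filesystem to the app.
BROAD = {"home", "host", "host-os", "host-etc"}

def filesystem_grants(metadata_text):
    """Return (app name, [(path, mode), ...]) from a Flatpak metadata keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(metadata_text)
    name = cp.get("Application", "name", fallback="(unknown)")
    raw = cp.get("Context", "filesystems", fallback="")
    grants = []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        if entry.startswith("!"):  # negated entry revokes access
            continue
        path, _, mode = entry.partition(":")
        grants.append((path, mode or "rw"))  # no suffix means read-write
    return name, grants

def broad_grants(metadata_text):
    """Only the grants that defeat file-level isolation from the user's data."""
    name, grants = filesystem_grants(metadata_text)
    return name, [(p, m) for p, m in grants if p in BROAD]

# Constructed sample metadata (not taken from any real application).
SAMPLE_BROAD = """
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;xdg-download:ro;
"""

SAMPLE_NARROW = """
[Application]
name=org.example.Player

[Context]
sockets=pulseaudio;
filesystems=xdg-music:ro;!home;
"""

if __name__ == "__main__":
    for text in (SAMPLE_BROAD, SAMPLE_NARROW):
        app, found = broad_grants(text)
        print(app, "->", found or "no home/host access declared")
```

On an installed system the same text can be obtained from `flatpak info --show-metadata <app-id>`.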
Great blog post, always nice to read about other people’s experiences. I was curious if you’d switch back to NixOS, but that’s not the case. Qubes OS looks interesting, I checked it out a few years ago. I should give it another look.
I believe the author continues to make use of NixOS VMs within Qubes OS.
I find the author’s concerns about security to be at odds with their enthusiasm for Flatpak and systemd. Personally I don’t think containerised applications get as much attention from package maintainers or security audits. Systemd is also expanding into every area of the OS, including recently offering a sudo alternative, which is basically creating one massive attack surface.
Even if you’re rightfully concerned, they become non-issues in the author’s platform of choice: Qubes OS.
The reason (I think) they mentioned all of those explicitly Linux things is because they’ve also stopped using OpenBSD VMs in Qubes OS.
Qubes OS has quite a bit of issues too, unless it’s better now?
It ain’t perfect. But it’s the best we got when it comes to a secure OS on x86.
The author is even quite explicit when they mentioned using Fedora Silverblue for gaming.