by PhilipRoman 590 days ago
Compartmentalization is only a part of the solution. Once you have that finished, you still need to deal with the actual vulnerabilities in guests, which will contain your secrets and be exposed to the internet, one way or another.

Guests don't have to be exposed to the Internet [0] or even run full OSes [1].

[0] https://www.qubes-os.org/doc/how-to-organize-your-qubes/

[1] https://www.qubes-os.org/doc/templates/minimal/

In what way are [1] not “full OSes”? They’re minimal templates, but afaik they still run systemd, the kernel, etc. needed to boot the standard Linux systems they are.

When I clicked the link I was expecting something like a unikernel, e.g. https://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewa...

> You certainly can run distros without systemd

Does it then become not a full OS anymore? Mirage is what I linked to above.

> Does it then become not a full OS anymore?

Probably not. I mentioned it because you mentioned systemd. And yes, I saw your Mirage link and showed how you can use it on Qubes.