Read this first to understand what I'm counter arguing against:
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/faq/#how-does-qubes-os-compare-to-running-vms-in-a-conventional-os<p>QubesOS devs make a great point about how difficult it is to trust operating systems and because of that qubesos is great because it's easier to trust the xen hypervisor.<p>But all the Qubes still use a "conventional" OS, by default it's either Fedora or Debian. That means if Fedora or Debian OS is compromised then all Qubes will be compromised if all Qubes are using either of those OS. And most likely a user won't mix between both Fedora and Debian, more likely they will use just one of these OS for all or most of the Qubes.<p>How would the OS be compromised? Probably a 0 day in one of the official packages which come by default with a fresh installation of the OS. Or maybe one of the developers have been compromised such as the one who builds the .iso for installing the OS from.<p>So qubesos is more secure but just from this FAQ I've linked to, I think it doesn't seem like such a huge difference. I could even argue that qubesos is less secure because like I have explained, if the OS used in all or most Qubes is compromised then all or most of your Qubes are compromised so it's almost same problem as if you used that OS to host VMs on. But when you use QubesOS you also have the additional attack surface that comes from the hypervisor.<p>I'm still learning about QubesOS because I'm not sure if I will use QubesOS or a linux distro to host VMs on. I think if you use a similar approach as QubesOS does by using VMs for compartmentalization of different identities and trust levels alongside strict SELinux/AppArmor/Firejail/Bubblewrap and firewall configurations you can achieve close to same level security as QubesOS.<p>QubesOS also does some things I need to do more research on, such as making the GPU nearly useless in App Qubes. But if you use a linux distro to host a VM then you won't have problems passing through the GPU if your hardware supports IOMMU. But there is probably a good reason for QubesOS doing that and that's a reason to use QubesOS because QubesOS does a lot of things most people don't understand or know about but it increases security.<p>Another thing I like about QubesOS is I've read that anyone can build the OS from source code and that way there is no trust involved when installing QubesOS. And you can also do updates for QubesOS and the Qubes from source code as well. I haven't looked into how all that is done yet but if it's not too difficult or too much work for every update then that is a huge huge reason to use QubesOS because with most other OS you have to trust the .iso because you're not installing from the open source code because the dev who build the .iso could secretely add malicious modules.
QubesOS is significantly more secure than the individual VMs. The vulnerability that the OS is compromised at the distribution level is a very special case. First of all, if Debian is compromised at source, it would be everyone that is compromised not just Qubes. This will be big news.<p>Qubes VMs are ephemeral. If they are compromised by the user installing malware, obviously the malware is jailed to that VM. It will also be cleared from that VM in the next reboot.<p>Qubes implements strictly separate compartments. Like, your password manager has no business to be in a VM that runs your media server.