Comment by JCattheATM
2 days ago
Just FYI, there are some people that vastly exaggerate the security it provides. For the most part, you're just as safe using Flatpak versions of applications.
When was the last Flatpak escape? The last VM escape from VT-d virtualization, which Qubes uses by default, was found in 2006 by the Qubes founder: https://en.wikipedia.org/wiki/Blue_Pill_(software)
The most recent VM escape from VT-d virtualization was in 2022[0].
Escapes are not the only vulnerability. QSB-108 allows for reading the memory of other qubes running on the host[1].
[0] https://nvd.nist.gov/vuln/detail/CVE-2020-15565
[1] https://www.qubes-os.org/news/2025/07/11/qsb-108/
Apart from the fact that this is extremely rare, the first vulnerability is not a complete escape. For example, any offline vault VM storing secrets stayed secure. This is just not happening with any other security approach.
Speculative side-channel attacks have nothing to do with OS or compartmentalization technology, since they are the problem of CPUs. Nothing can help here, so this is irrelevant to this discussion. Except that Qubes Air will save you in the future: https://www.qubes-os.org/news/2018/01/22/qubes-air/