qfile-unpacker is whitelisted and a security risk.
…but only a threat model if Qubes were already using sudo lockdown by default, or when opted in by the user.
Implement permission-hardener enable compiler. The initial implementation does not necessarily include the list of interpreters / compilers (separate lists) but the config / variables for these lists need to be implemented first.
Am I correct in understanding that with Qubes OS currently allowing passwordless root by default, this will have limited impact on improving security for Qubes-Whonix, unless used in a non-standard configuration?
(Even in that case it’s useful to have, as in the future Qubes may finally move toward supporting root account protection again.)