How to install software on templates (Qubes 4.0)
Eric Scoles
Per this, in Qubes 4.0 software is to be installed using Qubes tools.
https://groups.google.com/d/msg/qubes-users/aBE-U9YKhjU/0t7hspsbAgAJ
Is there at this time any documentation of how that's done? The current list of CLI tools doesn't seem to include anything that relates.
I looked at Yum Extender under System Tools, but don't see any way to either install arbitrary RPMs or add new repos.
This:
https://unix.stackexchange.com/questions/334117/how-to-add-software-sources-for-dom0-in-qubes
...suggests that the correct way to do it is to temporarily add a repo, then remove it when you're done installing.
1. Is that the canonical method?
2. How would we retrieve updates?
3. What if we need to install a package that's not available via a repo?
Tom Zander
you would do it in the ‘upstream’ way.
So if you are using a debian template, you’d be able to go to the debian
wiki pages that explain how to do it.
So your question 1 and two are answers with; “like in the upstream distro".
> 3. What if we need to install a package that's not available via a repo?
public repo may cause the issue of it not being trusted. I don’t trust
skype, for instance.
Technically the installation is not too difficult, you just follow the
instructions from the place you find the software.
But it is important to assess how much you trust this software and its
installer because changes made in a template will have an effect on ALL
qubes that are based on it.
Installing untrusted software in a template may end up exposing your data in
the “work” qube that is based on it.
You may consider creating a new AppVM where you install the software (again,
using the instructions from the place where you find the software). Check the
/rw/config dir, there is a binds configuration that allows you to specify
which files or directories are kept between restarts.
Hope this helps.
--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Eric Scoles
<quote>
Templates don't have Net-VM's in Qubes 4. All updates are run over the Qubes-tools, and are no longer networked.
[https://groups.google.com/d/msg/qubes-users/aBE-U9YKhjU/0t7hspsbAgAJ]
</quote>
What I imagine I'll try next is to get the RPM into the template filesystem and use command line tools to install it. Is that what you mean by "the usual methods"? That still leaves the package without a clear way to be updated.
As far as the 'trusted' or 'not trusted' nature of a particular piece of software: We need to install what we need to install. If the system prevents people from doing what they need to do, they won't use the system -- that's axiomatic. So that's a net reduction in security. ('The best security is the security you use.')
Tom Zander
> Sorry, I guess I'm not understanding your answer. The 'usual way' to
> install in an upstream distro would be to connect to the network.
solution.
Please give it a try.
Eric Scoles
Eric Scoles
Unman
> I don't know what you're asking me to try.
>
in 3.2 the templates used a proxy upstream but connected using Qubes
networking.
In 4.0 the proxy is accessed using qubes services. These are already
installed in the Templates.
You should therefore just be able to use native tools and the Qubes
internals should just work.
cooloutac
> I don't know what you're asking me to try.
you can connect to the fedora repos but nothing else. unless that program comes from 3rd party repo it should just work.
have you tried the 2016 version? That one is beta prolly why its not in the repos. 2018 is only on windows according to their website.