Clone template vs. stand alone for untrusted software?

I would like to run Signal Desktop and Element in a Whonix-16 qube.

As far as I understand, the typical way of installing software outside of the Debian repos (and thus “untrusted” software) would be to create a stand-alone whonix-16 qube, and to install it there, as per Standalones and HVMs | Qubes OS.

However, in the discussion of Debian-minimal templates, users have described cloning a base template before adding more packages within the template (and using apt-cacher-ng to speed up updates).

When is one approach more appropriate than the other? Is it only useful to use the latter when you intend to have more than one Qube with that specific package? Tagging @Sven re: the latter approach :slight_smile:

Thanks!


Regarding matrix clients specifically, you might want to try mirage. It’s available via apt install matrix-mirage and the version in debian-testing is up-to-date. The version in debian-stable (and whonix) is old (and buggy IMHO), but there is an updated appimage you can run directly from homedir. In either case, no dedicated template is needed.


@behemothwerecat

As far as I understand, the typical way of installing software outside of the Debian repos (and thus “untrusted” software) would be to create a stand-alone whonix-16 qube, and to install it there, as per Standalones and HVMs | Qubes OS.

That’s not really how I see standalone qubes. I see them more like a fallback in case the standard Qubes OS template approach is either explicitly unwanted (simulating a standard PC install for verification/observation) or too much trouble (single qube that constantly needs software / libraries / dependencies installed as part of the normal workflow – e.g. certain development qubes).

Or when the user lacks the technical know-how to create a template using an OS other than Fedora/Debian (e.g. Windows).

However, in the discussion of Debian-minimal templates, users have described cloning a base template before adding more packages within the template
There are multiple concepts in here:

  1. cloning the installed template and customizing the clone (to always be able to fall back / restore a clean starting point)

  2. having multiple specialized templates (e.g. based on minimal) to reduce attack surface / complexity / dependencies

(and using apt-cacher-ng to speed up updates).

… making 2) less of a burden especially on low bandwidth connections.

When is one approach more appropriate than the other?

Again, I don’t see them even as comparable.

You want to clone the template and install your less trusted software in that cloned template to preserve all the advantages that come with using templates (read only system partition, being able to have multiple qubes to further compartmentalize).

A standalone qube behaves just like any standard virtual machine and any and all changes persist. I would go so far as to say: if you are not sure that you NEED a standalone qube, then don’t use it.

Is it only useful to use the latter when you intend to have more than one Qube with that specific package? Tagging @Sven re: the latter approach :slight_smile:

No. Even if you only base one qube on the respective template (as many of my qubes and templates have a 1-to-1 relationship), there are still advantages (like having the system/root read-only and separate from home/rw).

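The clone-then-customize workflow described above, as an added example for dom0 that is not part of the thread: the base template stays untouched, the less-trusted software goes into the clone, and the AppVM keeps a read-only root with only /home and /rw persisting. The template, qube and package names are assumptions; set DRY_RUN=1 to print the qvm commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread). Run in dom0.
# Assumed names: whonix-ws-16 (base), whonix-ws-16-msg (clone), messaging (AppVM).

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# clone_template BASE CLONE: keep BASE clean as the fallback, customize CLONE.
clone_template() {
    run qvm-clone "$1" "$2"
}

# install_in_template CLONE PKG...: install inside the clone as root, then shut
# it down so AppVMs based on it pick up the updated root image on next start.
install_in_template() {
    tmpl="$1"; shift
    run qvm-run --user root --pass-io "$tmpl" "apt-get update && apt-get install -y $*"
    run qvm-shutdown --wait "$tmpl"
}

# create_appvm NAME CLONE LABEL: the qube that actually runs the software;
# its root filesystem is the template's, read-only, only /home and /rw persist.
create_appvm() {
    run qvm-create --class AppVM --template "$2" --label "$3" "$1"
}

# Full workflow (assumed names; PKG is a placeholder for the package you add).
setup_messaging_qube() {
    clone_template whonix-ws-16 whonix-ws-16-msg
    install_in_template whonix-ws-16-msg PKG
    create_appvm messaging whonix-ws-16-msg purple
}
```

A second qube needing the same software is just another `create_appvm` call against the same clone; the base template can still be cloned again for an unrelated package set.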

That’s very interesting, I had definitely overestimated when to use a standalone qube, in part due to the framing of the docs, given the description: “Qubes used for installing untrusted packages.” Would you say that the “template cloning” method requires using apt-cacher-ng to not be a total pain during updates?

I live in a rural setting and most of the time am limited to 1-2 Mbit down, while at the same time having 12+ Debian based templates. In that case you definitely want a cache.

If you are on a 100 Mbit connection and/or have only 2-3 templates of the same distribution, you probably won’t mind downloading things redundantly.

I’d start without the cache and see how you do, especially when using Debian stable, as updates there are much less frequent than on Fedora.

Getting the cache to work with Fedora… I tried to see if I can and gave up / banished Fedora from my life (except dom0 of course).
