@behemothwerecat
As far as I understand, the typical way of installing software outside of the Debian repos (and thus “untrusted” software) would be to create a stand-alone whonix-16 qube, and to install it there, as per Standalones and HVMs | Qubes OS.
That’s not really how I see standalone qubes. I see them more like a fallback in case the standard Qubes OS template approach is either explicitly unwanted (simulating a standard PC install for verification/observation) or too much trouble (single qube that constantly needs software / libraries / dependencies installed as part of the normal workflow – e.g. certain development qubes).
Or when the user lacks the technical know-how to create a template using an OS other than Fedora/Debian (e.g. Windows).
However, in the discussion of Debian-minimal templates, users have described cloning a base template before adding more packages within the template
There are multiple concepts in here:
1. clone from the installed template and customizing it (to always be able to fall back / restore a clean starting point)
2. having multiple specialized templates (e.g. based on minimal) to reduce attack surface / complexity / dependencies
3. (and using apt-cacher-ng to speed up updates) … making 2) less of a burden especially on low bandwidth connections.
When is one approach more appropriate than the other?
Again, I don’t see them even as comparable.
You want to clone the template and install your less trusted software in that cloned template to preserve all the advantages that come with using templates (read only system partition, being able to have multiple qubes to further compartmentalize).
A standalone qube behaves just like any standard virtual machine and any and all changes persist. I would go so far as to say: if you are not sure that you NEED a standalone qube, then don’t use it.
Is it only useful to use the latter when you intend on having more than one Qube with that specific package? Tagging @Sven re: the latter approach
No. Even if you only base one qube on the respective template (as many of my qubes and templates have a 1-to-1 relationship), there are still advantages (like having the system/root read-only and separate from home/rw).
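The clone-then-customize workflow described in this reply, as an added dom0 shell example (not code from the post or from the Qubes OS project): clone a trusted template, install the less trusted packages in the clone only, shut the clone down so the change lands in its root volume, and base a new AppVM on it. The template, package and qube names (`debian-11-minimal`, `debian-11-dev`, `dev`, `build-essential`, `git`) are assumptions chosen for illustration; `DRY_RUN=1` is a helper switch added here so the commands can be previewed outside dom0.

```shell
#!/bin/sh
# Run in dom0. The original template is never modified: all new software goes
# into the clone, and every AppVM built on the clone keeps its root read-only
# and separate from its private /rw volume.
# Set DRY_RUN=1 to print the qvm-* commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# clone_template SRC DST: writable copy of SRC named DST; SRC stays clean
# so it remains a fallback if the customized clone ever needs to be discarded.
clone_template() {
    run qvm-clone "$1" "$2"
}

# install_in_template TEMPLATE PKG...: install packages inside TEMPLATE as
# root (qvm-run hands the string to a shell in the VM), then shut the template
# down so the root volume change is committed before AppVMs use it.
install_in_template() {
    tmpl=$1; shift
    run qvm-run -p -u root "$tmpl" "apt-get update && apt-get install -y $*"
    run qvm-shutdown --wait "$tmpl"
}

# create_appvm NAME TEMPLATE LABEL: new AppVM whose root comes from TEMPLATE.
create_appvm() {
    run qvm-create --class AppVM --template "$2" --label "$3" "$1"
}

# End-to-end: SRC_TEMPLATE -> DEV_TEMPLATE with build tools -> QUBE based on it.
# Names are constructed for this example; build-essential/git stand in for
# whatever less trusted software the workflow needs.
setup_dev_qube() {
    src=$1; dev_tmpl=$2; qube=$3
    clone_template "$src" "$dev_tmpl"
    install_in_template "$dev_tmpl" build-essential git
    create_appvm "$qube" "$dev_tmpl" blue
}

# Uncomment to run for real in dom0:
# setup_dev_qube debian-11-minimal debian-11-dev dev
```

Because the software lives in the clone, a second qube needing the same tools is just another `qvm-create --template debian-11-dev`, and reverting is deleting the clone and re-cloning from the untouched source template.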