Confused with correct way to install software

Hello, I’m following the docs and it says software installation has to be through templates. But then it says network connections are disabled for templates and that I need to use Updates Proxy. But I don’t know how to start up Updates Proxy. I couldn’t figure out what to type into the terminal from the docs. I went from Template:fedora-32 > fedora-32: Software and of course, no network access so I couldn’t install any of those items available in the software screen. What do I do? Should I just change the “Networking” field in settings to sys-firewall? I don’t want to do the wrong thing…

What software screen?

if you don’t care about security, yes

It uses tinyproxy.

can you check this file in dom0


The updates proxy service is configured by default in the templates, so
you should not need to do anything.
The Fedora Software app does not honour this proxy, so you can't use it
to install software. (I recall this is a long-standing Fedora bug.) You
can, of course, use dnf at the command line in the template.

It’s not advisable to enable networking in the template.

Sorry, I’m new to all this Linux stuff. So I chose instead to download the software in one of the Qubes that was set up by default. Is it ok to use “Copy to Other AppVM” and select the Fedora-32 template? And then from that template, install the software? Is this the correct way to do it?

you can, just make sure that file is safe

So I chose instead to download the software in one of the Qubes that was set up by default. Is it ok to use “Copy to Other AppVM” and select the Fedora-32 template? And then from that template, install the software? Is this the correct way to do it?

It is recommended to install software directly from the TemplateVM’s package manager, if it’s available. You can use dnf search <package> for Fedora or apt search <package> for Debian to look for the software you’re trying to install. I would not recommend copying any files into a TemplateVM for security.
Also, see:
How to install software | Qubes OS

Hi, what if the software isn’t available in the package manager? For example, I had to download NordVPN from their website as it wasn’t listed in the package manager. What would be the right way to go about it if copying from a Qube is unsecure?

I have read the help file multiple times. Unfortunately, it is not very user-friendly to an absolute beginner coming straight from Windows. Hence, my posts.

No problem. You wouldn’t want to install a VPN onto a TemplateVM anyway.
There is documentation on how to set up VPNs:

I will try to summarize it from what I understand, but I haven’t tried setting up a VPN myself. There are basically three options: setting up the VPN globally (all connections will go through the VPN), setting up the VPN for a specific AppVM, and setting up a ProxyVM that will provide the VPN connection to specific AppVMs.
If you want to set up the VPN globally, you can follow the installation instructions from NordVPN by running the sh command provided there inside of the sys-net VM’s terminal, then following the instructions to set it up from there.
If you just want to provide the VPN connection for a single AppVM, you can do the same thing, but inside of the AppVM’s terminal.
The third option of creating a ProxyVM requires creating a new VM with Create Qubes VM, choosing the preferred Template (fedora-32 or fedora-33 should work fine), setting Networking to sys-firewall, then checking the box for ‘provides network’. Then follow the same steps for the other two options in the new VM’s terminal.
If you need any further help, you can let us know. There are probably some things I didn’t cover, but they can be found in the documentation.
Also, note that copying files between qubes is not inherently insecure, but I would generally not recommend copying anything to the TemplateVMs specifically as they are usually more trusted.

Ok, thanks! I managed to install some stuff using the dnf search <package> command you gave me. No Qube file transfers for that part! So I guess I’m on a slow, but right path.

The NordVPN link was the first thing I tried. But at the time, I don’t think I understood some of what was going on so that’s probably why it failed. I will give that a shot again and I’ll read the first link as well as from a glance, that seems to look like the better way to do it.

I’m having the same doubt.

My applications such as Standard Notes and Veracrypt and Signal Messenger are not available using dnf search so I opened a disposable Qube and downloaded the installation files straight from the source website. Checked the checksum manually etc.

Now I don’t know how to continue.

I tried to copy the file, which I trust, into the template but it does not seem to appear anywhere. It seems I cannot copy the file to the Fedora Template or it does not work the same way as when I copy a file from one Qube to another.

Any best practices on the topic of installing packages from third parties?

I saw some posts on using third party repositories but I do not trust those; I would rather download the file directly from the source and verify the checksum after.

I would like to start by reiterating: It’s not advisable to enable networking in the template.

Regarding installing Signal messenger in a Debian template, see:

It’s easy and straightforward (copy/pasting the commands from that webpage to the terminal in the template).

Regarding installing software that does not exist in any repository, for example, Zoom, MS Teams (or Standard Notes and Veracrypt as mentioned), here’s how I do it:

  1. First, check if software can be installed and if it persists in the Qube / AppVM (work, vault, etc.) instead of the Template. Some applications do persist.
  2. Second, if it does not persist in the Qube / AppVM, download the installation file in a Qube, then copy it to the template. Make sure that the installer corresponds to the Template. Debian takes .deb files. Fedora, I think, takes .rpm files. Then run “sudo dnf install [the downloaded package]” or “sudo apt install [the downloaded package]”. The downloaded package would be in a folder in QubesIncoming. You can drag and drop it to the terminal after you type the sudo apt install / sudo dnf install. (I saw in some cases the use of sudo dpkg -i [package] but I don’t know the difference from the install command. Maybe Linux experts can explain this?).

I hope this helps.

1 Like

Are you sure about that? Where did you look for them? Those files should show up in /home/user/QubesIncoming/, which is the same as when copying files to any qube.

Once you have the program installer in your template (and you’re sure you trust it), you can often install it there just like you would in the baremetal upstream OS.
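
Added example, not part of any post in this thread: a pre-install check to run inside the template on a file that arrived in QubesIncoming, covering the points raised above (the installer type must match the template, and the checksum should be verified on the copy that will actually be installed). The function name `check_incoming_pkg` and the file names are hypothetical; the expected SHA-256 is assumed to be the value published on the vendor's website.

```shell
#!/bin/sh
# Usage (inside the template):
#   check_incoming_pkg ~/QubesIncoming/<source-qube>/<file> <published-sha256> fedora
# FAMILY is "fedora" or "debian". On success the install command is printed
# for the user to run; on any failure nothing is printed to stdout.
check_incoming_pkg() {
    file=$1 expected=$2 family=$3

    # The installer format must match the template's package manager.
    case "$family:$file" in
        fedora:*.rpm) installer="sudo dnf install" ;;
        debian:*.deb) installer="sudo apt install" ;;
        *) echo "package type does not match a $family template: $file" >&2
           return 2 ;;
    esac

    [ -f "$file" ] || { echo "not found: $file" >&2; return 3; }

    # Re-hash the copy that arrived in the template, not the one left
    # behind in the download qube. Published hashes may be upper-case.
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # apt treats a bare "name.deb" as a repository package name, so a
    # file in the current directory needs an explicit path.
    case "$file" in
        */*) ;;
        *) file="./$file" ;;
    esac

    printf '%s %s\n' "$installer" "$file"
}
```

A matching hash only shows that the file is the one the publisher listed; where the project also signs its packages, checking that signature is the stronger test.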