@Sven your solution is good.
But…
Script requires to be copied over to dom0 (which needs complicated qvm-run commands from dom0 to have written copy-pasted script passed over qube to dom0), which is also not so desirable and implies running code on dom0.
This is why I reacted so much.
I am dozing out of my suggestion, really do not like the idea of giving internet access to even untrusted templates, but I agree with you: this might be to contain user errors who needs security the most, while I agree with @fsflover that wget-proxy would require from the user to convert upstream instructions everytime it fails(I liked that error/learning approach).
Where giving internet access to Template may be the easiest solution and should maybe be simply better documented in the core (@adw ) documentation, as Qubes documentation (which is the referecne for all users) was not current.
Edit: was done by @adw : awesome.
Meanwhile, I will simply deploy wget-proxy and curl-proxy to limit the flood in my support box. Ping me again if the idea of a better, upstreamed solution to deal with daily, real-users facing problems of wanting to add a trusted repository should be done in a non-duplicated, untrusted template (which duplicates network bandwith as well for updates, still today, and is not a luxury all end-users have).