Curl-proxy / wget-proxy scripts in Templates so users can add GPG distro keys linked to added external repositories

@marmarek @unman @patrick.whonix (you are not here?) @fepitre @Demi :
Then, I am questioning, really, the current Qubes Template approach with the proxy, and would love to see what it was before, what changed and where it is now.

Following the reaction of a lot of current thread participants, it seems that the proxy logic permitting dnf/apt was pure magic, which, once exposed, caused a strong reaction from them. Knowing now that wide internet access from a TemplateVM is available from http://127.0.0.1:8082 blew their minds, now seeing that this principle was, if we abuse language, security by obscurity.

Some are looking to close it down more (@sven) while others are disappointed by the fact that some scripts might just be using it now. My attempt to facilitate this usage exposed its existence, on which @unman pointed to some past disagreement about changes in the past that I cannot directly point back to. The fact persists. That proxy is currently effective; people are against using it directly for better UX, because it would make it easier to use by following official software installation guides, because some random script could be using it, targeting a proxy that is available in all Q4.0/Q4.1 TemplateVMs to permit dnf/apt updates from the default, currently Qubes-trusted, repositories.

This dichotomy is making me uncomfortable, personally. The information is available. If we prohibit users from using curl/wget because scripts would too easily use such binaries, it's just a matter of time and/or intense research to find some scripts which are using http://127.0.0.1:8082 for scripts targeting Qubes users into bypassing TemplateVM security measures. Yet, we do not want to facilitate UX by having wrappers to pause external downloads, while being aware that such scripts might exist and that some Qubes users might have run into it to compromise their Templates already.

We now fall back to wanting to implement a MOTD to educate users about TemplateVM limitations/security properties limiting them to be able to use such applications directly, while I now agree with @Sven (multiple stances) and @laurel.straddle:

That such proxy exposure, if not facilitated, still exists, and as of now is more like a security by obscurity measure than anything else.

Please point to the PRs/issues that made the changes happen upstream. I would like to see what the reasoning was for hiding its usage more than securing it. Or understand why a proxy was decided on over fw rules. Understand the before/after of such discussions and the technical/UX justifications/considerations that made the change happen.