I wanted to ask about something that wasn’t clear to me. According to the documentation, in Debian templates/virtual machines, for example, it’s not possible to use the apt command to install/update from the command line without breaking the qube’s isolation, but is it possible to use it to modify a template from a terminal in dom0?
Would you please provide the link to the mentioned documentation? While updating via apt is not recommended, installing new software via apt should be OK.
The exact documentation is here, and the statement is a bit vague regarding software installation; it simply says something like “it should be fine.”
And then I find threads where the complete opposite is done.
I’m not objectively sure if using apt install is okay, but does that mean I can also add third-party repositories to templates to install programs that use independent maintainers? Like importing the key and everything, as in Ubuntu? And wouldn’t that break the template?
“Warning: Updating with direct commands such as dnf update and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)”
In my final opinion, yes, I believe all the documentation should be significantly updated with the release of version 4.3. However, I think I’ll have to write directly to the development team for a more precise explanation, as I see no reason to avoid exposing the system when connecting to the repository to install a program with apt install.
However, updating template packages (not just Qubes OS’s built-in packages) using traditional methods puts the system at risk. That’s why the recommendation to use Whonix is so strong.
Therefore, I believe essential information for understanding the design of Qubes OS subsystems is missing. Regards.