My advice for pip (and perhaps other repositories) would be to install them on as user programs on the AppVM. Not in Templates
For development purposes, I think it’s better to have these installed on the AppVM user space than enabling network access to install packages with pip for example. Also because ideally you don’t run any other programs than the package manager on the TemplateVM.
But I’d like to hear concerns about the security of this approach.
warning: With any of these methods it’s likely you’ll forget to update software since the auto updater for Qubes will not be able to help you. So you might miss out on important security updates.
Installing Python Packages
Through Package Manager
Debian has quite a lot of packaged python packages, you can find them under the python-
name space (apt search python3-
)
Through PIP
For example, for pip you can look into virtual environements. What I do is
-
On Template Qube you install
python3-pip
andvirtualenvwrapper
or equivalent -
Add the following to the end of
~.bashrc
and reopen the terminalsource /usr/share/virtualenvwrapper/virtualenvwrapper.sh
-
And then on the AppVM you create a profile where you can install python modules that will persist across rebots (they will be installed under
~/.virtualenvs
mkvirtualenv -p /usr/bin/python3 [project] # [project] is a plceholder pip install newspaper # or whatever python modules you want
Then everytime you open a new terminal and want to access that virtual environement you do
workon project
And then a little
(project)
will show up in the terminal showing you are now on that virtual environment and as such you have access to all the packages installed.
Snap packages
There is a small discussion about this here: Qubes os and cryptocurrency wallets bu
AppImages
I do have a program that I have to install as an AppImage since it’s not available in packaged form. What I do in this case is drop it on the template under /opt/
, create a shortcut icon under /usr/share/applications
and only start it on the AppVM.