For network-connected apps like browsers, what gives the most security? Installing the native app in the template, or installing the Flatpak version in the qube, and locking it down with Flatseal?
The biggest problem I can see is there must be a delay in updates before they hit the Flatpak version? And/or trusting the devs behind the Flatpak version?
If my priority is security, what is the best choice?
I don’t know if it’s Flatpak but there’s that one where you have to do wget and curl because there’s some “key” you can’t work without connecting your template directly to the internet. A pox on that.
I always find it extremely odd/frustrating that the Qubes team has yet to address the ability to gpg --recv-keys when preparing TemplateVMs (I understand the issue is with gpg wanting to DNS), thus leaving: A) “dirty” fetch + verify post install or B) manually including the key.
Leveraging split-gpg for TemplateVMs feels too excessive. Is that even a “thing”?
I definitely it better than the other options listed above and, I’d certainly it if it were available as a package in the qubes repo.
I’m fully aware of how over the top this would be for such a simple script, but it’s a long night/day & I just don’t see the smoothest workflow (manually adding it to the most commonly used TemplateVMs?).