What are the pros and cons of using either Gnome Software or Qube Apps (Qube Apps: a Flatpak-based app store for each qube | Micah Lee) for Flatpak management? Which one is recommended and why?
It’s different use case.
If you install a program in a template, it uses the disk space once and all AppVM can run it, and you have a single area where you need to update it, so it uses less bandwidth.
If you install a program in a single AppVM, it won’t be available to other AppVM.
The only benefit I can think on installing in an AppVM is when you want to not disclose that you use this software in case another qube gets compromised. I can’t think of anything else.
On my Qubes OS, I have a single template with everything installed in it, that works fine for me, but this may not be what everyone’s want.
Thank you, I do understand the difference between template AppVM qubes. However, what are the pros and cons between these two package managers?
- Gnome Software (GNOME Software - Wikipedia)
- Qube Apps (Qube Apps: a Flatpak-based app store for each qube | Micah Lee)
GNOME Software is only a program that will install programs with the package manager or flatpak.
Flatpak is only for flatpak programs, they are sandboxed and everyone can publish on flathub (with a system to verify if the maintainer is actually in the team producing the software), while on Fedora/Debian repositories, it’s maybe a hundred of people taking care of updating packages and it’s hard to join that team. Flatpak are “distro-agnostic”, this mean if a program is packaged with flatpak, you can install it on any linux distribution, this avoids duplicated effort bringing a package into each repository (and damn, it’s so much work!!). Flatpak programs may be updated more often as they have individual pipelines that may automatically check every hour when a new release is done, build it and offer it to flatpak users.
It’s a long debate between distro package manager vs flatpak. I personally love flatpak because it gives more control due to sandboxing, and push updates faster, but it may integrates a bit less well in the desktop environment (that’s barely an issue on Qubes OS to be honest as it’s already pretty raw 
)
I represent the opposite extreme here.
But even at your end of the “how compartmentalized are you” spectrum, one thing I would suggest you might want to do (if you haven’t already) is to get your system qubes set up based on a different, minimal template. There’s simply no reason to run LibreOffice or Keepass or Thunderbird or even firefox in sys-firewall or sys-net, so having them available to anyone who tries to hack in can only be a security minus. This is one place I think an objective (not personal taste or extreme paranoia) argument can be made that people should compartmentalize more than the default setup.
The qubes you use as a user (Work, Personal, etc., any others you’ve created) can certainly all come from one template; it’s oftentimes easier that way.
it’s easy enough to download a binary to run them locally for an attacker that I don’t mind having it ready in the template 
That’s another story for suid programs though.
For installation of flatpak or gnome, etc-programs; I did a clone of each Deb/Fed-Template (they are original).On the clone templates I can install any software for working or testing, keeping in that way my templates always on the safe side.
You’re assuming they can get into the system in the first place, then use the program.
What if the program had to be there for them to get in? Why install a potential doorway?
If the program is not running, it can’t be exploited.
I think too @SteveC .
If my first language is Croatian (my first language is not English, so my English text is unnaturally, but my true first language is not Croatian), so I set Croatian as system language of Template, it is serious attack surface.
But if I don’t understand English, if I don’t set Croatian to Qubes OS and single system template, I very likely mistake system setting, and broken myself default security and privacy setting, so my game is end too.
So using single template is high risk of VM fingerprint, but if I separate between system template and work or personal template, danger is little less.
Because user should compartmentalize to templates, I think it be willing to guard user privacy from threats.
See also: How to hide the fact that I'm Qubes OS from Telegram (only for users with Trust Level 2 or higher unfortunately).
To my mind, fingerprinting is actually more of a privacy issue than a security one. You don’t need to be hacked to be leaving fingerprints everywhere; it’s often being done by design (even if it’s not your design), in fact.
There’s a lot of overlap between the two (and in some cases I don’t think people using the same word have the same thing in mind), but to me security is a matter of keeping people from taking control of your system or pulling data off you aren’t intentionally exposing. Privacy can be violated, of course, if someone manages to nab your photographs, so that’s both a security and privacy issue.
Qubes is actually intended for security, not privacy, but since there is overlap between the two it represents a good start on privacy (and having tor/Whonix added on gets you much closer). As far as fingerprinting goes, I count it as a small victory every time I open a browser disposable and sites like youtube apparently have no idea what I want to see, and map sites show me the wrong pace on starting up.
But if your access site blocked Tor, and you hope hide your true IP, you must use VPN.
Because your IP is your biggest fingerprint.
So you hope to guard yourself privacy, approach to separating template and using disp-vm are not enough.
And privacy great threat for example Google is can not know your accurate data, but if you frequently access YouTube and Google map, Google can make your fingerprint using your system language and your seen video and your miss spell of search and other.
So using only one template is danger privacy, user should separate exclusive template, but it is still not enough.
If first language of user is English, this is not big problem of threat model, but user of first language is not English, this problem is very danger.
So system template and work or personal template should be separate.
Actually I’ve had success with this. At least I think so.
I created a disposable Firefox qube that has been Arkenfoxed (that’s basically applying a bunch of anti-fingerprinting settings before Firefox runs for the first time). So, in essence every time I run that qube, I get a fresh (but pre-customized) copy of Firefox.
Once that browser closes, the disposable goes away, never to be seen again. Any profile google has built from it is basically useless to them.
It’s enough that YouTube has no idea what I watched the last time, on a different disposable instance based on the same TemplateVM (and disposable template).
Yes, Qubes facilitates this by allowing you to create a disposable template. They created disposables for security reasons, more than for privacy reasons. But firefox is not set up that way by default. (In fact the default is to have firefox run in a regular AppVM, so it will be remembered the next time by sites you visit.)
This is why I say Qubes is primarily about security but with a bit of work it can be quite a good privacy engine as well. And it does come with Whonix (which is not really part of QubesOS, but the two teams do cooperate) which in itself is very privacy-oriented.
If you want to try something like this (without diving into Arkenfox right away), you can install Firefox in a template…but do not run it. Base an AppVM on that template, then go into its settings and mark it as template for disposables.
You should be able to start the AppVM but have a qube named disp1234 (the numbers will be different) start up. That’s an absolutely fresh Firefox install, including the extra tab page full of lies about how they value your privacy. Go to YouTube, watch a few videos. Close it. disp1234 will shut down. Start it up again, this time it’s disp4321 (a different number). And firefox is a fresh install again, with a different Mozilla id number. Youtube has no idea you’re the same person; you shouldn’t see suggestions pushed to you based on what you watched last time. A really clever system might realize this “new” browser is configured just like that “other” new browser and possibly conclude you’re the same person, but that’s what Arkenfox is intended to address–that’s step 2.
My think is same as you.
Setting of default FireFox is not safety, it can not guard user privacy.
If I use it, Google can make my fingerprint.
However Qubes os installed default FireFox, this reason is threat model of Qubes os is security, not privacy.
So if Tor Browser is blocked, I would install LibleWolf or Mullvad Browser on not system template Qube, and run either one on disp-VM.
Because concept of LibleWolf and Mullvad Browser are difference, so them use case is difference too.
LibreWolf is hardened setting of security and privacy default, this design is self-contained itself.
So I run LibreWolf on AppVM(this is not having network!), I install addon for example LibRedirect and change default search engine after shutdown, their settings are saving on AppVM.
And I delete files on AppVM without setting files, keep only minimal files.
After I make Disp-VM from it, I run LibreWolf of saved my setting beforehand.
LibreWolf is safety default, If I install it into template, I don’t have to use profile of Arkenfox every time run it.
And design of LibreWolf is self-contained itself, so if I can use VPN, it can guard my privacy from Google and other threats.
Google can know only to my using browser is LibreWolf.
Concept of Mullvad Browser is to hide user fingerprint into user land of many using VPN users.
This concept is like to Tor Browser, Tor Browser hides user fingerprint through onion servers,but Mullvad Browser hides into many users of using VPN servers.
Security and privacy of Tor Browser becomes to harden enough increase of Tor users, Mullvad Browser too becomes to harden enough increase VPN users.
So if I run Mullbad Browser with VPN, Google can not make my fingerprint.
Google misunderstands to my using browser as FireFox, many threats can not know to I use Mullvad Browser.
Concept of two browser is difference, approach of Mullvad Browser is harder than LibreWolf as privacy.
Mullvad Browser can install on AppVM(This is default design), and I run it from disp-VM with VPN, it is most secure expect for Tor Browser.
Your approach(Profile sets before run) is rather suitable for Brave Browser.
Unfortunately services of blocking FireFox based browsers are existing, I must use Chromium based browser in this case.
Brave is not trusty, but if I must use Brave Browser, I use your approach.
If user changed setting as security and privacy, Brave restore default setting without user permission(This is one reasons of don’t trust to Brave) with update, but I saved minimal setting files(It needs to only three files) on AppVM, better settings of Brave Browser is kept.
And Brave Browser runs only on disp-VM, it is better in this case.