@unman From my tests, to have all qubes being able to install applications (since there repo definitions changed per cacher deployment)
It is required to
- have the AppVM policy statement to be able use RPC calls to cacher
[user@dom0 ~]$ cat /etc/qubes/policy.d/30-user.policy
#qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @type:AppVM @default allow target=cacher
qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher
(Note that in above case, I am able to use cacher for tor+https use cacher since I have modifed userinfo.html content in template-cacher so that it exposes its proxy as enforcing tor. That is ok for my use case, since I have cacher use sys-whonix as netvm. This is discussed under https://github.com/unman/shaker/issues/10 and more concisely for implementation details under https://github.com/unman/shaker/issues/12).
- have all qubes wanting to install software until reboot to have the
qubes-proxy-setupservice activated, otherwise repository definitions containinghttp://HTTPS///are simply failing from app-qubes (normal afterall).
@enmus does that answer your question?
@unman : I will not open a cacher issue as of now, but this is an issue. I think all app qubes should use the RPC call as the templates do for software install. After all, users might install a software inside of a qube/dispvm first to see if it behaves correctly, and the dispvm template will be derived from the templatevm which is configured to use cacher as well. I do not see any case where not having qubes-proxy-setup feature activated.
Thoughts?