It’s generally acknowledged that installing software like the driver of a printer into your Qubes OS requires a copy of the templateVM.
However, sometimes I think it is more convenient to directly install a program into the AppVM, which saves disk space. It’s just a concept, and I haven’t proved it myself.
I know that only /home, /usr/local and /rw are persistent across an AppVM’s reboots. And most packages install themselves into /usr/bin or so.
By monitoring the changes to the filesystem, we can copy the newly installed program (keeping its files’ directory structure) to /home and reinstall it using symbolic links during the next boot process.
The reinstalling process can be accomplished by executing a script indicating what symbolic links are to be created.
For example, if you install fcitx in an AppVM, and find that /usr/bin/fcitx as well as many other files were created during the installation process, you can copy these files into your /home while maintaining their directory structure (/home/root/usr/bin/fcitx), and you can run “ln -s /home/root/usr/bin/fcitx /usr/bin/fcitx” after rebooting the AppVM to re-install the program. Other files are handled similarly.
There are some questions that I’m unsure about:
Most significantly, is there any error in the process I described above?
Does this process break the security of this AppVM?
Is the “find” command adequate to track the changes?
May the existing “bind-dir” command (mentioned in Qubes OS documentation) be helpful?
For security reasons, should the script be kept in dom0?
Thank you!
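
The re-linking step described in the post, as an added example that is not part of the original post: it walks the persistent copy and re-creates one symlink per file, refusing to replace anything that already exists at the destination so a file in /home can never shadow a template-provided binary. The function names `relink_tree` and `link_one` are hypothetical, `/home/root` is the layout from the post, and running it as root from a boot script such as `/rw/config/rc.local` is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): re-create symlinks from a persistent tree.
# Assumed usage at boot, as root:  relink.sh /home/root /
# Limitation: file names containing newlines are not supported.

# link_one SRC DST FILE: create DST/<rel> -> FILE, <rel> = FILE relative to SRC.
link_one() {
    src=$1
    dst=$2
    file=$3
    rel=${file#"$src"/}
    target=$dst/$rel
    if [ -e "$target" ] || [ -L "$target" ]; then
        # Our own link from an earlier run: nothing to do.
        [ "$(readlink "$target" 2>/dev/null)" = "$file" ] && return 0
        # Anything else (e.g. a binary shipped by the template) is left alone.
        echo "skip (already exists): $target" >&2
        return 0
    fi
    mkdir -p "$(dirname "$target")" && ln -s "$file" "$target"
}

# relink_tree SRC DST: link every regular file or symlink under SRC into DST.
relink_tree() {
    src=${1%/}
    dst=${2%/}          # "/" becomes "", so targets look like /usr/bin/fcitx
    [ -d "$src" ] || { echo "no such tree: $src" >&2; return 1; }
    find "$src" \( -type f -o -type l \) | while IFS= read -r f; do
        link_one "$src" "$dst" "$f"
    done
}

# Run only when called with both arguments, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    relink_tree "$1" "$2"
fi
```

Because the persistent tree lives under /home, any process running as the qube's user can change what these links point to; the skip messages on stderr show which paths a copied file tried to take over.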