Qubes not loading without manual selection in boot menu. Is it actually a problem? And few more questions of newbie

Yes, exactly. The options you have in Qubes Global Settings only apply to templates (and standalones if you add them manually).

If the qubes you are using are attached to sys-whonix, they will use Tor to check for updates. You can exclude those that use clearnet netvms by adding the “qubes-update-check” service in the settings and unchecking it (to disable it).

Templates use a proxy service (tinyproxy) to be able to update/install packages without having a netvm attached. If you have selected sys-whonix, it will be used.


You mean if sys-whonix is selected as qube for updates then it also will download packages during the procedure of installing in template some new applications, like the mat2 for example?

So is the ISP able to see that I’m using Qubes OS looking at those packages that go during that update checking if it was going through clearnet?

It will for templates, yes. Selecting sys-whonix in Qubes Global Settings will use it to update and install packages inside templates. For all app qubes, the package manager will check for updates using the netvm it is attached to.

Yes it can, since you are pulling package information from Qubes repository.


If I disabled networking in all non-whonix qubes, except sys-firewall, chosen sys-whonix as updates qube, is there any clearnet traffic left that can be identified as traffic going from Qubes OS?

I installed these two applications and they appeared in applications menu, have their own GUI, but they didn’t appear in context menu (mouse right-click). Does it need only Gnome environment for this? Or there is some way to add them in context menu? I couldn’t find any related settings yet.

You can exclude checking for updates for specific qubes in Qubes OS Global Settings.
You can also change clearnet repositories to onion repositories in all your templates. This way the checking for updates won’t be leaked (at least for Debian, not sure about Fedora), because default apt policy forbids resolving onion links directly without a proxy.


If only sys-whonix is used as netvm for app qubes, then yes. The other qubes without a netvm will no longer use clearnet to check for updates.

I am not sure if they offer actions ootb. You may need to add them manually from the custom actions menu. If you look in the “Edit” menu on xfce thunar, you will see a “Configure custom actions” option where you can create actions associated with them.

For GtkHash, for example, you can create a new action with the command /usr/bin/gtkhash %F and with appearance for everything except directories.


Not sure if I understand right what exactly did you write that sentence for. What means “yes”? Question was: “is there any clearnet traffic left that can be identified as traffic going from Qubes OS?”

In Qubes Global Configs, in “Updates” section, I found paragraph “disable checking for updates for all existing qubes” and added exception for anon-whonix and whonix-workstation-17-dvm. Is this it? Is this the “official” way to prohibit certain qubes from performing update checks? If so, will the rest of two excluded qubes check updates for non-whonix templates too?

Sorry, I understood it differently. Other than the repo for updates, I don’t think there’s anything else.

Yes, that is one way to do it. If you disable it, you’ll need to include all qubes that will do the update checks. It will also mark templates that need to be updated when their related qubes find something, so you don’t need to add them to the list. If you have chosen to exclude some qubes (enabled instead of disabled), then they will stop checking for updates, and the other ones will continue (in your case, the ones attached to sys-whonix). Note that this is not a default setting. If you create a new qube and it’s attached to a clearnet netvm, it will not be included in the list. You’ll have to add it each time.
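An added example, not part of the reply above or of Qubes OS itself: since newly created qubes are not added to the exclusion list automatically, this check lists which qubes would still send their update check over clearnet. It assumes the Tor gateway is named sys-whonix as in the thread, and `NAME|NETVM` input lines such as `qvm-ls --raw-data --fields NAME,NETVM` prints in dom0; the inventory below is constructed.

```shell
#!/bin/sh
# Input: "NAME|NETVM" lines, a netvm of "-" meaning none (assumed format).
# In dom0 this would be fed by: qvm-ls --raw-data --fields NAME,NETVM

# Constructed sample inventory, not taken from a real system.
sample_qubes() {
    cat <<'EOF'
sys-net|-
sys-firewall|sys-net
sys-whonix|sys-firewall
anon-whonix|sys-whonix
whonix-workstation-17-dvm|sys-whonix
vault|-
work|sys-firewall
EOF
}

# Print "qube path" where path is tor, clearnet or offline.
# $1 = name of the Tor gateway (assumed sys-whonix, as in the thread).
classify_qubes() {
    awk -F'|' -v tor="${1:-sys-whonix}" '
        NF >= 2 { netvm[$1] = $2; used[$2] = 1; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                q = order[i]; hop = netvm[q]; depth = 0
                if (hop != "-")      path = "clearnet"
                else if (q in used)  path = "clearnet"  # network root, e.g. sys-net
                else                 path = "offline"
                if (q == tor) path = "tor"
                # Follow the netvm chain upward; the depth cap guards against loops.
                while (hop != "-" && hop != "" && depth++ < 16) {
                    if (hop == tor) { path = "tor"; break }
                    hop = netvm[hop]
                }
                print q, path
            }
        }'
}

# Qubes whose own update check would leave over clearnet.
clearnet_qubes() {
    classify_qubes "$@" | awk '$2 == "clearnet" { print $1 }'
}

sample_qubes | clearnet_qubes
```

Any qube this prints needs the qubes-update-check service disabled, or a different netvm, if its update check must not use clearnet.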

And few more questions of newbie

Please next time create dedicated topics for separate questions. Otherwise new users will not be able to find answers here.

Yes, but question was also “will anon-whonix and whonix-workstation-17-dvm perform updates checking for other Templates, like Debian and Fedora or only for their own Templates?” If qubes perform checking only for their own Templates then Templates with offline qubes (Debian and Fedora in my case) will be left without updates checking. Then I have somehow to find the way to check updates for them that doesn’t include using clearnet traffic for this. Of course I always can check for updates manually, using their (Templates) terminals, using command sudo apt update, but I will have to do this manually, probably each Qubes session. Of course it would be better if this process was automated.

Did you count these “separate questions”? :smile: How many topics do you think I would already create if I did what you said? :laughing: It would be better if this forum had some section like FAQ where users could ask common questions or there maybe is an other way: when I feel satisfied with all the answers, I can categorize them and then create a similar section about which I spoke. :sunglasses:

There are indeed very many topics already for almost all imaginable questions, including at least some of yours. They do not clutter the forum, but long discussions like this unfortunately do…

Category User Support (this one) is already such section.

Thanks. It worked. But what command to write when I need some specific command and not the default one? I mean, for mat2 its default command is mat2, but it also has mat2 --show that shows file’s metadata without deleting it. Is there a way to add such commands to context menu too or is it just a terminal command that works only in terminal?

One theoretical question: if you clone app vm that was compromised, will its clone be compromised too?
And the second: if to make app vm as a vault vm, will be there big difference between vm based on Debian and vm based on Whonix, if it anyway will be offline vm? I mean, the security difference. Or, except for the question of the Internet, whatever OS vm is based, in Qubes OS all vms are protected from threats the same, no matter what OS they are based on?

I promise, when I’m done, I will collect all answers here and create special topic where present them in short and understandable form, in a logical sequence, so all new users will benefit from this. :sunglasses: Some kind of FAQ section.


Only qubes can check for updates and will mark their respective templates (anon-whonix will), so if you want to check for updates for some specific templates that only have qubes without a netvm, you’ll have to manually check for updates in each template, or create new qubes based on those templates with sys-whonix as netvm so that they check for updates automatically without going on clearnet.

If mat2 doesn’t have a GUI, I don’t think it will show anything with this option. You’ll be able to see the metadata by running the command yourself in a terminal.

It will if the compromised files are on the private volume. The root volume comes from the template and is reset at each reboot.

Not really. In this case, it doesn’t matter if it’s offline.
