qubes.UpdatesProxy not updating everything over Tor

I appreciate the vote of confidence, guys, but I’m not a technical authority. I’m basically just a user/enthusiast who has been using Qubes for a decently long time and who happens to work on the project as community manager and volunteer website and doc maintainer. There are many folks here who are far more knowledgeable than I am about technical matters. Also, when I don’t comment on something, that shouldn’t be taken as an indication of anything. It probably just means I don’t know about it, didn’t see it, or have no opinion on it.

I don’t know the details of the new system in Qubes 4.1, but my understanding is that these three rules, in this order, in /etc/qubes-rpc/policy/qubes.UpdatesProxy, in Qubes 4.0, are sufficient to ensure that all Whonix VMs are updated through sys-whonix and only through sys-whonix:

@type:TemplateVM	    @default	allow,target=sys-whonix
@tag:whonix-updatevm	@default	allow,target=sys-whonix
@tag:whonix-updatevm	@anyvm		deny

I don’t see why the same wouldn’t hold in Qubes 4.1 in the new unified policy file, but I can’t say with certainty that it does.

As already explained above, both types of syntax are supposed to be compatible in Qubes 4.1. As stated here:

“In all client tools, $ will still be automatically translated into @, so you don’t have to change any existing scripts. However, we highly recommend using only @. Legacy support for $ will continue throughout the Qubes 4.x series and end in Qubes 5.0.”

All I know is what’s stated here:

“One of the new policy files is 35-compat.policy. It loads the old policy files and parses them in a way compatible with the new policy format.”

I interpret this as meaning that the answer to your question is “yes.” At any rate, I can’t see how it would hurt to ensure that the rules in the new and old policy files match.

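An added illustration, not part of the post above and not Qubes's own code: a simplified Python model of first-match evaluation over the three Qubes 4.0 rules quoted in the post, with an audit that lists any VM tagged whonix-updatevm whose default update path is not sys-whonix. The VM names, types and tags, the sys-net rule placed first in `MISORDERED`, and the helper names are assumptions constructed for the example.

```python
# Simplified model of first-match qrexec policy evaluation (not Qubes code).
# Constructed sample inventory: VM names, types and tags are assumptions.
VMS = {
    "whonix-ws": {"type": "TemplateVM", "tags": {"whonix-updatevm"}},
    "fedora-tpl": {"type": "TemplateVM", "tags": set()},
    "anon-app": {"type": "AppVM", "tags": {"whonix-updatevm"}},
}

PAGE_RULES = """\
@type:TemplateVM @default allow,target=sys-whonix
@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny
"""
# Constructed variant: a legacy-syntax rule placed ahead of the page's rules.
MISORDERED = "$type:TemplateVM $default allow,target=sys-net\n" + PAGE_RULES

def parse(text):
    """Return (source, target, action, params) per rule; '$' is read as '@'."""
    rules = []
    for line in text.replace("$", "@").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, spec = line.split(None, 2)
        action, *opts = [p.strip() for p in spec.split(",")]
        rules.append((src, dst, action, dict(o.split("=", 1) for o in opts)))
    return rules

def matches(token, value):
    if value == "@default":  # the caller named no target
        return token in ("@default", "@anyvm")
    if token == "@anyvm":
        return value in VMS
    if token.startswith("@type:"):
        return value in VMS and VMS[value]["type"] == token[6:]
    if token.startswith("@tag:"):
        return value in VMS and token[5:] in VMS[value]["tags"]
    return token == value

def resolve(rules, source, target="@default"):
    """First matching rule decides; no matching rule means the call is refused."""
    for src, dst, action, params in rules:
        if matches(src, source) and matches(dst, target):
            return params.get("target", target) if action == "allow" else "deny"
    return "deny"

def audit(rules, gateway="sys-whonix"):
    """Tagged VMs whose default update path is not the gateway."""
    return sorted(n for n, vm in VMS.items()
                  if "whonix-updatevm" in vm["tags"] and resolve(rules, n) != gateway)
```

With the rules in the order given in the post, `audit(parse(PAGE_RULES))` is empty; with the constructed sys-net rule placed first, the tagged template matches that rule before any Whonix rule is consulted.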