Recommended secure way to install sofware not included in package manager

e.g. snapd packages, discord, etc.

I understand that running any sort of script in the template VM can render the whole template VM malicious if the script was evil.

Don’t want to fork templateVMs excessively due to the need to update them simultaneously (bandwidth+storage requirements).

Haven’t seen documentation on best practices for this, would appreciate any input.

apart from template cloning you could run a script that installs the the things on VM boot in an AppVM…


I’d say verify if you can, otherwise make a “disposable” template. For example, I have a few programs that I don’t trust. I made a debian-untrusted template and installed every program there. Now those untrusted and potentially compromised programs can enjoy each others company and my private applications stay safe. You’d just have to take care not to have anything you’d consider more than useless data on any vm from this template. As for installing it onto your regular work/personal vm, I’d say it’s good enough if the program is verified and you somewhat trust the developers. For highly trusted/critical vms I’d recommend you don’t install anything that isn’t strictly and irreplacably important. Those would (probably) be your vault vm, gui vm and dom0.

1 Like

I had a related question about installing an appimage via a bash script.

Remember that if you can audit the script itself, then it’s fine to run it in a TemplateVM. What the script might download or install might still be malicious, or may be compromised in the future.

I like running the script on AppVM boot rather than installing to TemplateVM. I only trust the distro’s package manager.

On that point, it would be useful to disable the snapd service in the TemplateVM and only enable it on boot in certain AppVMs.

For apps not available in package managers:

  • Create separate disposable download qube
  • curl binary file, like AppImage
  • Considering any curl/http exploits, only download will be compromised
  • Copy binary to template via Qubes IPC
  • Do not execute the binary file in template
  • Now, worst case scenario, only app qube is exploited, not template itself
  • You can schedule app downloads and updates via qrexec-client-vm, triggering from the template. This will save you the manual qvm-copy step

You can install snaps on the AppVMs themselves. Always refer to the documentation first…