e.g. snapd packages, discord, etc.
I understand that running any sort of script in the template VM can render the whole template VM malicious if the script was evil.
Don’t want to fork templateVMs excessively due to the need to update them simultaneously (bandwidth+storage requirements).
Haven’t seen documentation on best practices for this, would appreciate any input.
apart from template cloning you could run a script that installs the the things on VM boot in an AppVM…
I’d say verify if you can, otherwise make a “disposable” template. For example, I have a few programs that I don’t trust. I made a debian-untrusted template and installed every program there. Now those untrusted and potentially compromised programs can enjoy each others company and my private applications stay safe. You’d just have to take care not to have anything you’d consider more than useless data on any vm from this template. As for installing it onto your regular work/personal vm, I’d say it’s good enough if the program is verified and you somewhat trust the developers. For highly trusted/critical vms I’d recommend you don’t install anything that isn’t strictly and irreplacably important. Those would (probably) be your vault vm, gui vm and dom0.
I had a related question about installing an appimage via a bash script.
Remember that if you can audit the script itself, then it’s fine to run it in a TemplateVM. What the script might download or install might still be malicious, or may be compromised in the future.
I like running the script on AppVM boot rather than installing to TemplateVM. I only trust the distro’s package manager.
On that point, it would be useful to disable the snapd service in the TemplateVM and only enable it on boot in certain AppVMs.
For apps not available in package managers:
download qubecurl binary file, like AppImagedownload will be compromisedqrexec-client-vm, triggering from the template. This will save you the manual qvm-copy stepYou can install snaps on the AppVMs themselves. Always refer to the documentation first…