Updated Bookworm, Parrot, and Arch templates

If any one is interested I’ve posted some updated templates for
Debian-12, archlinux-minimal, and Parrot-pwn. I think they work
reasonable well.
Instructions are here

Bookworm based templates cant be updated using the GUI tool, because
there’s no salt-ssh package as yet. We are aware of this, but expect it
to be fixed by the time bookworm is released.

I have a new Kali template and a black arch - I need to finalise and
rebuild, then I’ll put these up.

The prebuilt Ubuntu templates are quite old - there’s an open issue about
building jammy, which I have not resolved to my satisfaction. Once I do I
will rebuild jammy and post it as well as a Vera Mint.
These are, of course, unofficial builds so you are trusting me to do the
right thing ™

I’ve posted before a guide to customising the existing template builds

  • you can read it here

Remember that you might like the look of (e.g) a Mint desktop, but you
wont get that from a template. Some people do not understand this.
Also, using any bookworm based distro, or any rolling distro, is
a) insecure, and b) likely to generate a large amount of update traffic.

Always happy to look at other templates or new flavours. (Please don’t
suggest *BSD - it pains me as it is.)

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I recently started exploring the possibility of building an Alpine template, but haven’t gotten around to it yet.

Should you decide to make one available, I’d be willing to test it out.


May be something going on with the bookworm build and/or not functional from qubes console update?

/etc/apt/sources.list reads:

deb http://HTTPS///deb.debian.org/debian bookworm main contrib non-free


deb http://deb.debian.org/debian bookworm main contrib non-free

Have you seen this:
@unman I really like to have a prebuild Alpinelinux template

1 Like

That’s apt-cacher-ng syntax in place of a https:// … I know @unman uses it, so this might be a little oversight. Thanks for reporting it!

1 Like

@unman, why are rolling distributions unsafe? Please explain. The only reason I can think of is the possible breakage of qubes-specific packages when upgrading. What else?

Re: bookworm-minimal template

  1. There’s the aforementioned apt-cacher-ng syntax
  2. Entries in /etc/apt/sources.list.d/qubes-r4.list are using r4.2 as opposed to r4.1

I found no love with the above template nor the classic in-place upgrade but, found this allows me salt/GUI Update functionality.

That was a trial from 4 months ago - I should pull it.

On the `apt-cacher-ng syntax, I will include this depending on the target
If a template is primarily aimed at users who will be using
apt-cacher-ng, then I bake it in.
@Insurgo has suggested that I modify the system so that new templates
will be installed and modified if cacher is installed.This is a good
idea, but I have little time to do this, and it is a major intervention
for an unofficial project, I think.

@unman if we are referring to Deploy inotifywait script to modify repo definitions when they change · Issue #17 · unman/shaker · GitHub the idea was to deploy a service in cacher enabled templates so that those templates (and qubes based on them) could have their repo definitions automatically adapted to point to cacher, rewriting repo files as soon as touched.

I can only emphasise again that debian-12 pushes for extrepo, and that this project seems to be an easy solution to resolve the problem of deploying new repo+software from qubes users. Thinking of building blocks here and trying to get advanced users to chime in to one day have what users need and reducing complexity. We are still far from the day users will point and click to install Signal into their personal qube without having to know the template it is based on, but with those building blocks slowly getting traction, we will get there.

Cacher is amazing. Kept track of the changes I had to apply to have things cached and cleaned as I need it to be, but for cacher, the problem is still present. We can either leave the templates repo definition intact so that software can be deployed onto qubes not talking to cacher, or have everything passing through cacher. And having inotifywait could seal the deal here if template/qube is instructed to use the update proxy. That inotifywait service could be applied conditionally of the update proxy service running+cacher being deployed, and listen and apply changes transparently.

1 Like