It’s exciting to see this discussion here. After last September’s Qubes OS Summit, I analyzed the current beta version of the SecureDrop Workstation in terms of the so-called “twelve-factor methodology” for server applications, in order to test how applicable these high-level architectural concepts from the server and “cloud-native” worlds might be to a multi-VM application on Qubes. I also speculated about what it might mean for an application to be affirmatively “Qubes-native”, beyond being merely compatible with running inside a Qubes VM.
I’ve made this working paper available as a GitHub gist for review and comment: