Basically, the argument that led to the change was about the complications of doing some MITM proxy to be able to translate HTTPS to HTTP (inspect the URL in the proxy) to HTTPS (egress from the proxy).
So the logic applied was about blocking Firefox in the template, basically, and nothing else.
This goes back to the cache-proxy idea, for which funding would probably be available. A practical solution with no user-based manual translation, resulting in a drop-in workable solution without hacks (apt-cache-like, but transparent to the user), would probably resolve the problem, while a bonus of having it by default could be caching template package downloads to be reused across cloned templates.
Reminder: apt-cache-ng is currently for advanced users. We cannot ask users to rewrite their repository definitions…
Edit: this is the interesting post by @unman, followed by @marmarek who likes it: [Contribution] qubes-updates-cache · Issue #1957 · QubesOS/qubes-issues · GitHub
The same problem applies though. How to get the @%#%#$&# GPG keys into the TemplateVM so new repositories can be added by users without compromising the template, and get rid of tinyproxy once and for all?
Maybe the wrapper needs to be around the GPG key download then. Having a tool for Qubes to download armored/binary GPG keys, load them with gpg --homedir=$(mktemp -d), list the keys, have the user confirm… Should the wrapper be using the apt-cache-proxy logic?
@unman said in the referred issue that salt could be applied to sed the repositories deployed in the TemplateVM on a second run from dom0. So maybe this is what we really want?
Edit2: @sven: you seem to be the most active user of apt-cache-ng! I just finished reading issue 1957. Maybe you want to relaunch the discussion there on what is missing for it to be included? What should the salt script do? Collaborate with @unman on that to replace tinyproxy?
And the main question, sorry to be a bummer… How to properly wrap a GPG public key download/verification so that the user can confirm the long fingerprint prior to the whole shebang being written and trusted from a user command?
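One way the wrapper asked about above could look, as an added example that is not code from the post or from Qubes OS: the downloaded key is imported into a throw-away GnuPG homedir, only the primary-key fingerprint is shown and compared against the one the user expects (full 40 hex digits, short IDs rejected), and the key is exported to the real destination only after that check and an explicit confirmation. Function names and the destination path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the post or Qubes OS. Import a downloaded key into a
# temporary homedir, verify the primary fingerprint, then export it.
set -eu

# Strip spaces and colons and upper-case, so "ab cd" and "AB:CD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# True only for a full 40-hex-digit fingerprint that equals the expected one;
# short key IDs are rejected because they are trivially collidable.
fpr_matches() {
    got=$(normalize_fpr "$1")
    expected=$(normalize_fpr "$2")
    case "$got" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$expected" ]
}

# Primary-key fingerprints in a homedir: the "fpr" record directly after each
# "pub" record in gpg's machine-readable --with-colons output (subkeys skipped).
primary_fprs() {
    gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" { if (want) print $10; want = 0 }'
}

# install_apt_key <downloaded key (armored or binary)> <expected fpr> <dest.gpg>
# Nothing touches <dest.gpg> until the fingerprint check and the prompt pass.
install_apt_key() {
    keyfile=$1; expected=$2; dest=$3
    tmphome=$(mktemp -d)
    chmod 700 "$tmphome"
    gpg --homedir "$tmphome" --batch --quiet --import "$keyfile" 2>/dev/null
    fprs=$(primary_fprs "$tmphome")
    if [ "$(printf '%s\n' "$fprs" | wc -l)" -ne 1 ]; then
        echo "refusing: key file must contain exactly one primary key" >&2
        rm -rf "$tmphome"; return 1
    fi
    if ! fpr_matches "$fprs" "$expected"; then
        echo "fingerprint mismatch: got $fprs, expected $expected" >&2
        rm -rf "$tmphome"; return 1
    fi
    printf 'Key fingerprint: %s\nWrite this key to %s? [y/N] ' "$fprs" "$dest"
    read -r answer
    if [ "$answer" = "y" ]; then
        # Binary keyring suitable for a sources.list "signed-by=" entry.
        gpg --homedir "$tmphome" --batch --export "$fprs" > "$dest"
    fi
    rm -rf "$tmphome"
    [ "$answer" = "y" ]
}
```

Typical call: install_apt_key ./downloaded.asc "<fingerprint from the vendor's docs>" /usr/share/keyrings/example-archive-keyring.gpg, run inside the TemplateVM after the file has been fetched through the update proxy.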