apt-cacher-ng qube and sys-whonix - Stream Isolation?

To save traffic on template updates I have a dedicated apt-cacher-ng qube based on unman’s cacher qube. I’m planning to move this qube behind sys-whonix and thinking through the Tor hygiene of this move.

My understanding is that as the apt-cacher-ng service is in its own qube it will be stream isolated from applications in other qubes that route through sys-whonix. However, because it is not using the uwt wrapper or a similar mechanism, it isn’t stream isolated from potential other network processes on its host qube. Or stream isolated from its prior selves across multiple invocations.

Does that all sound correct? If so, I think that’s probably fine. I think I just want to confirm my understanding.

Behind / before is ambiguous. Please write down connection scheme such as.

sys-whonix → sys-firewall → sys-net


It would be directly behind sys-whonix with no mediating vm, like this:

cacher → sys-whonix → sys-firewall → sys-net

Documented here just now:
Qubes UpdatesProxy Stream Isolation

1 Like

Thank you for the new documentation. And for all the Whonix documentation, which is both very helpful and suitably intimidating in representing the complexity of online privacy and security. And well, thank you for all your work in guiding this important project.