apt-cacher-ng qube and sys-whonix - Stream Isolation?

To save traffic on template updates I have a dedicated apt-cacher-ng qube based on unman’s cacher qube. I’m planning to move this qube behind sys-whonix and thinking through the Tor hygiene of this move.

My understanding is that, as the apt-cacher-ng service is in its own qube, it will be stream isolated from applications in other qubes that route through sys-whonix. However, because it is not using the uwt wrapper or a similar mechanism, it isn’t stream isolated from potential other network processes on its host qube, nor is it stream isolated from its prior selves across multiple invocations.

Does that all sound correct? If so, I think that’s probably fine. I think I just want to confirm my understanding.

Behind / before is ambiguous. Please write down the connection scheme, such as:

sys-whonix → sys-firewall → sys-net

etc.

It would be directly behind sys-whonix with no mediating VM, like this:

cacher → sys-whonix → sys-firewall → sys-net
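One way to confirm that chain from dom0, as an added example that is not part of this thread: it walks each qube's netvm setting with qvm-prefs (the real Qubes dom0 tool) and compares the result with the expected path; the qube name cacher and the chain are taken from the post above, everything else is assumed.

```shell
# Added example: verify from dom0 that a qube's NetVM chain is exactly
# cacher -> sys-whonix -> sys-firewall -> sys-net, i.e. that the first hop
# after the qube is sys-whonix and no clearnet path exists for apt-cacher-ng.
# Assumes the qube is named "cacher" and that this runs in dom0.

# Print the chain starting at $1 as a space-separated list, e.g.
# "cacher sys-whonix sys-firewall sys-net". Stops at a qube whose netvm is
# unset (qvm-prefs prints nothing or "None") or after 16 hops as a guard.
netvm_chain() {
    vm=$1
    chain=$vm
    hops=0
    while [ "$hops" -lt 16 ]; do
        next=$(qvm-prefs "$vm" netvm 2>/dev/null) || next=""
        case $next in
            ""|None) break ;;
        esac
        chain="$chain $next"
        vm=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$chain"
}

# Return 0 if the chain of qube $1 equals the expected chain $2, else 1.
check_chain() {
    actual=$(netvm_chain "$1")
    [ "$actual" = "$2" ]
}

# Only run the live check where the Qubes dom0 tool actually exists.
if command -v qvm-prefs >/dev/null 2>&1; then
    if check_chain cacher "cacher sys-whonix sys-firewall sys-net"; then
        echo "OK: $(netvm_chain cacher)"
    else
        echo "MISMATCH: $(netvm_chain cacher)" >&2
        exit 1
    fi
fi
```

A mismatch in the first hop (anything other than sys-whonix directly after cacher) is the case to fix before moving updates through the cacher, since that is the hop that decides whether the traffic is torified at all.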

Documented here just now:
Qubes UpdatesProxy Stream Isolation


Thank you for the new documentation. And for all the Whonix documentation, which is both very helpful and suitably intimidating in representing the complexity of online privacy and security. And well, thank you for all your work in guiding this important project.