I have both of the Qubes repos disabled from the command line. Qubes still shows them as having updates, though. Do I need to do more to clear those? Not used to Debian systems.
The documentation does not list a Qubes compile target. Do I just want to compile for qcow2?
Other than that. How should I approach keeping my compile environment secure? Download source code to a Qube, and then copy it over to the Whonix compile environment, which does not have networking?
After I finish compilation I just overwrite the Whonix Qubes VMs?
I am not sure what you want to do, but try doing this for Debian templates first.
This is sufficient:
What Qubes dom0 is saying in the graphical user interface (GUI) could be a bug. Often you can trust the command line interface (CLI) tool output more. GUI is mostly just showing what it can gather from CLI. Hence more vulnerable to such kind of bugs.
I’m trying to compile my Qubes Whonix template from source, rather than using the repo provided. I don’t see a target for Xen in the documentation. I want to verify the source code prior to building.
That answers it more or less. If Whonix switched to Gentoo. I think it would be a solution for the difficult parts. But, that might break everything else.
In terms of building the Qubes template I managed to get to the point of verifying the signed tag. However, I cannot verify tag 19a3a1517d9703ea45bf9a6da05a7ca501e31a37. I added your key to my pgp keyring, and gave it ultimate signing authority. But, I’m still failing on that tag. I also believe I have all of the required Qubes developer signatures imported.