I want to understand whether the deb or flatpak is preferable in regards to Stream Isolation and any other factors, and if any additional configuration is required.
For both Element / Signal-desktop, the deb approach is official: https://www.signal.org/download/linux/ , https://element.io/download#linux-details . My approach until today has been to clone the whonix-ws-16 template, and to follow these instructions in the cloned template. I don’t understand onion-grater enough to say - is this stream isolated?
A guide for installing both applications on Tails, which I know also has an onion-grater implementation, uses the flatpak and exports variables for the Tor connection: 0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo
Another approach I’ve seen (again for Tails) is to use torsocks --isolate.
So my question is, what is the most secure way of installing Signal-desktop and Element desktop in a Whonix Workstation app qube? My understanding is that Whonix Gateway will take care of stream isolation, so the official deb approach is fine, but I just want to verify…
Relatedly, is there a reason that Element desktop isn’t installed by default in Whonix workstation? It has been audited: https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption
When using flatpak, that could be even harder as torsocks might not support flatpak because it uses its own sandbox, which might quite conceivably break torsocks.
Stream isolation isn’t a simple yes/no thing. Multiple different Whonix-Workstations are stream isolated from each other, but not every custom installed application inside Whonix-Workstation can be automatically stream isolated.
This is unrelated to apt, deb, manual installation or flatpak.
It’s a complex topic.
1 blocker without considering further for now:
Element is not available from packages.debian.org. related:
In regards to torsocks interaction with Flatpak, you’ll notice that About.Privacy tutorial linked above launches Element Desktop with flatpak run im.riot.Riot --proxy-server=socks5://127.0.0.1:9050.
I think that a Matrix client which supports e2ee being a default application in Whonix Workstation would be very relevant to many users. It is of course subjective, but I see this as having a high demand. I would argue its use case is not currently being met by existing default software - Element is much more user-friendly than XMPP, with secure defaults.
In regards to the Whonix Default Application Policy, Element Desktop is only available as a third party deb package repository, from what I understand (official AppImage support discussion here https://github.com/vector-im/element-desktop/issues/657). However, the fork SchildiChat Desktop also has an AppImage, which I understand to be preferred by the Default Application Policy. https://schildi.chat/desktop/
The changelog clearly notes which updates contain security fixes https://github.com/SchildiChat/schildichat-desktop/releases
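Added example (not code from the thread, Whonix, torsocks or Element): the stream isolation discussion above says isolation is not a yes/no property, and the Tails tutorial launches Element with an explicit SOCKS5 proxy flag. Both hinge on the SOCKS5 handshake, which Tor uses as its isolation boundary: streams arriving on different SocksPorts, or presenting different username/password pairs (Tor's IsolateSOCKSAuth, which is what torsocks --isolate relies on), are placed on different circuits. The module below builds those handshake bytes (RFC 1928/1929) so the mechanism can be inspected offline, generates per-launch credentials the way an isolating wrapper would, sends hostnames to the proxy unresolved so no DNS leaves the client, and performs a fail-closed reachability check before constructing the flatpak launch command. The host, port and app id values are assumptions for illustration.

```python
"""SOCKS5 stream isolation illustration (added example, not from the thread).

Tor separates streams by the SOCKS port they arrive on and, with IsolateSOCKSAuth
(on by default), by the SOCKS5 username/password pair the client presents.
torsocks --isolate exploits the latter by sending random credentials per process;
Whonix-Gateway instead assigns each application its own SocksPort.
"""
import secrets
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_REJECTED = 0xFF
ATYP_DOMAIN = 0x03


def isolation_credentials(app_name: str) -> tuple[bytes, bytes]:
    """Fresh random password per launch, so two launches land on distinct circuits.

    The app name only makes the username readable in Tor's logs; the randomness
    in the password is what actually forces a separate circuit.
    """
    return app_name.encode("ascii"), secrets.token_hex(8).encode("ascii")


def greeting(methods=(METHOD_NO_AUTH, METHOD_USERPASS)) -> bytes:
    """Client hello: version, method count, supported auth methods (RFC 1928 s.3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def userpass_request(username: bytes, password: bytes) -> bytes:
    """Username/password sub-negotiation (RFC 1929): both fields are 1..255 bytes."""
    if not (1 <= len(username) <= 255 and 1 <= len(password) <= 255):
        raise ValueError("SOCKS5 credentials must be 1..255 bytes each")
    return bytes([0x01, len(username)]) + username + bytes([len(password)]) + password


def connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name address type, so the proxy resolves the name.

    Sending an IP here would mean the client resolved the name itself, which is
    the classic DNS leak that stream isolation does nothing to prevent.
    """
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 domain address")
    return bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def socks_proxy_reachable(host: str = "127.0.0.1", port: int = 9050, timeout: float = 2.0) -> bool:
    """Fail-closed check: True only if a listener answers the SOCKS5 greeting.

    A plain TCP connect is not enough; an unrelated service on the port would
    make a launcher believe it was proxied when it was not.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(greeting())
            reply = sock.recv(2)
    except OSError:
        return False
    return len(reply) == 2 and reply[0] == SOCKS_VERSION and reply[1] != METHOD_REJECTED


def launch_command(app_id: str, proxy_host: str = "127.0.0.1", proxy_port: int = 9050) -> list[str]:
    """Argument vector mirroring the tutorial's flatpak invocation (assumed app id)."""
    return ["flatpak", "run", app_id, f"--proxy-server=socks5://{proxy_host}:{proxy_port}"]


if __name__ == "__main__":
    # Constructed walk-through: show the bytes, then refuse to launch without a proxy.
    user, pw = isolation_credentials("element")
    print("greeting      :", greeting().hex())
    print("auth request  :", userpass_request(user, pw).hex())
    print("connect       :", connect_request("example.onion", 443).hex())
    if socks_proxy_reachable():
        print("would launch  :", " ".join(launch_command("im.riot.Riot")))
    else:
        print("no SOCKS5 listener on 127.0.0.1:9050; refusing to launch unproxied")
```

Running the module on a machine without a local SOCKS listener prints the handshake bytes and then refuses to build the launch line, which is the behaviour a launcher should have: if the proxy is absent, the application must not start and silently fall back to the default route.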