- That bug looks ugly, almost as bad as Heartbleed for us. Please give me what commands I can use to build apt from source to mitigate [DSA 3031-1] apt security update
A terrible idea IMHO, now we are extending the trusted computing base to include more (apt components) on the gateway. Increasing any access to the workstation is a bad idea in general whether that access is configurable or not.
Sounds better on paper, but I doubt most inexperienced users would know how or go through the process. It would be encouraging if there is an example tutorial to be written up for it and should be recommended only for critical packages. A whonix-news event concerning this would link to the tutorial and recommend that packages be downloaded some other way outside apt itself, using TBB for example.
Always Up to Date Builds
The best option, and it is what most major distros do. Testing is not that critical if all that is done is updating the concerned packages based on the last released stable build. Whonix-news would simply recommend to download the latest point release.
What are the critical packages?
(only ones on gateway)
-Tor and any related component that communicates with the network.
(The last two don't apply if the user disabled their components. Whonix development is moving in the direction of hardening components that communicate with the network and using pinned websites.)
-Use Whonix-News as a way to notify users if any of the critical packages have had a serious security hole discovered in them between the time they downloaded and initial runtime. It should tell them to download an updated version of Whonix immediately.