But these two programs are designed with secure auto-update in mind.
Verification is a hurdle for many beginners who would then risk running the binaries without checking at all. Including them in Whonix while updating in sync with newer releases upstream, is a better solution.
Implementation:
Making them a part of an independent package that drops the binary at some location in the home folder. In Freenet’s case, all deps are self-contained except openjdk which we can include the small headless version of in the base packages. I can check/download/verify new releases and update the jar in the Whonix package. That shouldn’t be too much overhead since the releases are infrequent.
As for cryptocat, my main goal was to provide something with offline messaging for now until Gajim or CoyIM are ready, but it may be unnecessary.