Update-torbrowser and disposable templates

Could someone please explain why this wiki page says that update-torbrowser should not be used inside a disposable whonix template?

To me, it seems equivalent to running it inside a whonix app qube (which is ok according to that page): the Torbrowser inside the home directory would be updated, and any disposables launched afterwards would be able to use the new version.

The alternative seems to be: running update-torbrowser in the whonix-workstation template → creating a new disposable template → launching disposables from the new disposable template. It’s a bit more convoluted, so why is it preferable over the first approach?

1 Like

After more reading around the wiki, I found this other page, which says:

The reason is because Tor Browser is stored in folder /var/cache/tb-binary which is non-persistent in Qubes’ Disposable Template (whonix-workstation-18-dvm)

So it seems that, unlike anon-whonix, the whonix-workstation-18-dvm does not create a copy of torbrowser in its home folder when it first launches; instead it relies on the copy in /var/cache/tb-binary, inherited from the template.

To put things into context, I wasn’t even using whonix-workstation-18-dvm myself. I just manually created a disposable template from the workstation template, through the usual Qubes way. I didn’t realise there was special configuration in the default whonix-workstation-18-dvm. Now I wonder what other unusual configuration it has.

On the other hand, I guess my logic in the first post holds, now that I clarified I had in mind a disposable template that I created manually?

1 Like

If you install Tor Browser into the home folder of whonix-workstation-18-dvm, it will now be in the home directory that all DispVMs inherit. That means that when Tor Browser in a Whonix template updates, none of your disposables will inherit it; they will be stuck with the version in the disposable template’s home folder. You will usually launch disposable VMs, not disposable templates; disposable templates are generally used in a “set-and-forget” manner, only booted if you have to change some configuration for DispVMs persistently. This both increases the effort of updating Tor Browser, and increases the chances that you’ll forget and end up in some corner of the Internet with an outdated and vulnerable browser (which is very bad for security for obvious reasons).

If you don’t use update-torbrowser in a disposable template, your DispVMs will be able to copy the system-wide Tor Browser copy into the home directory before launching it, and thus your DispVMs will inherit Tor Browser directly from the “master” template (not the disposable template). That makes updates easier and keeps you more secure.

2 Likes

Documented the above reasoning:

(Several other reasons to not run Tor Browser or Tor Browser Downloader in a disposable template are given there.)

2 Likes

More technical background here:
Tor Browser Update: Technical Details


In theory, tb-starter (torbrowser) by Whonix developers, when starting in a Disposable, could check which Tor Browser version is newer: the one in the home folder (inherited by the Disposable Template) or the one in /var/cache/tb-binary. However, the source code would become more and more complex with more and more code paths to test and more opportunities for bugs. For stability, reduction of complexity and maintainability, things are designed as they are.

2 Likes
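For anyone who built a disposable template by hand, as in the second post, the following is an added example (not from the thread and not Whonix code) of a user-side audit that reports whether a home-folder Tor Browser copy is older than the copy under /var/cache/tb-binary. The version file name `Browser/tbb_version.json`, its `"version"` field, and both directory arguments are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: audit for a home-folder Tor Browser copy that shadows the
# copy inherited from the template. Not part of tb-starter or tb-updater.
# ASSUMPTION: each copy holds a JSON version file with a "version" field;
# the default relative path below is an assumption and can be overridden.

# Print the "version" value found in a version file; fail if unreadable.
tb_version() {
    [ -r "$1" ] || return 1
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# tb_shadow_status HOME_COPY SYSTEM_COPY [VERSION_FILE]
# Prints: no-home-copy | same | home-older | home-newer | unknown
tb_shadow_status() {
    home_copy=$1
    system_copy=$2
    vfile=${3:-Browser/tbb_version.json}

    # No copy in the home folder: disposables use the template's copy.
    [ -d "$home_copy" ] || { echo no-home-copy; return 0; }

    hv=$(tb_version "$home_copy/$vfile") || hv=
    sv=$(tb_version "$system_copy/$vfile") || sv=
    if [ -z "$hv" ] || [ -z "$sv" ]; then
        echo unknown
        return 0
    fi
    if [ "$hv" = "$sv" ]; then
        echo same
        return 0
    fi

    # sort -V (GNU coreutils) orders 14.0.9 before 14.0.10; a plain
    # string comparison would get that wrong.
    newest=$(printf '%s\n%s\n' "$hv" "$sv" | sort -V | tail -n 1)
    if [ "$newest" = "$sv" ]; then echo home-older; else echo home-newer; fi
}

# Usage (placeholders, fill in the real directories):
#   sh tb-audit.sh "$HOME/<home-copy-dir>" "/var/cache/tb-binary/<copy-dir>"
if [ "$#" -ge 2 ]; then
    tb_shadow_status "$@"
fi
```

A result of `home-older` inside a disposable template means every disposable started from it launches the outdated home-folder copy. Alpha or release-candidate version strings may not order correctly under `sort -V`.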