1. Build an experimental stretch template from source.
2. Clone a `debian-8` template and then modify in the cloned template `/etc/apt/sources.list` and `/etc/apt/sources.list.d/qubes-r3.list` to pull from stretch repos rather than jessie repos.
Simply replace all instances of "jessie" with "stretch".
After that, an `apt-get dist-upgrade` followed by a reboot should "just work".
Unused packages will have to be removed or else it will conflict with the upgrade.
The Debian way (generally) is to start daemons if they are installed.
This means that if you install (say) ssh-server in a template, *all* the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.
So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.
In general, a reasonable approach would be, (using ssh as example):
- Install the ssh service.
- systemctl stop ssh
- systemctl disable ssh
- systemctl mask ssh
- Close down template
Now the ssh service will **NOT** start in qubes based on this template.
Where you **DO** want the service to run, put this in /rw/config/rc.local:
By default, templates in 4.0 only have a loopback interface.
Some packages will thow an error on installation in this situation. For example, Samba expects to be configured using a network interface post installation.
One solution is to add a dummy interface to allow the package to install correctly: