After updating the TemplateVM, at least newly created AppVMs based on the updated TemplateVM should come with an up to date version of Tor Browser.
Updating existing installations of Tor Browser in existing AppVMs. [Economically impossible in the absence of The Tor Project maintaining a proper Debian package while preserving user data (bookmarks, etc.).] Those still have to be updated with Tor Browser's internal updater. If further discussion on this non-goal is required, a separate discussion should be opened.
Alternative technical task title:
ship Tor Browser tarballs in Qubes TemplateVMs in /var/cache/tb-binary and extract in AppVMs at boot time to user's home folder
- in tb-updater postinst / update-torbrowser
Create a package tb-binary, that ships a folder /var/cache/tb-binary that includes the Tor Browser tarball tor-browser-linux64-x.x_en-US.tar.xz as well as signature tor-browser-linux64-x.x_en-US.tar.xz.asc. During boot of AppVMs, a script should check if Tor Browser is already installed in user's home folder. And if not, verify [reusing tb-updater code] and extract Tor Browser from /var/cache/tb-binary to user's home folder. [The verification makes shipping malicious files in the tb-binary package less attractive.]
Configurable through /etc/torbrowser.d folder (can be turned off). Questions: Is there any more appropriate folder than /var/cache/tb-binary as per FHS?