Use Debian-based templates for all VMs

[redshiftzero]

We need to decide which VMs on the workstation will be using Fedora and which will be using Debian. Both OSs are supported by Qubes, so we can have a mixed architecture. @kushaldas, @emkll and I were discussing this and came up with the following list of pros/cons:

Debian

Pros

• Can reuse packages e.g. MAT which are already packaged for Tails (and are not packaged for Fedora)
• Longer LTS time: we need to have a story for users migrating to new templates, likely this will involve admin intervention (this is basically the equivalent of the manual tails upgrade process). The shorter the LTS time, the higher the burden on users/admins, and probability is higher that users will not do the update and will be running on VMs based on EOLed templates.
• We build tons of deb packages already, can reuse this work

Cons

• Older (stable) packages (though fully patched for CVEs)

Fedora

Pros

• Can potentially leverage community connection through Kushal for packaging work
• Updates regularly to latest packages from upstream
• Default choice for Qubes

Cons

• Shorter LTS time (1 year)
• Less experience on existing team doing rpm packaging
• Some packages that we want are not yet packaged for Fedora, including paxctld, so we would need to do this work

[redshiftzero]

In order to benefit from the LTS time of Debian, we need to migrate all VMs - including the NetVM and FirewallVM to Debian. In addition, we need Debian-based templates for all custom VMs (sd-gpg, sd-svs, etc.).

[conorsch]

With a small tweak to the integration tests, the switch to Debian 9 works well. Submissions can be downloaded and viewed. The only issue was that the Qubes menu entry for sd-svs no longer had a Files choice. After installing nautilus in the debian-9 TemplateVM and syncing the app menus, file viewing worked as expected. Will try to automate that fix and flag in the PR test plan.

[eloquence]

Cross-linking WIP PR for discoverability:
#155

[eloquence]

As discussed in sprint planning today, switching out the Fedora base template for the system-level Debian base template has caused significant problems in review, as even small changes to that template on developer machines can cause errors. The PR for this issue, #155, has been instructive on a number of fronts, but @conorsch has said that he intends to close it in favor of work on #156 and #131. Consistent with that approach, I am closing this issue.