debian: disable timer-based apt-get

Debian stretch in default configuration calls apt-get update every 24h.
And additionally, has automatic unattended security updates enabled.
Generally it would be a good thing on a standalone system, but in an AppVM,
which loses its rootfs changes after restart, it is a waste of resources.
Especially when it kicks in on multiple VMs simultaneously, while on
battery (apt-daily.service has ConditionACPower=true, but the VM doesn't have
that information...).

It would make some sense on TemplateVM/StandaloneVM, but then it kicks
in just at VM startup. Which conflicts with starting the update manually
then (by clicking "update VM" button in manager for example, or using
salt).

So, disable this feature completely.

The actual solution is based on pkg-manager-no-autoupdate by @adrelanos.

Fixes QubesOS/qubes-issues#2621
Marek Marczykowski-Górecki 6 years ago
parent
commit
128af0d191
3 changed files with 28 additions and 0 deletions
  1. Makefile (+1, -0)
  2. debian/qubes-core-agent.install (+1, -0)
  3. misc/apt-conf-70no-unattended (+26, -0)

+ 1 - 0
Makefile

@@ -326,6 +326,7 @@ install-deb: install-common install-systemd install-systemd-dropins
 	install -d $(DESTDIR)/etc/needrestart/conf.d
 	install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg
+	install -D -m 0644 misc/apt-conf-70no-unattended $(DESTDIR)/etc/apt/apt.conf.d/70no-unattended
 
 	mkdir -p $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/haveged.service  $(DESTDIR)/etc/systemd/system/
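
Review bot: the subject line says "timer-based", but the only thing the added `install -D -m 0644 misc/apt-conf-70no-unattended ...` line ships is an APT configuration fragment; nothing in this target touches the apt-daily systemd units named in the commit message. If the intent is to leave the units enabled and rely on `APT::Periodic::Enable "0"` to make the periodic job a no-op, please say so in the commit message or in a comment next to this line, so a later reader does not assume the units themselves were disabled.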

+ 1 - 0
debian/qubes-core-agent.install

@@ -1,5 +1,6 @@
 etc/X11/xorg-preload-apps.conf
 etc/apt/apt.conf.d/00notify-hook
+etc/apt/apt.conf.d/70no-unattended
 etc/apt/sources.list.d/qubes-r4.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/default/grub.d/30-qubes.cfg

+ 26 - 0
misc/apt-conf-70no-unattended

@@ -0,0 +1,26 @@
+## Based on pkg-manager-no-autoupdate by Patrick Schleizer <adrelanos@riseup.net>
+## https://github.com/Whonix/pkg-manager-no-autoupdate
+
+## Disable automatic update check APT::Periodic::Update-Package-Lists
+## which is the Debian default in /etc/apt/apt.conf.d/10periodic.
+##
+## The execution time would be too predictable, thus make us fingerprintable.
+##
+## 20noperiodic comes after 10periodic in alphabet so it takes precedence.
+##
+## Quoted from the Debian Handbook
+## http://debian-handbook.info/browse/wheezy/sect.apt-get.html
+##
+## "[...] Each directory represents a configuration file which is split over multiple
+## files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions
+## for the configuration of APT. APT includes them in alphabetical order, so that the
+## last ones can modify a configuration element defined in one of the first ones. [...]
+##
+## That changes take effect can be verified using:
+## apt-config dump
+
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";
+APT::Periodic::Unattended-Upgrade "0";
+APT::Periodic::Enable "0";
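
Review bot: the header comment "20noperiodic comes after 10periodic in alphabet so it takes precedence" names a file that does not exist in this change; the fragment is installed as 70no-unattended, so the comment should say that 70no-unattended sorts after 10periodic (and after any other lower-numbered fragment that sets APT::Periodic values). The stated rationale ("execution time would be too predictable, thus make us fingerprintable") is also carried over from the upstream project and differs from the reason given in the commit message (wasted resources in AppVMs, and a conflict with manually started updates in templates); a line giving the Qubes-specific reason would help. Minor: the Debian Handbook quotation opens with `"[...]` and is never closed.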