freedomofpress / securedrop-workstation

Qubes-based SecureDrop Journalist Workstation environment for submission handling
GNU Affero General Public License v3.0

Updater: use Qubes Updater's "stale-detection" functionality and replace VM updatedness checks #1141

Open deeplow opened 2 months ago

deeplow commented 2 months ago

Description

Recently the Qubes updater started conditionally targeting templates based on how long ago they had their updates checked and reported as having updates. So we should consider dropping the --force-update flag introduced by https://github.com/freedomofpress/securedrop-workstation/issues/1140 and move to an --update-if-stale 1.

This requires:

The end result will be that sometimes the updater will have no template to update. So it's kind of a shortcut to always having to update all the templates.

How will this impact SecureDrop/SecureDrop Workstation users?

Not much, since all templates are updated at the same time, anyways.

How would this affect the SecureDrop Workstation threat model?

It shouldn't.

User Stories

As an SDW developer, I'd like to have less code and delegate functionality to Qubes features that have superseded our own implementation.

deeplow commented 2 months ago

Copy-pasting some support for this from another thread so as not to lose track of it.

@rocodes says:

[...] Briefly I'd be in favour of moving to every 24h and update-if-stale 1 and the GUI updater after this release [1.0.0] [...]