Thank you all for the vigorous response. As many of you suggested, I had the thought of an internal mirror, but didn’t really know how that worked. @kieran’s flow chart helped me visualize the process and the automated plugin-sync is intriguing.
It is true that our accreditation process does allow binaries to cross the air-gap, but they must be tested/certified. In cases where this has not been done or would take too long, we have been known to rarely compile from source after automated (HP Fortify or similar) and manual review of the code. We don’t have the manpower to compile everything, even if we had the source.
As @Gavaudan suggests, security patches in our truly air-gapped environment are superfluous at best, douchebaggery at worst. I’ve made the argument, but if you have ever read Catch-22, you know what I am up against.
@Skalman is correct that we have a lot of users and a lot of (virtual) computers, but when we do allow users on the system, they will not be allowed to move data across the air-gap – only a limited number of transfer agents will be allowed to do so, and then we may have to enforce 2-person integrity for each transfer. The system will be used for test data analysis, so lots of data will go in, and only a little data will go out (mostly test reports).
I suspect the solution lies in syncing an internet-connected mirror with an internal mirror via sneakernet as several of you have suggested. The devil is in the details, which I will have to learn. If I had a decent internet connection (I don’t), I would set up a mirror at home to iron things out. To test it at work, I might have to set up a system that does not connect to our enterprise network. There will be a significant regulatory hurdle to overcome there, but if I can do that, it would become the outside mirror for the production system. Did I say that, for the time being, I am essentially one deep? My head is spinning!
As an aside, I also need a way to maintain configuration control. My engineer/users write a fair amount of code for their own data analysis purposes and have asked for a Git repository. I don’t grok Git, but it occurs to me that if I set up a repository to track the configuration of my server and desktop images, I would soon grok in fullness. Hopefully, I wouldn’t be such an idiot when it came to administering the repository for the engineers!