Whonix 15 has been released


Andrew David Wong

Jul 1, 2019, 10:53:09 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com

Dear Qubes Community,

The Whonix Project [1] announced the release of Whonix 15 today. [2]
Project lead Patrick Schleizer [3] wrote:

> After approximately one year of development, the Whonix Project is
> proud to announce the release of Whonix 15.
>
> Whonix 15 is based on the Debian buster (Debian 10) distribution.
> This means users have access to many new software packages in
> concert with existing packages, such as a modern branch of GnuPG,
> and more.

For a list of major new features and further details, please see the
official announcement. [2]

Please note that, according to the Whonix Support Schedule [4], Whonix
14 will reach end-of-life (EOL) in one month.
Therefore, all current Whonix users are urged to upgrade from Whonix
14 to Whonix 15 [5] within the next month.


[1] https://www.whonix.org/
[2] https://forums.whonix.org/t/whonix-15-has-been-released/7616
[3] https://www.qubes-os.org/team/#patrick-schleizer
[4] https://www.whonix.org/wiki/About#Support_Schedule
[5] https://www.whonix.org/wiki/Upgrading_Whonix_14_to_Whonix_15

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/07/01/whonix-15-has-been-released/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


haaber

Jul 2, 2019, 9:24:01 PM
to qubes...@googlegroups.com
> Dear Qubes Community,
>
> The Whonix Project [1] announced the release of Whonix 15 today. [2]
> Project lead Patrick Schleizer [3] wrote:
>
>> After approximately one year of development, the Whonix Project is
>> proud to announce the release of Whonix 15.
>
> Please note that, according to the Whonix Support Schedule [4], Whonix
> 14 will reach end-of-life (EOL) in one month.
> Therefore, all current Whonix users are urged to upgrade from Whonix
> 14 to Whonix 15 [5] within the next month.

The "instructions" on the whonix webpage are more than confusing. There
are 3 alternative "ways" suggested. Which one is best/advised?

I got the impression that a complete reinstall requires (a) a fedora
appvm (I have none), (b) does *not* work over TOR, since the AppVM's
based on whonix must be removed (or set to dummy template) before
removing the whonix-14-templates. Then sys-whonix is gone, right?
That seems awkward as procedure. Can someone explain, please? Why can't I
install whonix-gw-15 and whonix-ws-15 via dnf in dom0 and THEN remove
the *-14-* ones? Cheers, Bernhard

dro...@gmail.com

Jul 3, 2019, 10:43:26 AM
to qubes-users

Honestly, I'm surprised whonix went ahead and released a major upgrade, on a new Debian version that is still frozen, and hasn't been released yet. Maybe they jumped the gun. I would have waited.

Unless you want to join the testing efforts, I would wait until Qubes releases official whonix templates, before trying to install the new version.

Daniil Travnikov

Jul 3, 2019, 11:21:44 AM
to qubes-users
On Wednesday, July 3, 2019 at 5:43:26 PM UTC+3, dro...@gmail.com wrote:
> Unless you want to join the testing efforts, I would wait until Qubes releases official whonix templates, before trying to install the new version.

What do you mean? I thought version 15 of Whonix was already official in Qubes. Or am I missing something?

Daniil Travnikov

Jul 3, 2019, 11:25:58 AM
to qubes-users
On Wednesday, July 3, 2019 at 4:24:01 AM UTC+3, haaber wrote:
> The "instructions" on the whonix webpage are more than confusing. There
> are 3 alternative "ways" suggested. Which one is best/advised?
>
> I got the impression that a complete reinstall requires (a) a fedora
> appvm (I have none), (b) does *not* work over TOR, since the AppVM's
> based on whonix must be removed (or set to dummy template) before
> removing the whonix-14-templates. Then sys-whonix is gone, right?
> That seems awkward as procedure. Can someone explain, please? Why can't I
> install whonix-gw-15 and whonix-ws-15 via dnf in dom0 and THEN remove
> the *-14-* ones? Cheers, Bernhard

Thank you for your post, I thought that I was alone, but I think the same.

I don't understand why in Qubes we can't install Whonix Templates of any version from Dom0 like we usually do when we want to install Fedora,
for example:

sudo qubes-dom0-update qubes-template-fedora-XX

trichel

Jul 3, 2019, 11:45:09 AM
to haaber, qubes...@googlegroups.com
> > Dear Qubes Community,
> > The Whonix Project [1] announced the release of Whonix 15 today. [2]
> > Project lead Patrick Schleizer [3] wrote:
> >
> > > After approximately one year of development, the Whonix Project is
> > > proud to announce the release of Whonix 15.
>
> > Please note that, according to the Whonix Support Schedule [4], Whonix
> > 14 will reach end-of-life (EOL) in one month.
> > Therefore, all current Whonix users are urged to upgrade from Whonix
> > 14 to Whonix 15 [5] within the next month.
>
> The "instructions" on the whonix webpage are more than confusing. There
> are 3 alternative "ways" suggested. Which one is best/advised?
>
> I got the impression that a complete reinstall requires (a) a fedora
> appvm (I have none), (b) does not work over TOR, since the AppVM's
> based on whonix must be removed (or set to dummy template) before
> removing the whonix-14-templates. Then sys-whonix is gone, right?
> That seems awkward as procedure. Can someone explain, please? Why can't I
> install whonix-gw-15 and whonix-ws-15 via dnf in dom0 and THEN remove
> the -14- ones? Cheers, Bernhard

After botching the whonix-14 template with an unsuccessful upgrade attempt I reinstalled it by entering sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-gw-14 as explained at https://www.whonix.org/wiki/Qubes/Reinstall

Because this page gives 'sudo qubesctl state.sls qvm.anon-whonix' as a mandatory step I executed that after the reinstall. This installed 2 new templates whonix-gw-15, whonix-ws-15 and a whonix-ws-15-dvm, with all the old stuff still present. I deleted the Whonix 14 templates with dnf and all seems fine now.

So, apparently just entering sudo qubesctl state.sls qvm.anon-whonix is the easiest way to install new Whonix 15 templates. I didn't create a special update VM for this. Probably it is best to remove the old ones first even though it also works if you don't, apparently. If you need to *upgrade* for some reason (instead of simply replacing the templates with new ones) then you should *NOT* follow this procedure, of course.
Also see: https://www.whonix.org/wiki/Qubes/Install

I find it pretty confusing too ... Maybe an expert can give some additional info :)






dro...@gmail.com

Jul 3, 2019, 11:52:03 AM
to qubes-users

No, it was officially released by WHONIX, not by Qubes. I'm sure the Qubes engineers are working on an official template as we speak.

Daniil Travnikov

Jul 3, 2019, 12:47:41 PM
to qubes-users

Tell me please, where did you find an official Whonix template released by Qubes engineers? I mean, for example, if I now have version 13 of Whonix, where could I get version 14 from?

awokd

Jul 3, 2019, 2:55:12 PM
to qubes...@googlegroups.com
Daniil Travnikov:
I don't see why you couldn't, but you should possibly recreate
sys-whonix and anon-whonix. Not sure it's safe to re-use them. You
should try to use the Salt commands to do this, once you have the -15
templates installed and the -14 and sys/anon-whonix removed. Make sure
you're on mgmt-salt-dom0-virtual-machines v4.0.16 or higher. If you are
doing it manually, you should review everything the scripts do to make
sure you've run the appropriate qvm-features commands, etc. Not
following all the same steps as the Salt scripts could result in
unexpected traffic disclosures. Haven't upgraded these myself yet; I'll
let the early adopters work out the bugs first. ;)

See https://github.com/QubesOS/qubes-issues/issues/3765 and
https://github.com/QubesOS/qubes-issues/issues/3447 for a longer
discussion of why the upgrade procedure is the way it is. If you can
write smarter Salt scripts, I suspect the Whonix team would be appreciative.

awokd

Jul 3, 2019, 4:13:58 PM
to qubes...@googlegroups.com
Daniil Travnikov:
Please see https://www.whonix.org/wiki/Qubes/Install to upgrade your
Whonix qubes. 13 is out of date and unsupported. 15 is the new version.

Whonix templates are developed and maintained by the Whonix team. They
are available from the Qubes "community" repo. Following the linked
procedure will result in them getting downloaded from there. Unless
there have been some recent developments, they are not technically Qubes
official templates- those are located in the templates-itl repo.

In other words, Qubes-Whonix 15 is as official as it's going to get. :)
Looks like Qubes 4.0.2 is on the way which will include the updated
templates too, but it could be a couple months:
https://github.com/QubesOS/qubes-issues/issues/5108.

Jon deps

Jul 3, 2019, 4:24:27 PM
to qubes...@googlegroups.com
besides the script if you don't change the "jinja" file, you won't get
-15 installed

re: removing old anon-whonix TBA-AppVMs
I believe Patrick said: you can either remove sys-whonix (on my machine
sys-whonix-14) before new install or just leave it (and presumably
have it set to 'dummy template' -- not sure why can't just set it to any
other template temporarily )

so presumably that goes for anon-whonix and it's just like any other
template upgrade, reassigning to the new upgraded Template


PS : how would I check I'm on the correct mgmt-salt-dom0-virtual-machine


awokd

Jul 3, 2019, 4:34:00 PM
to qubes...@googlegroups.com
Jon deps:

> besides the script if you don't change the "jinja" file, you won't get
> -15  installed

The version of mgmt-salt-dom0-virtual-machine I mentioned should cover that.

> re: removing old anon-whonix TBA-AppVMs
> I believe Patrick said:  you can either remove sys-whonix (on my machine
> sys-whonix-14)  before   new install  or just leave it (and presumably
> have it set to 'dummy template' -- not sure why can't just set it to any
> other template temporarily )
>
> so presumably that goes for anon-whonix and it's just like any other
> template upgrade, reassigning to the new upgraded Template

Thanks, wasn't sure!

> PS :  how would I check  I'm on the correct  mgmt-salt-dom0-virtual-machine

dom0: dnf list installed

dro...@gmail.com

Jul 3, 2019, 6:11:19 PM
to qubes-users

Followed the instructions, removed ALL whonix stuff.

To install new version, you run:

sudo qubesctl state.sls qvm.anon-whonix

All that did was re-install all of the whonix-14 stuff I just removed. Back to where I started.

Jon deps

Jul 3, 2019, 7:03:16 PM
to qubes...@googlegroups.com
On 7/3/19 8:33 PM, 'awokd' via qubes-users wrote:
> Jon deps:
>
>> besides the script if you don't change the "jinja" file, you won't get
>> -15  installed

Well it's in his docs for New Install , added after the other elements
were, apparently

>
> The version of mgmt-salt-dom0-virtual-machine I mentioned should cover that.
>
>> re: removing old anon-whonix TBA-AppVMs
>> I believe Patrick said:  you can either remove sys-whonix (on my machine
>> sys-whonix-14)  before   new install  or just leave it (and presumably
>> have it set to 'dummy template' -- not sure why can't just set it to any
>> other template temporarily )
>>
>> so presumably that goes for anon-whonix and it's just like any other
>> template upgrade, reassigning to the new upgraded Template
>
> Thanks, wasn't sure!


He just made the remark re: sys-whonix so it's just a presumption


>
>> PS :  how would I check  I'm on the correct  mgmt-salt-dom0-virtual-machine


>
> dom0: dnf list installed

well this doesn't show the version all the other qubes-mgmt-salt show
versions but Not

qubes-mgmt-salt-dom0-virtual-machines.noarch

dom0 ~]$ dnf list -v installed|grep mgmt
qubes-mgmt-salt.noarch 4.0.18-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-admin-tools.noarch 4.0.18-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-base.noarch 4.0.3-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-base-config.noarch 4.0.1-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-base-overrides.noarch 4.0.2-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-base-overrides-libs.noarch
qubes-mgmt-salt-base-topd.noarch 4.0.1-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-config.noarch 4.0.18-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-dom0.noarch 4.0.18-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-dom0-qvm.noarch 4.0.8-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-dom0-update.noarch 4.0.8-1.fc25 @qubes-dom0-cached
qubes-mgmt-salt-dom0-virtual-machines.noarch

awokd

Jul 3, 2019, 10:10:13 PM
to qubes...@googlegroups.com
dro...@gmail.com:

> Followed the instructions, removed ALL whonix stuff.
>
> To install new version, you run:
>
> sudo qubesctl state.sls qvm.anon-whonix
>
> All that did was re-install all of the whonix-14 stuff I just removed. Back to where I started.

Well, huh. Here's the merge to master that should have set it to pull
-15 instead. Try updating that jinja file manually per Jon's suggestion?

awokd

Jul 3, 2019, 10:13:04 PM
to qubes...@googlegroups.com
Jon deps:
> On 7/3/19 8:33 PM, 'awokd' via qubes-users wrote:

>> dom0: dnf list installed
>
> well this doesn't show the version  all the other qubes-mgmt-salt  show
> versions but Not
>
> qubes-mgmt-salt-dom0-virtual-machines.noarch

Try dnf info then.

dimi

Jul 4, 2019, 12:14:40 AM
to qubes-users
I think the whonix upgrade guide is missing how to handle the a) renaming of the now upgraded templates or b) deleting them. I tried renaming 14 to 15 and ended up with new templates having the upgraded name with 15 in them. Maybe this is just a problem with Qubes Manager.

Please advise how to proceed: delete the new 15 templates and manually rename the 14 ones to 15, or manually delete the upgraded 14 templates?

dro...@gmail.com

Jul 4, 2019, 1:15:51 AM
to qubes-users

Actually, I found an easier way. The way it should be, really.

From dom0 terminal:

sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=install qubes-template-whonix-gw-15

sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=install qubes-template-whonix-ws-15

Works fine here. Can't upgrade from Qube Manager, but can upgrade manually from a terminal:

sudo apt-get-update-plus dist-upgrade

When a new template comes out, should be easy to upgrade to, or at a minimum, just remove, then install new one. I'll stick with these for now. Works.

Jon deps

Jul 4, 2019, 1:19:49 AM
to qubes...@googlegroups.com
On 7/4/19 4:14 AM, dimi wrote:
> I think the whonix upgrade guide is missing how to handle the a) renaming of the now upgraded templates or b) deleting them. I tried renaming 14 to 15 and ended up with new templates having the upgraded name with 15 in them. Maybe this is just a problem with Qubes Manager.
>
> Please advise how to proceed: delete the new 15 templates and manually rename the 14 ones to 15, or manually delete the upgraded 14 templates?
>

they usually want you to ask Whonix questions on the Qubes-Whonix forum
fwiw

https://forums.whonix.org/c/qubes-whonix

Jon deps

Jul 4, 2019, 3:46:49 PM
to qubes...@googlegroups.com
ah ok so
$dnf info says

I'm on
Installed Packages
Name : qubes-mgmt-salt-dom0-virtual-machines
Arch : noarch
Epoch : 0
Version : 4.0.15
Release : 1.fc25


not 4.0.16
and
$sudo qubes-dom0-update
says no updates


so, is one supposed to be updating dom0 some other way ?

I do note that whonix-15 seems to be installed , but maybe with 4.0.16
one would not have had to change the "jinja" settings from 14 -> 15 ?

Michał "rysiek" Woźniak

Jul 6, 2019, 1:09:52 AM
to qubes...@googlegroups.com
Hey,

On 7/3/19 4:44 PM, 'trichel' via qubes-users wrote:
>> I got the impression that a complete reinstall requires (a) a fedora
>> appvm (I have none), (b) does not work over TOR, since the AppVM's
>> based on whonix must be removed (or set to dummy template) before
>> removing the whonix-14-templates. Then sys-whonix is gone, right?
>> That seems awkward as procedure. Can someone explain, please? Why can't I
>> install whonix-gw-15 and whonix-ws-15 via dnf in dom0 and THEN remove
>> the -14- ones? Cheers, Bernhard
>
> After botching the whonix-14 template with an unsuccessful upgrade attempt I reinstalled it by entering sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-gw-14 as explained at https://www.whonix.org/wiki/Qubes/Reinstall
>
> Because this page gives 'sudo qubesctl state.sls qvm.anon-whonix' as a mandatory step I executed that after the reinstall. This installed 2 new templates whonix-gw-15, whonix-ws-15 and a whonix-ws-15-dvm, with all the old stuff still present. I deleted the Whonix 14 templates with dnf and all seems fine now.
>
> So, apparently just entering sudo qubesctl state.sls qvm.anon-whonix is the easiest way to install new Whonix 15 templates. I didn't create a special update VM for this. Probably it is best to remove the old ones first even though it also works if you don't, apparently. If you need to *upgrade* for some reason (instead of simply replacing the templates with new ones) then you should *NOT* follow this procedure, of course.
> Also see: https://www.whonix.org/wiki/Qubes/Install
>
> I find it pretty confusing too ... Maybe an expert can give some additional info :)

No expert here, but tested stuff on a QubesOS R4.0 with a working Whonix
14 installation.

Running `sudo qubesctl state.sls qvm.anon-whonix` alone would *not*
install Whonix 15 for me, it would just note that all relevant VMs exist
already and call it quits.


What worked for me was:


1. Install the Whonix 15 templates:

sudo qubes-dom0-update \
--enablerepo=qubes-templates-community \
--action=install \
qubes-template-whonix-gw-15 \
qubes-template-whonix-ws-15


2. Using Qube Manager, change the templates for relevant qubes
(sys-whonix, anon-whonix, whonix-ws-14-dvm) to relevant Whonix 15 templates.

Restart any modified qubes afterwards, of course, and test stuff works.


3. Remove the unneeded Whonix 14 templates:

sudo dnf remove \
qubes-template-whonix-gw-14 \
qubes-template-whonix-ws-14



So far so good.

--
Regards,
rysiek


qtpie

Jul 6, 2019, 1:09:52 AM
to qubes...@googlegroups.com


The new template is out. The way to install it is with:
sudo qubesctl state.sls qvm.anon-whonix

If you previously had Whonix 14 installed, change 14 to 15 with:
sudo vim /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

I found this last info on the whonix site but can't find it right now

Jon deps

Jul 8, 2019, 11:30:17 PM
to qubes...@googlegroups.com
On 7/3/19 6:54 PM, 'awokd' via qubes-users wrote:
> Make sure
> you're on mgmt-salt-dom0-virtual-machines v4.0.16 or higher. If you are
> doing it manually, you should review everything the scripts do to make
> sure you've run the appropriate qvm-features commands, etc. Not
> following all the same steps as the Salt scripts could result in
> unexpected traffic disclosures.


so for the record as far as I can tell v4.0.15 is the "latest" please
tell me if it makes some difference.

if I'm going to need to 'review salt scripts' probably time to move on

appreciate the Qubes devs, but I sort of don't want to know what salt is
and does beyond the very basics :)

unman

Jul 9, 2019, 8:59:12 AM
to qubes...@googlegroups.com
Yes, the release has not been well co-ordinated.
4.0.16 is in testing - you can install it from there by using :
qubes-dom0-update --best --enablerepo=qubes-dom0-current-testing mgmt-salt-dom0-virtual-machines
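
Added example, not part of any post in this thread: a pre-flight check for the two conditions discussed above, namely that qubes-mgmt-salt-dom0-virtual-machines is at least 4.0.16 before running qubesctl, and that no qube is still based on a Whonix 14 template before those templates are removed. The function names and sample inputs are constructed for illustration; the input formats assume `dnf info` text and `qvm-ls --raw-data --fields name,template` output from dom0.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Whonix 14 -> 15 template switch.
# All sample input below is constructed; on a real system the text would come
# from `dnf info qubes-mgmt-salt-dom0-virtual-machines` and
# `qvm-ls --raw-data --fields name,template` run in dom0.

REQUIRED="4.0.16"   # minimum formula package version named in the thread

# Read `dnf info` text on stdin, print the value of its "Version" field.
# Prints nothing when the field is absent (e.g. truncated `dnf list` output).
pkg_version() {
    awk -F: '$1 ~ /^Version[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Succeed when version $1 >= version $2, comparing per numeric component
# (a plain string comparison would rank 4.0.9 above 4.0.16).
version_ge() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Read "name|template" lines on stdin, print qubes still on a Whonix 14 template.
leftover_whonix14() {
    awk -F'|' '$2 ~ /^whonix-(gw|ws)-14$/ { print $1 }'
}

# $1 = dnf info text, $2 = qvm-ls text. Returns 0 only when both checks pass.
preflight() {
    status=0
    ver=$(printf '%s\n' "$1" | pkg_version)
    if version_ge "$ver" "$REQUIRED"; then
        echo "formula package $ver: ok"
    else
        echo "formula package ${ver:-unknown} is older than $REQUIRED"
        status=1
    fi
    left=$(printf '%s\n' "$2" | leftover_whonix14)
    if [ -n "$left" ]; then
        # $left is intentionally unquoted to print the names on one line
        echo "still based on Whonix 14:" $left
        status=1
    fi
    return "$status"
}

# Constructed sample: the package version reported in the thread (4.0.15)
SAMPLE_DNF='Installed Packages
Name         : qubes-mgmt-salt-dom0-virtual-machines
Version      : 4.0.15
Release      : 1.fc25'

# Constructed sample: a half-migrated system
SAMPLE_QVM='sys-whonix|whonix-gw-14
anon-whonix|whonix-ws-15
whonix-ws-14-dvm|whonix-ws-14
work|fedora-30'

preflight "$SAMPLE_DNF" "$SAMPLE_QVM" || echo "do not remove the 14 templates yet"
```
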