Fetching updates after disabling qubes-update-check in clearnet qubes


fiftyfour...@gmail.com

Jul 14, 2020, 1:07:13 AM
to qubes-users
I came across this reply by unman while reading through the Qubes Whonix security page:

> It is the qubes that perform update checks and then notify dom0
> accordingly. So if you have a qube connected to clearnet it will check
> over clearnet.
> You can disable this in clearnet connected qubes - it's the
> qubes-update-check service.
> Or you can disable globally in qubes-global-settings.


While the Whonix Wiki maintainer thinks it's enough of an issue to include on the Whonix security page, Marek doesn't think time-based correlation is an issue ("When you actually download and install those updates (over Tor) in the template is up to you, it isn't immediately after checking if something is available, so time based correlation isn't really an issue here").

Though it's not clear to me whether this is actually an issue, I figured I'd do it anyway. My question is, if I wanted to disable the qubes-update-check service, how would I go about updating my templates over Tor? Do I create Debian and Fedora templates linked to sys-whonix just to get updates?

haaber

Jul 14, 2020, 5:00:38 AM
to qubes...@googlegroups.com
> <<--snip-->>
> Though it's not clear to me whether this is actually an issue, I figured
> I'd do it anyways. My question is, if I wanted to disable
> qubes-update-check service, how would I go about updating my templates
> over tor? Do I create debian and fedora templates linked to sys-whonix
> just to get updates?

AFAIK the updates themselves run over sys-whonix by default. So, if you
run e.g. "apt-get update" on your debian-10 template, this connection
goes over Tor. However, the notification about updates to run (the yellow
update wheel widget in the top right corner) goes by default over
the AppVM and so, most of the time, over the clear (as does your clock,
which updates over sys-net).

Since user action is required (by running the update widget or, as I do,
doing it all by hand), the notification is rather uncorrelated with the
download action; I second Marek here.

It is, as always, a convenience-vs-security question. You may uninstall
the qubes-update-check service and run (checks for) updates by hand (or
by script) periodically in your template VMs. The gain is small, the pain
is high, so most people don't do it. That is my POV; maybe there is a
contradicting one?

awokd

Jul 14, 2020, 5:10:30 PM
to qubes...@googlegroups.com
haaber:
In either case, don't forget to have a line in
/etc/qubes-rpc/policy/qubes.UpdatesProxy like:

$type:TemplateVM $default allow,target=sys-whonix

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
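Putting haaber's and awokd's advice together, here is a dom0 helper written for this thread (it is not code from Qubes OS, Whonix, or any poster). It walks each qube's netvm chain to find the ones that reach the network over clearnet, prints the qvm-service commands that disable qubes-update-check in exactly those, and prints the qubes.UpdatesProxy line that sends template updates through sys-whonix. Assumptions not taken from the thread: sys-whonix is the Tor gateway (override with TOR_GATEWAYS), the Qubes 4.0 forms of qvm-ls --raw-list, qvm-prefs, qvm-service and the "@type/@default" policy spelling, the qubes-prefs property check_updates_vm as the global switch behind the qubes-global-settings checkbox unman mentions, and the SAMPLE table, which is constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added example for this thread; not code from Qubes OS, Whonix or any poster.
# Dom0 helper (Qubes 4.0 command syntax) for the setup discussed above:
#   1. work out which qubes reach the network over clearnet, i.e. whose
#      netvm chain never passes through the Tor gateway (assumed: sys-whonix);
#   2. print the qvm-service commands that disable qubes-update-check there;
#   3. print the qubes.UpdatesProxy line that sends template updates via sys-whonix.
# Dry run unless APPLY=1. Outside dom0 (no qvm-* tools) it works on the
# constructed SAMPLE table, so it can be exercised anywhere.
# Global switch behind the qubes-global-settings checkbox (assumed name):
#   qubes-prefs check_updates_vm False

TOR_GATEWAYS="${TOR_GATEWAYS:-sys-whonix}"   # assumption: sys-whonix is the Tor gateway
POLICY=/etc/qubes-rpc/policy/qubes.UpdatesProxy

# Constructed rows "name netvm provides_network", shaped like qvm-prefs output
# ("-" = no netvm). Not captured from a real system.
SAMPLE='sys-net - True
sys-firewall sys-net True
sys-whonix sys-firewall True
work sys-firewall False
anon-whonix sys-whonix False
vault - False
debian-10 - False'

is_tor_gateway() {
    for gw in $TOR_GATEWAYS; do
        [ "$1" = "$gw" ] && return 0
    done
    return 1
}

# field NAME COL TABLE -> column COL of NAME's row, empty if NAME is absent
field() {
    printf '%s\n' "$3" | awk -v n="$1" -v c="$2" '$1 == n { print $c; exit }'
}

# route_of NAME TABLE -> tor | clearnet | none | unknown
# Walks the netvm chain: meeting a Tor gateway => tor; ending at a root that
# provides network (sys-net) => clearnet; an isolated qube (vault) => none.
route_of() {
    cur=$1; hops=0
    while :; do
        if is_tor_gateway "$cur"; then echo tor; return; fi
        nv=$(field "$cur" 2 "$2")
        if [ -z "$nv" ]; then echo unknown; return; fi          # not in table
        if [ "$nv" = "-" ]; then
            if [ "$(field "$cur" 3 "$2")" = True ]; then echo clearnet; else echo none; fi
            return
        fi
        cur=$nv
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then echo unknown; return; fi   # netvm loop guard
    done
}

# clearnet_qubes TABLE -> names whose route is clearnet, one per line
clearnet_qubes() {
    printf '%s\n' "$1" | awk '{ print $1 }' | while read -r name; do
        if [ "$(route_of "$name" "$1")" = clearnet ]; then echo "$name"; fi
    done
}

# awokd's line in the 4.0 "@" spelling ("$type"/"$default" is the older form).
# The policy is first-match, so this must come before any
# "@type:TemplateVM @default allow,target=sys-net" line already in the file.
policy_line() {
    echo "@type:TemplateVM @default allow,target=sys-whonix"
}

# plan TABLE -> dom0 commands that disable the check in every clearnet qube
plan() {
    clearnet_qubes "$1" | while read -r name; do
        echo "qvm-service --disable $name qubes-update-check"
    done
}

# collect_table -> live rows from dom0 via qvm-ls/qvm-prefs (dom0 itself skipped)
collect_table() {
    qvm-ls --raw-list | while read -r vm; do
        [ "$vm" = dom0 ] && continue
        nv=$(qvm-prefs "$vm" netvm); [ -n "$nv" ] || nv='-'
        echo "$vm $nv $(qvm-prefs "$vm" provides_network)"
    done
}

main() {
    if command -v qvm-prefs >/dev/null 2>&1; then table=$(collect_table); else table=$SAMPLE; fi
    plan "$table"
    echo "# add (above the sys-net line) to $POLICY:"
    policy_line
    if [ "${APPLY:-0}" = 1 ]; then
        plan "$table" | sh -x            # run the qvm-service commands
    fi
}

main "$@"
```

The policy file is deliberately not edited by the script: the rule order matters (first match wins), and a default Whonix install already carries a TemplateVM line pointing at sys-net, so the sys-whonix line has to be placed above it by hand. Note that with the check disabled in the AppVMs, the update widget no longer tells you anything; running apt-get update / dnf check-update inside the template, which goes through the proxy and therefore through sys-whonix once the policy line is in place, is what replaces it.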

fiftyfour...@gmail.com

Jul 15, 2020, 12:01:06 AM
to qubes-users


On Wednesday, 15 July 2020 05:10:30 UTC+8, awokd wrote:

> In either case, don't forget to have a line in
> /etc/qubes-rpc/policy/qubes.UpdatesProxy like:
>
> $type:TemplateVM $default allow,target=sys-whonix

I didn't know about this, so this helps haaber's comment make a lot more sense. Thank you both.