Whonix update error??

[22...@tutamail.com]

I am not sure what the issue is but I am struggling to update my whonix templates via the GUI, update icon(star icon) or manually??

I get an error similar to this:

Ign:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
...
Err:12 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

I copied this from this link(https://www.whonix.org/wiki/Qubes/Update) but my error is very similar...sometimes the error is:

Err:7
Err:8

The link(https://www.whonix.org/wiki/Qubes/Update) states this is likely a Whonix error but I am unsure...I tried to update this yesterday and got the same error.

Is there anything else I should do? Should I just wait another day? My Qubes manager is stating the template needs to be updated (Green arrow).

Other notes:
* I open tor-control-panel and it shows I am using TOR(Green)
* I look in the tor-control-panel log and the only flag is the following:

Feb 17 23:13... [warn] Socks version 71 not recognized. (This port is not an HTTP proxy; did you want to use HTTPTunnelPort?)

However it still appears to reconnect
*I do a whonix check when connecting via an Appvm and it states: ! "Could not check for software updates" this seems like a common error that I have seen before, however it never seemed to inhibit the template update

Any help would be appreciated...

[Xaver]

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, February 17, 2019 11:36 PM, <22...@tutamail.com> wrote:

> I am not sure what the issue is but I am struggling to update my whonix templates via the GUI, update icon(star icon) or manually??
>
> I get an error similar to this:
>
> Ign:1 http://ftp.us.debian.org/debian stretch InRelease
> Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
> ...
> Err:12 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
> Connection failed
> Reading package lists... Done
> E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
> N: Updating from such a repository can't be done securely, and is therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user configuration details.
> Done.
>
> I copied this from this link(https://www.whonix.org/wiki/Qubes/Update) but my error is very similar...sometimes the error is:
>
> Err:7
> Err:8
>
> The link(https://www.whonix.org/wiki/Qubes/Update) states this is likely a Whonix error but I am unsure...I tried to update this yesterday and got the same error.
>
> Is there anything else I should do? Should I just wait another day? My Qubes manager is stating the template needs to be updated (Green arrow).
>
> Other notes:
>

> - I open tor-control-panel and it shows I am using TOR(Green)
> - I look in the tor-control-panel log and the only flag is the following:

>
> Feb 17 23:13... [warn] Socks version 71 not recognized. (This port is not an HTTP proxy; did you want to use HTTPTunnelPort?)
>
> However it still appears to reconnect
> *I do a whonix check when connecting via an Appvm and it states: ! "Could not check for software updates" this seems like a common error that I have seen before, however it never seemed to inhibit the template update
>
> Any help would be appreciated...

You can point Whonix towerd http://URI (clearnet) repositories.

https://www.whonix.org/wiki/Operating_System_Software_and_Updates#Non-functional_Onion_Services

[22...@tutamail.com]

Thx...

That did it but if I just waited would it correct itself? Seems not so secure to update via http?

Is one generally better off waiting for it to maybe correct itself vs updates via http?

[awokd]

22...@tutamail.com:

> Thx...
>
> That did it but if I just waited would it correct itself?

Most likely.

> Seems not so secure to update via http?
>
> Is one generally better off waiting for it to maybe correct itself vs updates via http?
>

It's a risk management decision. Which do you feel is the greater risk:
being behind on patches a couple days, or possibly being more vulnerable
to a MITM attack during an update cycle? With properly signed packages,
MITM shouldn't be an issue but there's not a single right answer, and it
could change if there's an active exploit circulating that the patches
address.

Personally, I'll usually wait a day or two to see if the onion sites
work unless there's an active, Qubes impacting exploit going around.

[22...@tutamail.com]

Mus be the Australian government and the five eyes!

I tried it on a clone and it update no issues...tried it on my main templates as-is/no change to http(fromhttps) and they happened to work fine.

Next time I will consider the option of waiting...

Xaver&awoked...you rock! Thx...

[cooloutac]

Yes you are targeted way more with MITM attacks when updating with tor I've learned. You really have to pay attention to any notifications before hitting Yes. Such as invalid signature, etc... But even the best of us can hit y by accident.

Sometimes when I have issues updating. I will update from qubes-manager, or I will update manually from console, which sometimes will give different results. For examplesometimes will notice a notification on one but not the other.

I think this is the biggest way to attack qubes users. Through updates. Its what Spengler threatened Joanna with. Especially dom0 updates you need to be extra careful. Most of us have hardware thats already screwed, imo.