Updates, security

[haxy]

Going back to the first post.

"Qubes repository will allow changing the
"http" to "https" in the qubes entry /etc/apt/sources.list.d/."

How would one implement that on a qubes-fedora template?

Looking at Installing and updating software in VMs
"http://qubesosmamapaxpa.onion/doc/software-update-vm/"

It looks like https mirrors are used for fedora and that other entries in
yum.repos.d including qubes-*.repo could be changed from http to https.

Would that work?
Although onion service would be preferred, might be a bit better than
clearnet after exit node.

[haxy]

Sorry, thought this would merge with the previous Updates, security post.

Link here:
https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/MZ4Lnene4FM#!topic/qubes-users/MZ4Lnene4FM

[Unman]

Yes, that will work as you think. The benefits are marginal.

[haxy]

Thanks Unman.
A marginal benefit is still a benefit. Especially if easily done.
Would be nice if the devs could make that change in an upcoming update, at
least until onion service repos are implemented.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Qubes onion repos have just been implemented. Minimal documentation
available here:

https://www.qubes-os.org/doc/hidden-service-repos/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYe2LFAAoJENtN07w5UDAw0VcP/0Qgpe1KvjrG2pYs80Eia1u/
D7+eJSA0bT3WiUcUVNgwGglO08QRccdMaPEvENk4L32QvROXKyVbn8LQrGn+8Lvh
/zV414BkjpdL9PkZmHb0zujV324VdidU+EymWr6/p0MsTIrux/Ht+oLcleH9WUuc
nJwQaTsNLiGImip0smGuEZGTQPlQOPTnGU0x1mH8dArft5WOp5v76/Llll3QY9PQ
JbQt1+9iAGq0umYrMKD9RiWgBNMj6TaHbvtda9CJ2pUznP09nNGsLhAdUpowChA/
7G/ccgYdtBCo+RMIai4+zIrL8SGDOrnm4QKFV9wF4/ljkifqp7YvCu4ff8YbS4q0
0LJit4Hhw2NAQzzsuOujXTDehOzd3STRV5LdQqT7Jc97PczjdXxYGDuH2V4rLzqZ
mYjDvbiAHuN7LJee0P+EL2/loiE12vHZwTvHlWtandluOJ1Zo6kPwLtCdwA9cM3o
W/hiSoUfhOBbkFZ+hOFN2hz8Va3fbgmJMPkV8IBoivjNel2ar3itPt2JZitu4Od8
bWjmiz6jxiDit4k5rIBEDYkeXwk2bjk6pLjIJBfIMAkrZKYZiWC9UNG7Knovw+RF
5jNxFMwu/MO5TV8yrQna9kJf3WL6zUCsTajZG5VewdWrRbMp97ZsEdk73IHqRNXB
gYUH7foKfjmmEVEJZite
=r6qK
-----END PGP SIGNATURE-----

[haxy]

First of all, thanks for making the onion repos available!

Following directions to onionize repositories I made a mistake inputting
the onion address. Re-running the commands, dom0 example,
"sudo sed -i 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/'
/etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
has no effect. Cat still shows the input made with the incorrect onion
repo. Tried using
"sudo sed -i 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/'
/etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
with the same results.'

(Noticed the command from the whonix wiki differs slightly from the qubes
wiki command. "qubes-yum" vice "yum" before the onion address.)

Was able to get the debian and fedora repos functioning by manually
inputting the correct onion address in their respective files but am
unable to do that in Dom0.
How can I correct this issue in Dom0?

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-01-16 13:22, haxy wrote:
> On 2017-01-14 20:04, haxy wrote:
>>>>> On Sat, Jan 14, 2017 at 12:08:25AM -0000, haxy wrote:
>>>>>> Going back to the first post.
>>>>>>
>>>>>> "Qubes repository will allow changing the "http" to
>>>>>> "https" in the qubes entry /etc/apt/sources.list.d/."
>>>>>>
>>>>>> How would one implement that on a qubes-fedora template?
>>>>>>
>>>>>> Looking at Installing and updating software in VMs
>>>>>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>>>>>
>>>>>> It looks like https mirrors are used for fedora and that
>>>>>> other entries in yum.repos.d including qubes-*.repo could
>>>>>> be changed from http to https.
>>>>>>
>>>>>> Would that work? Although onion service would be
>>>>>> preferred, might be a bit better than clearnet after exit
>>>>>> node.
>>>>>>
>>>>>>
>>>>> Yes, that will work as you think. The benefits are
>>>>> marginal.
>>>>>
>>>>>
>>>>>
>>>> Thanks Unman. A marginal benefit is still a benefit.
>>>> Especially if easily done. Would be nice if the devs could
>>>> make that change in an upcoming update, at least until onion
>>>> service repos are implemented.
>>>>
>
> Qubes onion repos have just been implemented. Minimal
> documentation available here:
>
> https://www.qubes-os.org/doc/hidden-service-repos/
>
>>
>>

> First of all, thanks for making the onion repos available!
>
> Following directions to onionize repositories I made a mistake
> inputting the onion address. Re-running the commands, dom0
> example, "sudo sed -i
> 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/'
> /etc/yum.repos.d/qubes-dom0.repo && cat
> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows
> the input made with the incorrect onion repo. Tried using "sudo
> sed -i 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/'
> /etc/yum.repos.d/qubes-dom0.repo && cat
> /etc/yum.repos.d/qubes-dom0.repo" with the same results.'
>
> (Noticed the command from the whonix wiki differs slightly from the
> qubes wiki command. "qubes-yum" vice "yum" before the onion
> address.)
>
> Was able to get the debian and fedora repos functioning by
> manually inputting the correct onion address in their respective
> files but am unable to do that in Dom0. How can I correct this
> issue in Dom0?
>

You can do it the same way in dom0: by manually editing the file.

For example:

$ sudo vim /etc/yum.repos.d/qubes-dom0.repo
(Edit the file, save, and close.)

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYfiA1AAoJENtN07w5UDAwjqgQAM167NqJu3SsyrI5BnkQBzg4
g5/O1TI0lT/z0HUmMB6130I21hMpYUb7OJQjpo/M7Cfh/3G2D/7EzIXD/jebgexH
gUgEdoPaa7zMWXOAETFeD+AT4rdj8DSARsAZhtWV897IvPaT7GitOpPay6a8+v4+
UYYIf3Wb/EQjaDB1SuEXAdT3cXYyIKhlTtLRHOF0WSPdF91BOUgjNVKaKthXTH0D
HmZbGlpPjAQL3kVzFGIqulPTPWI+KM6Dg5MC5aiNokzMrm6o2buN0Ig2w6OWYug9
ys/Hmlxb4GI4VGMcZ9gk4U30ARXieMDgwVD1Vrgx4qcN7i71hXPJtmQDCKmipae7
KlPdQKM2QN4XiEqBXIFpb9zy9uuqoxPEgl0wAzmjz0QrZedAzHrMBnhx2sQj4BXB
T6NlvuIpSRrRMCJV54lw0OhStDPyJVO9MQJLaHdb83Pg1/u6y+gplQIP4440gLay
mgymvV6aVBBafJ3CB0RFRePjQpPhhx6LxLRlDkK52deXRIwFJcQDzc3tuMQw9b/4
cC93aivanCdGOtEYis0pOciST7eRw6g+ObTBvV3y1fk/fQYjSNpxYIsty/64UsvY
C4bJ/BjV4h07IlJq48RQsI5zRtf5fPNW4mudrFCig07Y4ongpnJsX7zoP0bP0M1O
MjkWAImlnvdFfLwosh6U
=gdX0
-----END PGP SIGNATURE-----

[haxy]

Thanks Andrew. Using vim worked. :)

Do you know why re-running the command,

"sudo sed -i 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/'
/etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"

did not work to overwrite the first incorrect address entry? Curious if
it's reproducible or something on my end only?

Also, a couple of other questions.

1. Seems there are 2 distinct onion addresses that can be used for the
qubes repos, "qubesos4rrrrz6n4.onion" or "whonix kkkkkkkkkk63ava6.onion".
Is there any reason to prefer one over the other?

2. Which onion address should be used for Qubes website access?
"http://qubesos4rrrrz6n4.onion/" or "http://qubesosmamapaxpa.onion/"?
Looks like the "qubesosmamapaxpa" site is not up to date.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-01-18 18:00, haxy wrote:
> On 2017-01-16 13:22, haxy wrote:

>>>> On 2017-01-14 20:04, haxy wrote: Qubes onion repos have just

> Thanks Andrew. Using vim worked. :)
>
> Do you know why re-running the command, "sudo sed -i
> 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/'
> /etc/yum.repos.d/qubes-dom0.repo && cat
> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the
> first incorrect address entry? Curious if it's reproducible or
> something on my end only?
>

It's possible that 'yum.qubes-os.org' was no longer present in the
text and therefore couldn't be found in order to be replaced.

> Also, a couple of other questions.
>
> 1. Seems there are 2 distinct onion addresses that can be used for
> the qubes repos, "qubesos4rrrrz6n4.onion" or "whonix
> kkkkkkkkkk63ava6.onion". Is there any reason to prefer one over
> the other?
>

No, both point to the same server.

> 2. Which onion address should be used for Qubes website access?
> "http://qubesos4rrrrz6n4.onion/" or
> "http://qubesosmamapaxpa.onion/"? Looks like the
> "qubesosmamapaxpa" site is not up to date.
>

http://qubesos4rrrrz6n4.onion/ should be used. We don't have any
control over http://qubesosmamapaxpa.onion/ (it appears to be updated
only infrequently).

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYgCMuAAoJENtN07w5UDAwGMsQAJ/eqXk4yOOssNyYvokwkJs+
zvFR4xaX4LillkIceHroYy3yDhl7o7QergoDUPkUZqLhBrl+zakabJjWrPw9jDMV
LWgmldy2vq4mM/1jlU5wfHM9aja/497lpm7kgkMfYSZRHdgeY2eX96h/v3qg6Sqa
L9Xe3K9w5PMMpN4e2QeqNtPj1OMNGF96xx06Z4Kd0kN5fuVDEmf9t5UIjYp21nUD
DtPBS/nJzCcempxPKFsDbKWHrDvNV/kB+hXfzc7OyqlnM69aJPrNyxjsGKQTF7j6
0wQGtDUY3/1dRq4QZgOblMvRUO8KhixnHxgbXg2qXd39WEqPvlc0f5GsNIhaNlYK
6OhrbnABPjOCb7qWLCNDudSjVlBORb+kYHF67R5mwXK09P7on87sbz6pjrTCgZuv
oYR1mPIB+k0xbZc1/+L4fDmvUjg3jLSvY5qvZpG77xzOJhklS1aEpJL69z43Hpkq
nxWynqKGuvpoq1+oeAlICwiaC3pQXPWgPdmcKJLQ7kKDZixF9UL1D5Pq21jnrT0/
nrKNRYDwCVNLbs7oYbIdXTnY9TSR6JLkzQmgXLG17uYRMFRf1yEquCdOgH2cecZx
7+mvxlQBWALcerfe3py5/qYcd9srnaO+eNDadYnNc7AN5p9B1XXrvBMy5ZWtTh27
QuwsQhFCJ0laMXPz0rOP
=BU76
-----END PGP SIGNATURE-----

[haxy]

I'm not sure what you mean by this.
Why would "yum.qubes-os.org" not have been present in the text? I re-ran
the command several times using both onion addresses with the same result.

>> 1. Seems there are 2 distinct onion addresses that can be used for
>> the qubes repos, "qubesos4rrrrz6n4.onion" or "whonix
>> kkkkkkkkkk63ava6.onion". Is there any reason to prefer one over
>> the other?
>>
> No, both point to the same server.

Thanks!

>> 2. Which onion address should be used for Qubes website access?
>> "http://qubesos4rrrrz6n4.onion/" or
>> "http://qubesosmamapaxpa.onion/"? Looks like the
>> "qubesosmamapaxpa" site is not up to date.
>>
> http://qubesos4rrrrz6n4.onion/ should be used. We don't have any
> control over http://qubesosmamapaxpa.onion/ (it appears to be updated
> only infrequently).

That's strange. I thought that was the original qubes onion address? If
you (meaning qubes admin/dev) don't have control over
"http://qubesosmamapaxpa.onion/", who does?

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>>> Do you know why re-running the command, "sudo sed -i
>>> 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/'
>>> /etc/yum.repos.d/qubes-dom0.repo && cat
>>> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite
>>> the first incorrect address entry? Curious if it's
>>> reproducible or something on my end only?
>>>
>> It's possible that 'yum.qubes-os.org' was no longer present in
>> the text and therefore couldn't be found in order to be
>> replaced.
>
> I'm not sure what you mean by this. Why would "yum.qubes-os.org"
> not have been present in the text? I re-ran the command several
> times using both onion addresses with the same result.
>

Above, you wrote, "Following directions to onionize repositories I
made a mistake inputting the onion address." You didn't specify your
mistake, so as far as I know, it's possible that your mistake altered
the content of the file such that "yum.qubes-os.org" was no longer
present in the text.

>
>>> 1. Seems there are 2 distinct onion addresses that can be used
>>> for the qubes repos, "qubesos4rrrrz6n4.onion" or "whonix
>>> kkkkkkkkkk63ava6.onion". Is there any reason to prefer one
>>> over the other?
>>>
>> No, both point to the same server.
>
> Thanks!
>
>
>>> 2. Which onion address should be used for Qubes website
>>> access? "http://qubesos4rrrrz6n4.onion/" or
>>> "http://qubesosmamapaxpa.onion/"? Looks like the
>>> "qubesosmamapaxpa" site is not up to date.
>>>
>> http://qubesos4rrrrz6n4.onion/ should be used. We don't have any
>> control over http://qubesosmamapaxpa.onion/ (it appears to be
>> updated only infrequently).
>
> That's strange. I thought that was the original qubes onion
> address? If you (meaning qubes admin/dev) don't have control over
> "http://qubesosmamapaxpa.onion/", who does?
>

Yes, it was initially set up by a Qubes contributor named "Hakisho
Nukama," who suddenly disappeared a long time ago. (I hope you're
still ok out there, Nukama!)

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYgaK7AAoJENtN07w5UDAwgE8P/39dg47TtaoMc5lw1U7WF/Yp
7w5Sg4YtZArwGoI04IH4eXxJRvy8odPclId+gIweL+XSSKT457jgDwTWPRv+4opp
Ki/MPz9SrpmF6YrP5KbPAi5s7ZQ1CQQJvRR7HhKiccwh9WmQIIuOgdOTO7cfdeKa
iS/P27tp58LL3W5vbVrpnx1htcgHu1IgDscoQprhqdNGqjk0JxQA+pkavMLfhxvW
cahAC3TkPwilNfYRl2R6B0PoHZt3++Apy9CR7rsXQYizgFmvUyJUcWsQBwac1F09
+TqjnVQrI+g3zPgQ+Ua1DY2PXIdnbsZXlwBrC9BX698bZq8+g2tHndTwx3ZraqXC
nUSvIJVS1kugAUaHvl4smsuKRfoRYTV/1VWwpwvn1MQQqZJQjkwm2JvE7p2IZ2oe
pkUEPDCuk95AhSJsSQEHNWQ2zESKktPAUHKzNyzDOx9z2vH7QDwwWsgbWeuaIOXq
jnQeJTzjPjhN9xMRtqyVN20xPntyXuwPEJSMuvBsGrvz2glKoyDoXLrwslO89ZIX
+7gjHpi1eAm7iz+moFzgNHb3qlr7uaxB7U08iG23h0XdtfdaUwMFvHGKE7IoZ7rx
Sj/Q6byH+V6Zuwy4JudW2eFoe32QfuJH3scjyOEjC5qd7tYG5Ajl8fv+k/Cp/ijW
woQxFZt5Ebt8PCd7+zyh
=gpSH
-----END PGP SIGNATURE-----

[haxy]

Original mistake was inputting 9 vice 10 (k)s in the whonix onion address.
"kkkkkkkkk63ava6.onion" instead of "kkkkkkkkkk63ava6.onion".

Thought at first that after re-running the command;

"sudo sed -i 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/'
/etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"

the extra k was not recognized.

Then tried using "sudo sed -i 's/yum.qubes-os.org

/yum.qubesos4rrrrz6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat
/etc/yum.repos.d/qubes-dom0.repo" with the same results.'

Can you verify that re-running the correct command overwrites an earlier
input? If so, that would indicate a problem on my end.

>>> http://qubesos4rrrrz6n4.onion/ should be used. We don't have any
>>> control over http://qubesosmamapaxpa.onion/ (it appears to be
>>> updated only infrequently).
>>
>> That's strange. I thought that was the original qubes onion
>> address? If you (meaning qubes admin/dev) don't have control over
>> "http://qubesosmamapaxpa.onion/", who does?
>>
>
> Yes, it was initially set up by a Qubes contributor named "Hakisho
> Nukama," who suddenly disappeared a long time ago. (I hope you're
> still ok out there, Nukama!)

Thanks for the explanation. All the best to Hakisho Nakuma.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

(Please stop duplicating quoted messages. It's very confusing.)

>
>
>>>> It's possible that 'yum.qubes-os.org' was no longer present in
>>>> the text and therefore couldn't be found in order to be
>>>> replaced.
>>>
>>> I'm not sure what you mean by this. Why would "yum.qubes-os.org"
>>> not have been present in the text? I re-ran the command several
>>> times using both onion addresses with the same result.
>>>
>>
>> Above, you wrote, "Following directions to onionize repositories I
>> made a mistake inputting the onion address." You didn't specify your
>> mistake, so as far as I know, it's possible that your mistake altered
>> the content of the file such that "yum.qubes-os.org" was no longer
>> present in the text.
>
>
> Original mistake was inputting 9 vice 10 (k)s in the whonix onion address.
> "kkkkkkkkk63ava6.onion" instead of "kkkkkkkkkk63ava6.onion".
>
> Thought at first that after re-running the command;
>
> "sudo sed -i 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/'
> /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
>
> the extra k was not recognized.
>
> Then tried using "sudo sed -i 's/yum.qubes-os.org
> /yum.qubesos4rrrrz6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat
> /etc/yum.repos.d/qubes-dom0.repo" with the same results.'
>
> Can you verify that re-running the correct command overwrites an earlier
> input? If so, that would indicate a problem on my end.
>

That sed command is an in-place substitution (aka "find and replace")
command. It finds every instance of the first term and replaces it
with the second term.

When you ran the first command, you replaced every instance of
"yum.qubes-os.org" with "kkkkkkkkk63ava6.onion". When you ran the
second command, sed searched for "yum.qubes-os.org" but did not find
any instances of it (because you had already replaced them all with
"kkkkkkkkk63ava6.onion"). Thus, the second command had no effect.

>>>> http://qubesos4rrrrz6n4.onion/ should be used. We don't have any
>>>> control over http://qubesosmamapaxpa.onion/ (it appears to be
>>>> updated only infrequently).
>>>
>>> That's strange. I thought that was the original qubes onion
>>> address? If you (meaning qubes admin/dev) don't have control over
>>> "http://qubesosmamapaxpa.onion/", who does?
>>>
>>
>> Yes, it was initially set up by a Qubes contributor named "Hakisho
>> Nukama," who suddenly disappeared a long time ago. (I hope you're
>> still ok out there, Nukama!)
>
> Thanks for the explanation. All the best to Hakisho Nakuma.
>
>
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYguLnAAoJENtN07w5UDAw1HQP/iBmni2c8u600qQMb/tyDesi
z5MtE6jHEG0UdYVcvIvPf2rZlghUIr5Y7chWgFd4Qkqp64gQIFwat2l6GF9vNvx4
AHgdTgY0sIgIzjsFVb/phDJKXJmmqF13YAT+/suxZ3U3U3JPxQ7sjVMRhmDz9EYI
D0Xdn0q4XSVwmq6jcae/5EnhzdDWddzqiVxsQiaT9Ps12wzSyfSOb4xPJC5qD6w3
OKnLwu7R+qWGZS6pHnp330wRXeGr3xtX7ZwCR8f6i4wi7ST6msL+7+v8I0ONKC2O
SgJRd+67c2xdLmCocOH4Oq+XldssBLh+xM9CBdddIwRBznqUKE0QNc78UvjnYLtr
Z5chXbQgJwv2RcLXoHw4gks0zc4qBJaOJg2WYGQGuFVKLHRL9PWKfghvUmj9ZmFV
iShiRxiXdKwMfCbD2QPlsVoxu1bfl/OFgRWPZfHSCRswLAcNm8FC38+Ql1NAUZDf
Vyq6mFCsIxWGktCUVq41izzD9j8jNoNlE/uI7bnWILzTrvcHx8E2uG+VdSrguRBq
NDGkhXfIX09eK/cDeNNj4KcKuhc7BNWu3BPh3MOO08z6T5Zo54KUxBEXyo5kANZv
XduvC7sRW4BA7LKAaEVJXo48E6ZqFxKNUPuISZAd7LeIyn4asap+2xRt2GyQf+r1
Pp/eR9Q1nXYfmOxCB5G/
=Iipf
-----END PGP SIGNATURE-----

[haxy]

Apologies for the confusing quotes and many thanks for the help!

[FWM]

Interesting, why would one want to hide their updates through the onion network?

To hide from ISP/Gov they are using Qubes OS?

when i installed Qubes i decided to let whonix update not using TOR.
Is this a poor choice?
Where can i change that setting?

[haxy]

Updating over Tor is the better choice and via onion better yet.

Some good reasons to update via onion.

From:
"http://forums.kkkkkkkkkk63ava6.onion/t/onionizing-qubes-whonix-repositories/3265"

"The benefits include:
protection against MITM attacks due to the use of end-end encryption;
protection against downgrade attacks; and
reducing the load on exit relays in the Tor network."

More discussion of this can be found at the link below.

http://forums.kkkkkkkkkk63ava6.onion/t/hardening-qubes-whonix/3221/49

Guides can be found at:

http://qubesos4rrrrz6n4.onion/doc/hidden-service-repos/

http://kkkkkkkkkk63ava6.onion/wiki/Security_Guide#Onionizing_Repositories

If you are not using Tor, the discussion and guides can also be found on
the non-onion whonix and qubes websites.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-01-22 02:50, FWM wrote:
> Interesting, why would one want to hide their updates through the
> onion network?
>
> To hide from ISP/Gov they are using Qubes OS?
>

Two of the main benefits are:

1. Network attackers can't target you with malicious updates or
selectively block you from receiving certain updates. Instead,
they're forced to either block everyone or serve everyone with the
same malicious update in the hope that you're among those affected.
This makes it much more likely that someone will spot the attack.

2. Downloading all updates through Tor preserves your privacy, since it
prevents your ISP and package repositories from tracking which
packages you install.

> when i installed Qubes i decided to let whonix update not using
> TOR. Is this a poor choice? Where can i change that setting?
>

You can set any TemplateVM to update over Tor by setting that
TemplateVM's NetVM to sys-whonix. If you don't have a sys-whonix
ProxyVM, then follow the instructions here to get one:

https://www.qubes-os.org/doc/whonix/

Once you do that, you can (optionally) use the Qubes onion service
repos by following these instructions:

https://www.qubes-os.org/doc/onion-service-repos/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYhf3mAAoJENtN07w5UDAwfDQQAKrU74lzDt+oDm/E8uLfAXa2
HqsOymJzUvUY2d6e7uuqrS71nP3C7Azvgb7hNNQU3h9OnysmcwOeByO5QoJKuFp7
1RpBDZlSr+CAmI+fgkARz5EYTMyxlfXjciP6Dj/uArTww8yBA0OYtE3SiDuIJYIg
lw0XOdavgMfWC6UtwKI5Mjp56X7FtBv+lEFZMCX9wWbv7MmV3aD+UhLFViuKOJXi
ZSaiLyY3qt8MREQAO6WNUKPzug1lNOTNnMUjqybLnWY6miRlczHxKnc9Tj4kWC3S
WLQxE/6K/wgBg25mGXHvDLlKmG+jXLfAFOeJ6atm1vphrRTQ0MZ/vOvproI9/smg
3mQ6G24u/bAcQM/5II5XYDmRkrEEjarIBgXTayTVoXoyEyr6FKB/YbrG2ysyX3Ld
nFF9Z4LQ2nrJmdktAhOKqAArGx5dufVt4UIw7X+k2WhGcqgEhZt3UZPbkzzMWLpe
48kZdSXioxP9uSahTUmNMLeIkHZIYR7k/K9vtUYCzSsyg+H+YOIbUByjqRXMDCCA
K0LH7A8GbGRQvPiakR+/sGMNejb5uMNOzvUXqe9K5bjcsI1LcegpREeTjWryA5Oe
coJgirrkMIRKxTHwPZvNO74R2v7aJfnZ0fAMszGovMUNCUZTEE1ndpqu2J7ztAkm
FWHuQU5hMkJ9hY+LzJfR
=tLfv
-----END PGP SIGNATURE-----