On new installs, is exotic procedure still needed to cure debian apt bug or can we simply update/apt-upgrade from deb template?


Jeffersonian American

Aug 18, 2019, 1:39:38 PM
to qubes-users
I need to re-install Qubes and last time I installed, maybe around Feb 2019, there was an advisory about an apt-bug which required a fix. Is that now taken care of automatically in the deb-9 template or is that procedure still required?


FenderBender

Aug 18, 2019, 2:45:14 PM
to qubes-users
Not sure if this is still an issue on the current ISO or if the updater takes care of it:  https://www.qubes-os.org/news/2019/01/23/qsb-46/
 

awokd

Aug 20, 2019, 3:14:25 PM
to qubes...@googlegroups.com
Jeffersonian American:
> I need to re-install Qubes and last time I installed, maybe around Feb
> 2019, there was an advisory about an apt-bug which required a fix. Is that
> now taken care of automatically in the deb-9 template or is that procedure
> still required?

Should be already addressed in 4.02, but if you're reinstalling 4.01 use
the Qubes Updater (sun icon) to update dom0 first, reboot, then use it
to update the templates. It handles the apt fix.

American Qubist 001

Aug 20, 2019, 5:38:27 PM
to qubes-users


On Sunday, August 18, 2019 at 10:39:38 AM UTC-7, American Qubist 001 wrote:
Will make sure to use the latest, but I thought 4.02 was still in beta.
Also, the instructions in the QSB are much more complex than simply updating through the GUI. Why do you think a regular update would work when the QSB or Qubes documentation advises a much more complex, completely different procedure?

Something is not right here. It is inconsistent. If all you need to do is a regular simple update, the documentation should reflect that and not send users through a much more elaborate template replacement process.

ALSO the QSB says that the bug is actually in the update process of apt itself, so it stands to reason that if there has been a malicious code injection, merely updating will not suffice.

So, are we sure we are on the same page here??

Chris Laprise

Aug 20, 2019, 9:08:46 PM
to American Qubist 001, qubes-users
On new installs of 4.0 and 4.0.1, you can use this procedure:

qubes-dom0-update
qubes-dom0-update --action=upgrade qubes-template-debian-9


This will first update dom0, then perform an 'upgrade' on the template
as a whole (without using apt). Finally, do a regular apt-based update
in the template.

Alternately, you could skip Debian 9 and install Debian 10 (it's in
testing but is working fine):

qubes-dom0-update --enablerepo=qubes*testing qubes-template-debian-10


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

awokd

Aug 23, 2019, 4:14:25 AM
to qubes...@googlegroups.com
American Qubist 001:
Can't tell if you're replying to my message. Anyways, believe the
documentation & QSB covers how to safely replace templates that may be
compromised. Since you have known good templates in the 4.01 installer,
additional steps aren't necessary. Also, the apt fix in Qubes Updater
was added after those were written. Might not hurt to submit an update
to the documentation.

