Are older versions of fedora more secure? Qubes 4.0.4.. Stable

anon42456682 · January 10, 2022, 10:31pm

Is Qubes 4.0.4 more secure then 4.1? Even older versions of debian and fedora? Like debian 10 and fedora 32…
So when using stable qubes… Should you not update the templates then at all? And just update dom0 in the manager, and then just use the launch updater, and download what comes?

Is whonix 15 more secure then 16 and so on? Just wondering how you update 4.0.4 yourselves… Do you switch up some templates or just use the default updating tool?
I prefer to use the updating tool if it is most secure and stable of-course.

" Security updates

Security updates are an extremely important part of keeping your Qubes installation secure. When there is an important security issue, we will issue a Qubes Security Bulletin (QSB) via the Qubes Security Pack ( qubes-secpack ). It is very important to read each new QSB and follow any user instructions it contains. Most of the time, simply updating your system normally will be sufficient to obtain security updates. However, in some cases, special action may be required on your part, which will be explained in the QSB."

So would you guys just update Qubes stable with the normal tools? or would you update templates and so on…
I can download everything normal… But the progress with qibes and other stuff is fast, so i can’t really keep up with the progress…
What settings do you usually add after a fresh Qubes 4.0.4 install?

edit: whonix 15 can’t even update… So that’s an issue… gonna try again though. Should work.

I’m also a beginner. How do i update qubes 4.0.4 now again? It’s better to ask. the right commands and so on… Should i use whonix 16?
I think i found the right answer:

Perhaps Qubes 4.0 should be re-released including whonix 16 instead as default… And that normal updates just work? Just a suggestion…
Otherwise that command works.

fsflover · January 10, 2022, 11:36pm

You are right, you should not use the EOL templates. You should upgrade/replace them all. We can expect a new release of Qubes 4.0.x (point release), but the developers have not enough resources to make it quickly. You however can find in the docs and in the news how to update all templates:

anon42456682 · January 11, 2022, 12:44am

Thanks… yes a point release would be nice…
because i have to manually update stuff, and then it’s not really a stable release…

edit:
What am i doing wrong here?
Trying to update whonix 16 and i get:

"Updating whonix-ws-16

Error on updating whonix-ws-16: Command ‘[‘sudo’, ‘qubesctl’, ‘–skip-dom0’, ‘–targets=whonix-ws-16’, ‘–show-output’, ‘state.sls’, ‘update.qubes-vm’]’ returned non-zero exit status 20
whonix-ws-16:
----------
_error:
Failed to return clean data
retcode:
1
stderr:
Traceback (most recent call last):
File “/var/tmp/.root_dd8a91_salt/salt-call”, line 27, in
salt_call()
File “/var/tmp/.root_dd8a91_salt/pyall/salt/scripts.py”, line 445, in salt_call
client.run()
File “/var/tmp/.root_dd8a91_salt/pyall/salt/cli/call.py”, line 48, in run
caller = salt.cli.caller.Caller.factory(self.config)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py”, line 64, in factory
return ZeroMQCaller(opts, **kwargs)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py”, line 329, in init
super(ZeroMQCaller, self).init(opts)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py”, line 89, in init
self.minion = salt.minion.SMinion(opts)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/minion.py”, line 912, in init
opts[“grains”] = salt.loader.grains(opts)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/loader.py”, line 825, in grains
ret = funcskey
File “/var/tmp/.root_dd8a91_salt/pyall/salt/grains/core.py”, line 2384, in ip_fqdn
ret[“ipv6”] = salt.utils.network.ip_addrs6(include_loopback=True)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/utils/network.py”, line 1353, in ip_addrs6
return _ip_addrs(interface, include_loopback, interface_data, “inet6”)
File “/var/tmp/.root_dd8a91_salt/pyall/salt/utils/network.py”, line 1333, in _ip_addrs
ret.add(addr)
File “/usr/lib/python3.9/ipaddress.py”, line 1920, in hash
return hash((self._ip, self._scope_id))
AttributeError: _scope_id
stdout:
"

What do i do?
And which templates should i change from 15 to 16?
If you or anyone knows…
I used this command to download whonix 16
sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw-16 qubes-template-whonix-ws-16

ok, found the answer here:

fedora 33 it is…
yeah i mean… a point release would be nice… Just an updated working 4.0 version without updating issues. that’s stable in that way. With updates. Stable updates… In my opinion updates is an important function with OS:es… If updates work without issues, then that’s great. I still think Qubes is great, but you know what i mean.
Most OS have updating issues… Maybe not stable linux dists like linux mint, debian and so on.

fsflover · January 11, 2022, 9:30am

It’s harder to manage upgrades on Qubes, because it deals with whole several operating systems inside. The developers are currently busy releasing a new version 4.1. If you are comfortable with almost final (but still testing) version, you can try 4.1rc3 where everything is updated.

anon42456682 · January 11, 2022, 4:09pm

Yeah i get that. I would use it! Does updates work if i use fedora instead of debian then?
I want to use 4.1 instead… i rather use that one… Yeah look good it’s perhaps almost stable:

2022-01-11	current-testing freeze before 4.1.0-rc4
2022-01-18	4.1.0-rc4 release
2022-01-31	decide whether 4.1.0-rc4 is the final 4.1

If i use fedora updates might work… Debian might crash the updates…
One suggestion if updates crash are if they put links or the right commands to update qubes correct straight away so the users can see that, if it’s not possible through the updater system… Qubes update tool. or like a link where to read up about how to update Qubes in the right way.
Not having to search up and find an update solution would be nice… If possible. But i understand Qubes has allot of variables. A complicated OS.
I bet it’s very hard to create an updater tool that does not show any errors with all the different cubes and stuff by default… That taḱes care of many commands all-together…
But if one such tool worked, there would just be a click of a button for the users and that would of-course be nice… But i understand it’s hard to create and maintain with many different systems and so on! Plus that fedora has EOL. New versions very fast… that is also messing up the update system and showing errors…

anon42456682 · January 11, 2022, 7:44pm

I may install qubes 4.1 with fedora… But what are the recommended update techniques for 4.1 rc3?
The goal is to have a machine that updates and works for many years later on with working updates. I can’t re-install qubes again… this might be the last time, or i might use another OS, i’m not sure. I will try and use the qubes update tool. anything else i have missed after a fresh install of qubes 4.1 rc3? thanks

fsflover · January 11, 2022, 9:20pm

The update tool should work fine on 4.1rc3. Both Fedora and Debian seem to be working flawlessly, too. No significant changes are expected before the final release, which means you can expect many years of updates. For more peace of mind, you can also wait for rc4.

unman · January 12, 2022, 4:27pm

Currently there are 4 critical (most mislabelled imo) bugs for 4.1, and
76 major bugs. 355 in total. (This doesn’t account for the large number of
4.0 bugs that may be resolved in 4.1.)
I think major bugs are the backup/restore issues - it would surely be a
mistake to release a new version without having a stable and working
backup tool.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

adw · January 13, 2022, 4:55pm

Are older versions of fedora more secure?

Not necessarily.

In the case of Fedora 32 and Whonix 15, definitely not, since they have reached EOL and therefore no longer receive security updates!

Absolutely not! As the how to update page clearly states, you should update both dom0 and templates (and standalones, if you have any).

As explained on the how to update page, the Qubes Update tool is indeed the recommended way to update Qubes OS.

This pair of questions implies a false dichotomy. You should regularly update your stable Qubes OS installation, and part of doing so is regularly updating your templates (and standalones). You can use the Qubes Update tool to update all three — dom0, templates, and standalones (unless you’re using certain exotic templates). You should also upgrade everything before it reaches EOL, as explained here.

There’s an issue for that here:

github.com/QubesOS/qubes-issues

Consider creating 4.0.5 iso

opened 01:05PM - 29 Dec 21 UTC

closed 06:24PM - 02 Jun 22 UTC

unman

C: installer P: major T: task

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… Brief summary The 4.0.4 iso ships with outdated templates: Fedora, Debian and Whonix all have later major releases. In addition there are many patches and updated packages available in dom0 and templates. Unless 4.1 is *imminent*, there would be value in releasing an updated iso for 4.0.5, so that new installs have the latest supported versions. - [x] update references to included templates (installer, salt) - [ ] build new ISO - [ ] release for testing - [ ] release (upload to mirrors, announce)

This is a misconception about what the term “stable release” means. “Stable” is contrasted with developer and testing releases, such as alphas, betas, and release candidates (RCs). “Stable” basically means that the code has been reasonably well-tested and that updates won’t contain crazy new experimental stuff that has a high chance of breaking existing installations. It doesn’t mean you don’t have to run any updates or upgrade/replace any EOL templates.

Well, Qubes is basically like that. For example, the Qubes 4.0 stable release was on 2018-03-28. Many of us installed it on that day and have been using it until now. So, we’ve been using the same stable Qubes release for almost four years without having to reinstall. Similarly, the previous stable release (3.2) was supported for around 2.5 years.

As a team member and major contributor, your input on issue priority is highly valued! Please feel free to comment on such issues with your reasoning when you feel that the priority label should be changed. In some cases, other devs may disagree, but in many cases, it could be that I was simply making a best-effort provisional guess to anticipate your and other devs’ views (with the intention of saving y’all some work) fully expecting my initial labels to be updated/replaced later after the issue received new information, further consideration, or expert attention.

fsflover · January 13, 2022, 5:17pm

But today Qubes OS 4.0 is not like that. AFAIK it will be EOL half a year after the release of 4.1, i.e., in less than a year. Granted that reinstallation of Qubes is usually much easier than that for the other operating systems, because you can backup/restore all VMs with their configurations.

adw · January 15, 2022, 3:17pm

Correct, which is why I said “Qubes is basically like that” rather than “Qubes 4.0 is basically like that.” In other words: If you’re looking for an OS where you can install it and not have to re-install again for years, then Qubes allows for that, so long as you only (re)install around the time a new major or minor release comes out.

anon42456682 · January 15, 2022, 5:24pm

Thanks! Well, all the respect to you coders and developers. I love Qubes and all of your work! So many thanks. I just need to learn the OS better, that’s all…
To update it right, which i often do. But then i try some experimental stuff, or learning and mess up some stuff sometimes, so i have re-installed it quite some times now!
That’s all… I need to learn linux better and stuff.

I like the OS! I will use 4.1 instead with fedora as templates. Thanks for the detailed answer.

anon42456682 · January 15, 2022, 5:26pm

Alright, thanks… Sounds like Qubes need more open source developers then… Bigger teamwork, more coders.
Great OS! Might have some bugs as you mentioned, but it’s a great OS. Or if the bugs get solved in time… Open source is great in that many linux coders can contribute with code, and fix bugs together like that.

anon42456682 · January 15, 2022, 5:51pm

Yes that sounds good… I mean. It’s my own fault because i experiment with stuff i don’t know anything about and learning also… So it’s not for nothing.
I have learnt some more from when installing it for the first time for sure! I just sometimes loose my patience you know with technology and whine online sometimes because i don’t understand stuff. I hope you all understand that… technology sometimes overall… It’s not always easy for everyone, far from it.
hehe
peace out

anon42456682 · January 15, 2022, 7:33pm

Ok qubes experts! It’s better if i just ask…
I have a fresh install of qubes 4.1 and when i update i get this whonix message. Systemcheck…
INFO: Whonix APT Repository: Enabled. When the Whonix team releases BULLSEYE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read Placing Trust in Whonix ™ to understand the risk. If you want to change this, use:
dom0 → Start Menu → Template: whonix-gw-16 → Whonix Repository
WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated.
Please update your ‘whonix-gw-16’ TemplateVM.

Open a TemplateVM terminal. (dom0 → Start Menu → Template: whonix-gw-16 → Terminal)
Update.
upgrade-nonroot
Shutdown your TemplateVM. (dom0 → Qubes VM Manager → right click ‘whonix-gw-16’ → Shutdown VM)
Shutdown and restart this TemplateBased ProxyVM. (dom0 → Qubes VM Manager → right click ‘sys-whonix’ → Shutdown VM)

…
Should i do that or just press ok?
What upgrade steps do i need to do to be at the level qubes is at now which is rc4… ?
Thanks again!

edit: I will just use the update tool to be safe… The best way to not screw up anything.

adw · January 17, 2022, 11:57pm

No worries. That’s a normal part of the learning process for many of us. I’ve been there many times.