Cannot change default update proxy

Hi,

When I installed Qubes 4.1 a long time ago, I remember that I explicitly selected “Enable system and template updates over the Tor anonymity network using Whonix” and have not touched this in any way.

I have been doing in-place upgrades since then, and I rarely look at Qubes OS Global Config. Today (running 4.2.4 and intending to upgrade), I had a look though, and in “Updates” I noticed:

Dom0 update proxy: sys-whonix
Default update proxy: sys-net (unexpected surprise!)
Whonix update proxy: sys-whonix

The unexpected surprise is quite confusing. Why sys-net? That’s not even sys-firewall! Very confusing.

Trying to change the default update proxy to sys-whonix (as initially intended), and clicking Apply, I am getting an error dialog box, saying:

The following error occurred: Command ‘[’/usr/lib/qubes/qubes-rpc-multiplexer’, ‘policy.Replace+50-config-updates’, ‘dom0’]’ returned non-error exit status 2.

So, I cannot change that to anything (not even to sys-firewall).

Can someone please explain:

  • How come the default update proxy is sys-net (and not sys-whonix)?
  • Why the error?
  • How can I achieve what I need?

I don't have time to consider other questions now.
Directly edit /etc/qubes/policy.d/50-config-updates ?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

I was also perplexed by this a few years ago, but my research on here confirmed that sys-net is correct (instead of sys-firewall). I also did a fresh install without sys-whonix for updates checked, and the default install made updates over sys-net.

@unman

I already had a look at the config files, including the one you mention, but it seems 50-config-updates already has the proper setting:

root@dom0:~ # grep -r UpdatesProxy /etc/qubes/policy.d/
/etc/qubes/policy.d/90-default.policy:#qubes.UpdatesProxy     *    @type:TemplateVM        @default    allow target=sys-whonix
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy      *   @tag:whonix-updatevm    @default    allow target=sys-whonix
/etc/qubes/policy.d/90-default.policy:# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy      *   @tag:whonix-updatevm    @anyvm      deny
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-net
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy      *   @anyvm                  @anyvm      deny
/etc/qubes/policy.d/50-config-updates.policy:qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
/etc/qubes/policy.d/50-config-updates.policy:qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
/etc/qubes/policy.d/50-config-updates.policy:qubes.UpdatesProxy	*	@type:TemplateVM	@default	allow target=sys-whonix

I even tried editing 90-default.policy (which has the sys-net setting), but even after that, a restarted Qubes OS Global Config still shows sys-net as the default update proxy.
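
Added example, not part of any post in this thread: qrexec policy files in /etc/qubes/policy.d/ are read in lexical filename order and the first matching rule wins, so the grep output above can be evaluated with a short script to see which update proxy a given template is actually routed to. The sketch models only the tokens that appear in that output; the VM dicts and function names are hypothetical.

```python
# Constructed input: the qubes.UpdatesProxy lines from the grep output in this
# thread, grouped by file. Rules for service "*" in other files are not shown by
# that grep and are therefore not modelled here.
POLICY = {
    "90-default.policy": """
#qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
qubes.UpdatesProxy * @anyvm @anyvm deny
""",
    "50-config-updates.policy": """
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
""",
}

def source_matches(token, vm):
    """Match a policy source token against a VM dict (name, type, tags)."""
    if token == "@anyvm":
        return True
    if token.startswith("@type:"):
        return vm["type"] == token[len("@type:"):]
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in vm["tags"]
    return token == vm["name"]

def resolve_update_proxy(vm, policy=POLICY):
    """Return (file, action, target) of the first rule matching a
    qubes.UpdatesProxy call from `vm` made without an explicit target."""
    for fname in sorted(policy):                     # lexical file order
        for raw in policy[fname].splitlines():
            fields = raw.split("#", 1)[0].split()    # drop comments, tokenize
            if len(fields) < 5:
                continue
            service, _arg, source, target, action, *params = fields
            if service not in ("qubes.UpdatesProxy", "*"):
                continue
            # Assumption: a call with no explicit target is matched by a rule
            # whose target column is @default or @anyvm.
            if target not in ("@default", "@anyvm") or not source_matches(source, vm):
                continue
            return fname, action, dict(p.split("=", 1) for p in params).get("target")
    return None, "deny", None                        # nothing matched: refuse

if __name__ == "__main__":
    debian = {"name": "debian-12", "type": "TemplateVM", "tags": set()}  # hypothetical VM
    print(resolve_update_proxy(debian))
```

Passing a dict that contains only the 90-default.policy entry shows what the same template would resolve to if 50-config-updates.policy were absent.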

@corny

I was also perplexed by this a few years ago, but my research on here confirmed that sys-net is correct (instead of sys-firewall). I also did a fresh install without sys-whonix for updates checked, and the default install made updates over sys-net.

How can this be correct, considering:

  • it doesn’t match the setting (sys-whonix or sys-firewall)
  • sys-net is distrusted (and obviously not firewalled)

?

There’s a thread on this forum (can’t find it now) where it is explained. I agree it contradicts the general approach. But if you do a new install and don’t check the Tor/sys-whonix checkbox, those updates will be sys-net in global settings.


I hope you find this thread as that still makes no sense.

After further research, I think this is a UI bug: