Downloading Qubes updates from a hostile network. How secure?

Hello, I’m connected to a wifi with malicious computers. I normally use a VPN however I downloaded and installed an update for the Debian template using the built-in updater tool. From my understanding, the updater tool connects to sys-net by default, which is super bad because it’s vulnerable to MITM attacks.

How does qubes defend agaist MITM attacks? Does qubes check for signatures for template updates similar to dom0 updates? Do I have to reformat my computer again?

You can check what vm is used with qubes-prefs updatevm.

If you want to be safer, you always have the option to route your updates through your vpn or through tor. All you need to do is select a vm that has one of those two as netvm. Or directly select sys-vpn or sys-whonix.

To change update vm:

qubes-prefs updatevm NEW_VM
1 Like

All packages in debian are signed, so unless you get a warning saying that there’s a GPG mismatch all your installed packages were fine.

That said there are definitely exploits against apt (debian’s package manager). One way to remedy this threat is to use onion services for package downloads, since with onion services you have end-to-end authentication in addition to end-to-end encryption. Whonix has a very good guide on how to onionize your repositories:


(If you’re in a country that blocks Tor I wouldn’t recommend setting it up unless you’re familiar with troubleshooting Tor and pluggable transports)

1 Like

Or you can try bridges like obfs4 or meek-azure (the latter is supposed to be working in China).

Although research is always encouraged, I wouldn’t straight up discourage people from using tor.

Sorry for not being precise, I was only discouraging people from using Tor as the UpdateVM if they’re in a country that blocks Tor, not from using Tor which I encourage everyone to do for all activities that don’t require personally identifiable information (like e-banking). Using obfs4 should be fine most of the time, but the other options (meek-azure/snowflake) absolutely suck for speed and reliability (download fails halfway) so it shouldn’t be used as the UpdateVM unless one is patient and knows how to deal with Tor and PTs well enough.

1 Like

Packages in Debian generally aren’t signed - it is the repository data
that is signed.
So the repo has a list of hashes of packages , and that list is signed.

In Fedora, it’s the opposite. Packages are signed, but repository data
isn’t signed.(generally)

Either way, if you use a package manager you have some guarantee that
the package you download is the one that was placed on the repository by
the maintainer.