adw
January 22, 2025, 8:54pm
31
That already exists as an easy one-click option in the installer (and has for a long time now). However, it doesn’t apply to update checks, only to updates themselves, hence:
opened 02:38AM - 15 Aug 24 UTC
T: bug
C: installer
P: major
ux
privacy
C: Whonix
needs diagnosis
C: updates
affects-4.2
[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/)
#…
## Qubes OS release
4.2
### Brief summary
In the installer, there's an option to "Enable system and template updates over the Tor anonymity network using Whonix." Some users mistakenly understand this to mean that all update *checks* will also be done over Tor (via `sys-whonix`), when in reality only actual updates are done over Tor.
### Steps to reproduce
During Qubes OS installation, select the option to "Enable system and template updates over the Tor anonymity network using Whonix."
### Expected behavior
Some users expect that update *checks* will go over Tor, not just the actual updates themselves.
Examples:
- https://forum.qubes-os.org/t/24325
- https://forum.qubes-os.org/t/28235
- https://forum.qubes-os.org/t/974
### Actual behavior
Only the actual update happens over Tor.
### Possible solutions
- Make it so that selecting "Enable system and template updates over the Tor anonymity network using Whonix" also causes all update *checks* to go over Tor.
- Preserve the current behavior, but update the software UX and documentation to make it clear how things actually work and why. Also, implement https://github.com/QubesOS/qubes-issues/issues/7586 so that users who desire the expected behavior can configure their own systems to achieve it.
Part of the reason some users have this mistaken expectation is because they believe that the only purpose of routing updates over Tor is for privacy (e.g., trying to hide the fact that they're using Qubes OS from their ISP, government, or others). From their perspective, it makes no sense to route updates over Tor while routing update checks over clearnet. They're not aware that there are [specific security benefits](https://forum.qubes-os.org/t/update-check-without-sys-whonix/974/4) to updating over Tor independent of any privacy benefits and that running update checks over clearnet doesn't detract from these security benefits. They're not aware that these security benefits (and not any purported privacy benefits) were the primary motivation for the implementation of this feature, which is why it currently works the way it does. If the current behavior isn't changed, then the software UX and documentation should be updated to help users to understand why it's implemented this way and thereby better set users' expectations.
This is primarily a UX bug, but the resolution need not be purely a UX solution.
2 Likes