Feature request: disabling all clearnet update checks during installation process

Kerckhoffs’s principle, also known as Kerckhoffs’s law, is a principle in cryptography that states that a cryptographic system should be secure even if everything about the system, except for the key, is public knowledge. This principle is also sometimes referred to as “security through obscurity is not security.”

I think it is safe to consider it as a privacy issue for people who checked “update through Tor” at installation, but it is not a security issue.

4 Likes

I partially agree with you and open source is to some extent a guarantee of security, but on the other hand, if everyone sees the mechanism, then it is more likely to find a vulnerability in it. Let’s look at the facts, not the laws and assumptions. Last year there was an interview with Pavel Durov and he said that when he wanted to settle in the United States, his brother was persuaded by the special services to make various concessions, namely, ATTENTION - to use open libraries. I didn’t take it out of context, Paul said so.

The Qubes developers have gone out of their way to avoid collecting user data:

This conclusion doesn’t follow logically from anything you’ve said or anything in this thread.

You may not be aware of it, but this is an age-old debate about the merits of open-source versus closed-source software. You are retreading old ground here. The usual rebuttal to your argument is that if no one can “see the mechanism” (because it’s closed source), then it’s more likely that there are exploitable vulnerabilities, because no one who is motivated to find vulnerabilities has been allowed to examine it. (For example, the creators of the thing don’t have any incentive to find flaws in their own design, nor do they have any incentive to allow anyone who doesn’t share their bias to examine it.)

This anecdote demonstrates nothing.

1 Like

“Going all out” means not allowing direct connections to Qubes servers.
But this has not been done, although this is an obvious condition of the privacy policy. If developers try to follow the privacy policy, the installer should have the “check update and update via tor” checkbox checked by default.

The conclusion is quite logical. If an attacker knows which distribution you have, they will know which distribution to look for vulnerabilities in. Ignoring such obvious things is like an ostrich burying its head in the sand. Stop acting like a cheap amateur.

I did not offer a closed code, this was said as an example and you decided to argue your behavior with something, but it was unsuccessful. Read the previous message, perhaps the second time you will understand why you cannot disclose details about your OS.

No connections to the Qubes servers means no software updates. No software updates means no security patches for vulnerabilities, no bug fixes, and no features.

It’s not feasible for most OSes, including Qubes, to effectively hide this information. It’s also a form of security through obscurity, which is not real security at all, as already explained above.

Ad hominem. Blocked.

You stated a common criticism of open-source software in an age-old debate about the merits of open source versus closed source. I merely pointed this out and provided the usual rejoinder, since you did not seem to be aware that you were retreading old ground.

I have no idea what you are trying to say here, sorry.

I think this got lost in the heat and I obviously cannot speak for the OP, but there is a distinction between direct and tunneled connectivity for updates. My impression of the OP and this thread is that users want a user friendly way to ensure all update traffic out-of-the-box is tunneled (through Tor), not that all connectivity should be blocked.

3 Likes

Does some of the thought of this about “Anonymity?” Whereas Qubes is about not allowing the propagation, continuation of malware on my computer. That being the method for Qubes Security.

Thinking, that is, It would be great if someone started a Wiki somewhere about Qubes and how to be more Anonymous. What not to do. Good Techniques for how to use Whonix. I guess.

Or how to mess up using Whonix, as sometimes that is more useful.

As OP started, how not to do things that make my Qubes not anonymous.

How to set up Internet protocols, or mistakes one can make.

Things one needs to set in Qubes before booting it up for the first time.

Using Qubes as an anonymous system being a Subset of the use of Qubes.

This is what happens when you check “update through sys-whonix” 🙂

Only the check for updates is done over the qubes’ netvms.

That already exists as an easy one-click option in the installer (and has for a long time now). However, it doesn’t apply to update checks, only to updates themselves, hence:

2 Likes

Many people believe that a secure OS should have built-in tools against cyber threats (I’m not talking about computer threats).
Qubes makes it easy to use different online adapters, and many law-abiding citizens who do not commit crimes want to work from one computer (for convenience) and engage in “gonzo journalism” through a second adapter that is designed to bypass censorship. In a scenario where Qubes calmly goes online to check for updates, Qubes was useless for such a journalist, even though he expected to split the network connections into two different personalities. We only ask for basic protection against cyber threats, from the collection of telemetry and other identifiers. If Whonix templates are built in by default, it’s pretty obvious that there must be something as simple as we ask.

1 Like

I would have been very happy to take a ready-made solution, but a dozen similar topics did not provide a solution. I think it’s because commentators are wondering why it’s necessary and how it affects security. Because they don’t think it’s necessary, they don’t offer any solutions. And the solution should be simple, although not traditional, for example, 2-3 lines of code to configure nft (for sys-net) that would limit traffic, or editing the Qubes config that would force you to check for updates via sys-whonix. But there are no such solutions, because the commentators want to argue, instead of giving an accurate answer to the exact question.

1 Like
1 Like

I am once again seeing a forced distinction of consideration between update checks and update downloads:

To the normal user, there is only updates, and this includes “checking for updates” and “downloading the updates.”

3 Likes

Exactly, and it’s not about ordinary users, and even for experienced users it would be really strange to decide to separate checking and downloading updates. You might think that such a solution saves Tor traffic because, as @solene said, checking for updates requires about 80MB. Of course, this is a joke, I think the explanation for this is the speed of checking updates, but in 2025 it makes no sense, Tor works quite fast or not everyone cares about this speed. I’m not in a hurry and let the speed through Tor be 16kb, I’m ready to wait. It seems that the forced collection of IP is disguised as a harmless feature that allows you to check for updates faster.

I’d love to see the developers’ response on this. Why did they decide that it would be better? And even for an advanced user, checking the “update through Tor” checkbox in the installer means the same as checking for updates through Tor. Therefore, it looks like a disguised collection of IP, and not because I am accusing of something. You need to call a spade a spade, and if there is non-standard behavior somewhere, then you need to write about it in bold letters, otherwise it is not open source, but disguised code.

If you need statistics, you can create a questionnaire that is output after installation and it can be sent (via sys-whonix 😀) and I am sure that this way you can collect more data and not just an IP. I am not against an anonymous survey and I am ready to share the configuration of my device, as well as the country and the city, but please, IP is not an anonymous survey.

I donate and love Qubes OS, but some things really confuse me.

1 Like

Well, we’re just explaining how it actually works right now.

You may prefer to just disable update checks, then. In my experience, that works well as long as you update frequently. There’s not much need to have update checks if you’re already updating daily anyway, for example.