I’ve spent a lot of time reading various issues related to installing updates in Qubes OS, but still have no idea what’s working, what’s not working, whether my system is even getting updates, and what I’m actually supposed to be doing to simply update my Qubes OS v4.1 system. During OS installation, I opted to get my updates through Tor using Whonix and am now wondering whether this was a mistake because Whonix seems to be very flaky on my machine (despite me not doing anything to it).
First, I note that I almost never see updates for dom0 in the Qubes Update tool. I’m not sure I’ve actually seen any since I installed Qubes OS v4.1 ~6 weeks ago, but I may have seen one come through. Is this normal?
I also keep reading that you should update through the Qubes Update tool for security reasons, as opposed to the command line, but there may be multiple problems with this tool (e.g. “Updating via Salt falsely claims to succeed when it actually fails”, Issue #6585 in QubesOS/qubes-issues on GitHub), so what are users supposed to do?
I tried forcing updates to dom0 through the Qubes Update tool (by checking “Enable updates for qubes without known available updates.”), but this didn’t work:
- Ran for ~1 hour and did nothing (just a spinning wheel)
- I tried to cancel it, but this didn’t work either. It showed me a dialog (“Waiting for current qube to finish updating. Updates for remaining qubes have been cancelled”), but wouldn’t do anything, so I had to restart the machine.
I read through the “How to update” page of the Qubes OS documentation, but am still confused because the commands described on this page do not reliably work for me:
1st Attempt
- sudo qubesctl --show-output state.sls update.qubes-dom0: This didn’t seem to do anything, so I eventually killed it with Ctrl+C
- sudo qubesctl update.qubes-dom0: I didn’t record the error, but this kept saying something to the effect of dom0 not being available
- I restarted the machine
2nd Attempt
- sudo qubesctl --show-output state.sls update.qubes-dom0: This claimed 4 succeeded and 0 failed, but the output above indicated there was nothing to update (“No changes need to be made”, “No changes need to be made”, “Cache cleaned”, “System is already up-to-date”)
- qubes-dom0-update --clean -y: This failed in a sys-whonix shell stating “Segmentation fault (core dumped). Fetching updates failed with code 139; press Enter to exit.”
- When I restarted and logged back in, I started having major graphical issues that almost made the machine unusable. Another restart seemed to fix this, but now I’m afraid the OS is corrupted.
I should also point out that the Fedora, Whonix, and Debian updates fail ~1/3 of the time in the Qubes Update tool, but I have no idea why. Usually, rebooting and trying again fixes this, but this is very time-consuming. The updates are painfully slow as it is (despite being on a fast system) even when they do succeed, so dealing with all of this nonsense can easily consume more than 1/2 hour per day just trying to get updates installed.
Can anyone tell me how I can simply, securely, reliably update my system? I can’t find a straight answer on this, or any answer that actually works. Is it just me, or should updates be easier and more transparent on a security-focused OS? I have a hard time trusting that this is secure if I can’t even be confident that it’s receiving updates.