How to update Qubes-Whonix 17 on R4.2 officially?

Hello there!

I am relatively new to QubesOS, but dedicated to read and understand the documentation. After asking some people and getting different / unsure responses, I decided to ask here.
On this page is the (old) version of the update tool and you can see that the whonix templates are selected.
However, on this Qubes troubleshooting and this Qubes-Whonix Updates instructions, the commands apt update, dist-upgrade, full-upgrade and also (as stated on Whonix Docs to be a synonym) upgrade-nonroot are used.

Additionally, the Qubes Documentation says:

Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures.

Meanwhile, the Whonix recommendation on this topic seems rather unclear to me:

For similar reasons, it is also discouraged to open a terminal in the Template and run.

… and then an update and full-upgrade command (or upgrade-nonroot) command follows without finishing the rather unnerving warning above.

So my (first) question is:

1. What is the official (and therefore recommended) way of updating the workstation and gateway templates (and therefore qubes) in Qubes-Whonix?

Another question that might be too small for another topic is:
again on this page, its says:

If you plan to use Debian heavily, we highly recommend you install the Whonix templates and use them to update your normal Debian template.

2. Does this mean to update via the onion services with Whonix?
3. And is the missing protection of Tor when not using “Whonix templates to update normal Debian templates” the only drawback or is something different meant with the citation above?

In case my questions sound harsh: I really like QubesOs and I love reading through the documentation and its great concepts and I can’t wait to see more of it! I just want to be sure on such questions and I don’t know if I overlooked / misinterpreted something!
Thanks for reading all this.

Using the Qubes Update tool (or its command-line equivalents), as described here:

I don’t know what that means. My best guess is that it just means to route updates through sys-whonix (Tor) rather than directly through sys-firewall (clearnet). Using onion repos is a separate matter.

Again, I don’t know what was intended, but my guess is that you’re correct. To be honest, I don’t know why that’s stated in bold on that page. It seems misplaced (and, as you point out, inaccurate, since you would not be using a Whonix template to update, but rather sys-whonix).

@adw Thanks for very helpful response! Should I mark that as solved, or wait to maybe get an explanation on 2) and 3) who knows for sure?

@boreas I kinda have the same problem described in your first question, but when i update through the Qubes Updater the whonix-templates always fails and i get spammed with a notification that the whonix templates couldnt pass something to dom0. Does it work for you when you use the Qubes Updater?

I will write back as soon as I am able to try!

@oxygenlast Yes, it worked fine. Do you have sys-whonix enabled when updating?
Otherwise, if there is no topic with your problem, I would create a new topic… Good luck! (I sadly don’t have the experience to give you real feedback and don’t want to tell you sth wrong)

I don’t know whether you’ll get an explanation for (2) and (3) from someone who knows for sure, because your question is fundamentally about the intentions of the author of that sentence. Looking at the Git history, I see that this sentence was added 9 years ago by someone who has not worked on the project in many years, and even then, he was only porting over documentation from the Whonix Project. He was not the original author.

oh alright, thanks! I guess this sentence will remain a mystery forever
at some point someone who knows better will hopefully replace / update it.

I didn’t, but i will try next time i have the time. Thanks for answering.