Issue with updates via tor error in debian 11 disposable vm

So I need a disposable standard debian 11 template.

To do so I created a clone of debian-11 template and named it debian-11-tmp-dvm.
Then I create an AppVM based on that template and configure it as disposable.

In my debian-11-tmp-dvm template the apt source is set on the tor+http address for qubes-r4 list file.
I have already installed the apt-transport-tor packet and I can update normally in the template.

But when I am trying to install software in my disp1234 AppVM I have a timeout error on socks5h…

I always keep debian-11 template as ‘stock’ and never modify them but clone them for each need to modify them.

I found the same issue when using a debian-11-minimal template.

In the scenario of an disposable AppVM based on debian-11-minimal template with Firefox installed the problem seems to be not…in my disp1234 I can install software without this timeout error on qubes tor repo…

I have been searching this issue long enough to come here and ask for help…

If anyone can advise on where to look and what to verify, I will be glad.

Cheers :nerd_face: :pray:

the problem seems not to be consistent… :smiling_face_with_tear:

it was ok for a moment and now I have again the timeout.
this is the exact error message below

user@disp7146:~$ sudo apt update
Hit:1 bullseye InRelease                         
Hit:2 bullseye-security InRelease       
Err:3 tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye InRelease
Timed out while waiting to read 'first part of response' from proxy socks5h:// [IP: 9050]

I’d try to set sys-whonix as netvm for dtvm and tbdvm, than disable all onion repositories and enable clear net repositories in the dtvm and would give it a try installing software in tbdvm.

thanks a lot for your answer.

I have try to change my netVM to sys-whonix but it doesn’t help and I still gets timeout most of time…

What do you mean exactly by the terms




Sorry to hear, but it’s not clear from your response if you disabled onion repositories and enabled http only. That helped me when I had such an issue, but your is probably different, it looks.

DTVM stands for Disposable Template Virtual Machine (debian-11-tmp-dvm) and tbdvm Template Based Disposable Virtual Machine (disp1234), apologize for not being clear.

I hope someone else will have a better suggestion.

apt-transport-tor relies on there being a working Tor on the qube.
That’s why you see the reference to port 9050.
You can do this but it is not necessary.
If you want to update over Tor, you don’t need to use tor+http. Just use
sys-whonix as the netVM, so that all traffic runs over Tor. You can
either keep the vanilla https definitions and connect to the standard
repositories, or change to the onion repository.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.


Why it works sometime then ?
Having setting the repo tor+http and without tor installed on the template.

when I update it is the template only that get updated, right ?
my template VM has no NetVM setup since it is a template…

when I update, it seems like a disp-mgmt-my-template-vm start together with my-template-vm and the update happen.

Is the disp-mgmt-my-template-vm based on the configuration in

  • qubes-manager->system->system defaults->Dom0 update VM
  • qubes-manager->system->system defaults->Default disposable template

so in anycase it will be the NetVM defined in the VM setup for those configuration that will be used for the update process ?

if a template does not have the service “qubes-update-check” will it be checked for updates availables still or not ?

Does that service needs to be present in both template VM and appVM ?

I have noticed recently that I do not get notify for updates in my qubes but when I manually check there is update waiting…