Kicksecure qubes defaults to tor updates

http · April 2, 2025, 2:54am

I have a debian qubes which I morphed into kicksecure following the instructions here (Install Kicksecure inside Debian), but when I try to install a program via apt, it is automatically going through tor, which is strange as I didn’t go through with the final step of setting the onionized debian repositories. I don’t want anything going through tor as it is slow. Installing a simple program takes ages and I would prefer it to be on the clear net only. For example, I tried to install spyder (sudo apt install spyder) and this is what it comes back with this:


Ign:1 tor+https://deb.debian.org/debian bookworm/main amd64 libdebuginfod-common all 0.188-2.1
Ign:2 tor+https://deb.debian.org/debian bookworm/main amd64 libqt5positioning5 amd64 5.15.8+dfsg-3+deb12u1
Ign:3 tor+https://deb.debian.org/debian bookworm/main amd64 libqt5printsupport5 amd64 5.15.8+dfsg-11+deb12u2
Ign:4 tor+https://deb.debian.org/debian bookworm/main amd64 libqt5sensors5 amd64 5.15.8-2
Ign:5 tor+https://deb.debian.org/debian bookworm/main amd64 libqt5webchannel5 amd64 5.15.8-2
Ign:6 tor+https://deb.debian.org/debian bookworm/main amd64 libqt5webkit5 amd64 5.212.0~alpha4-30
Ign:7 tor+https://deb.debian.org/debian bookworm/main amd64 python3-mypy-extensions all 0.4.3-4
Ign:8 tor+https://deb.debian.org/debian bookworm/main amd64 python3-pathspec all 0.11.0-1
Ign:9 tor+https://deb.debian.org/debian bookworm/main amd64 python3-platformdirs all 2.6.0-1
Ign:10 tor+https://deb.debian.org/debian bookworm/main amd64 python3-typing-extensions all 4.4.0-1
Ign:11 tor+https://deb.debian.org/debian bookworm/main amd64 black all 23.1.0-1
Ign:12 tor+https://deb.debian.org/debian bookworm/main amd64 libtk8.6 amd64 8.6.13-2
Ign:13 tor+https://deb.debian.org/debian bookworm/main amd64 tk8.6-blt2.5 amd64 2.5.3+dfsg-4.1
Ign:14 tor+https://deb.debian.org/debian bookworm/main amd64 blt amd64 2.5.3+dfsg-4.1
Ign:15 tor+https://deb.debian.org/debian bookworm/main amd64 docutils-common all 0.19+dfsg-6
Ign:16 tor+https://deb.debian.org/debian bookworm/main amd64 fonts-elusive-icons all 2.0.0-4
Ign:17 tor+https://deb.debian.org/debian bookworm/main amd64 fonts-fork-awesome all 1.2.0+ds1-1

It goes on much longer than that but that is the general idea. At the end of each line it says it is connecting to SOCKS5h proxy.

How do I go about making it so that all repositories are clearnet only? I have never really used tor and don’t really have a need for it. I tried the tor browser a few times a few years ago but hardly any websites worked, and when they did it was ridiculously slow. Just to download spyder via apt has taken at least an hour!

unman · April 2, 2025, 10:39am

I haven’t checked so this is likely:
The definitions are in /etc/apt/sources.list and /etc/apt/sources.list.d
If you examine those files then you will see the tor+https definitions.
Comment out those lines and uncomment the lines with https://
definitions.

You’re giving up on the privacy of Tor. Your choice.

http · April 2, 2025, 12:58pm

Thanks for the reply unman. I understand what you mean on tor privacy but I am mainly interested in security. Of course privacy is important but my needs don’t require anything like tor as all my needs are on the clearnet. I mainly wanted kicksecure for its kernel hardening. I checked in the /etc/apt/sources.list.d and the one it reads off is debian.list

here it says:

## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## This is a default sources.list for Anonymity Linux Distributions,
## which are derivatives of Debian.

## If you want to see the example, which came with the upstream
## distribution, see: /usr/share/doc/apt/examples/sources.list

## Instead of directly editing this file,
## the user is advised to create the following file:
## /etc/apt/sources.list.d/user.list
## This is because when this package gets updated,
## /etc/apt/sources.list.d/debian.list will be overwritten and may receive new
## new default values and comments. The entire folder /etc/apt/sources.list.d/
## gets scanned for additional sources.list files by apt-get.
## The user may keep their settings even after updating this package.
##
## Without graphical user interface, you can use for example:
##    sudoedit /etc/apt/sources.list.d/user.list
## With graphical user interface (Xfce), you can use for example:
##    gsudoedit /etc/apt/sources.list.d/user.list

deb tor+https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb tor+https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free non-free-firmware
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free non-free-firmware
## No onion for fasttrack yet: https://salsa.debian.org/fasttrack-team/support/-/issues/27

####

So as it says instead of directly editing this file, the user is advised to create the following file: /etc/apt/sources.list.d/user.list I made a copy of the standard debian qubes list file which is qubes-r4.list and pasted it into a new file /etc/apt/sources.list.d/user.list:

 Main qubes updates repository
deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main

# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ]  https://deb.qubes-os.org/r4.2/vm bookworm-testing main

# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main


# Qubes Tor updates repositories
# Main qubes updates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main

# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing ma>

# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting >
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securityte>

# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable m>

And now I can install things quickly and spyder installed fine and works, but I do get this :

Reading package lists...
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2

Another strange thing is that when I sudo apt install something, say emacs, it is still saying tor+https but no mentions of SOCKS5 and everything is fast as I wanted it so I doubt it is actually going through tor:

Do you want to continue? [Y/n] y
Get:1 tor+https://deb.debian.org/debian bookworm/main amd64 install-info amd64 6.8-6+b1 [171 kB]
Get:2 tor+https://deb.debian.org/debian bookworm/main amd64 emacs-el all 1:28.2+1-15+deb12u4 [16.9 MB]
Get:3 tor+https://deb.debian.org/debian bookworm/main amd64 emacs-common all 1:28.2+1-15+deb12u4 [14.0 MB]
Get:4 tor+https://deb.debian.org/debian bookworm/main amd64 emacs-bin-common amd64 1:28.2+1-15+deb12u4 [103 kB]
Get:5 tor+https://deb.debian.org/debian bookworm/main amd64 libgccjit0 amd64 12.2.0-14 [8,783 kB]
Get:6 tor+https://deb.debian.org/debian bookworm/main amd64 libgif7 amd64 5.2.1-2.5 [46.9 kB]
Get:7 tor+https://deb.debian.org/debian bookworm/main amd64 m17n-db all 1.8.0-5 [1,297 kB]
Get:8 tor+https://deb.debian.org/debian bookworm/main amd64 libotf1 amd64 0.9.16-4 [55.5 kB]
Get:9 tor+https://deb.debian.org/debian bookworm/main amd64 libm17n-0 amd64 1.8.0-6 [254 kB]
Get:10 tor+https://deb.debian.org/debian bookworm/main amd64 emacs-gtk amd64 1:28.2+1-15+deb12u4 [5,986 kB]
Get:11 tor+https://deb.debian.org/debian bookworm/main amd64 emacs all 1:28.2+1-15+deb12u4 [16.7 kB]
Get:12 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 exim4-config all 4.96-15+deb12u7 [256 kB]
Get:13 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 exim4-base amd64 4.96-15+deb12u7 [1,118 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 libgnutls-dane0 amd64 3.7.9-2+deb12u4 [407 kB]
Get:15 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 exim4-daemon-light amd64 4.96-15+deb12u7 [605 kB]
Get:16 tor+https://deb.debian.org/debian bookworm/main amd64 fonts-noto-color-emoji all 2.042-0+deb12u1 [9,894 kB]
Get:17 tor+https://deb.debian.org/debian bookworm/main amd64 gsasl-common all 2.2.0-1 [182 kB]
Get:18 tor+https://deb.debian.org/debian bookworm/main amd64 guile-3.0-libs amd64 3.0.8-2 [6,645 kB]
Get:19 tor+https://deb.debian.org/debian bookworm/main amd64 libgssglue1 amd64 0.7-1.1 [20.1 kB]
Get:20 tor+https://deb.debian.org/debian bookworm/main amd64 libntlm0 amd64 1.6-4 [84.8 kB]
Get:21 tor+https://deb.debian.org/debian bookworm/main amd64 libgsasl18 amd64 2.2.0-1 [209 kB]
Get:22 tor+https://deb.debian.org/debian bookworm/main amd64 mailutils-common all 1:3.15-4 [781 kB]
Get:23 tor+https://deb.debian.org/debian bookworm/main amd64 mysql-common all 5.8+1.1.0 [6,636 B]
Get:24 tor+https://deb.debian.org/debian bookworm/main amd64 mariadb-common all 1:10.11.11-0+deb12u1 [25.5 kB]
Get:25 tor+https://deb.debian.org/debian bookworm/main amd64 libmariadb3 amd64 1:10.11.11-0+deb12u1 [180 kB]
Get:26 tor+https://deb.debian.org/debian bookworm/main amd64 libpq5 amd64 15.12-0+deb12u2 [192 kB]
Get:27 tor+https://deb.debian.org/debian bookworm/main amd64 libmailutils9 amd64 1:3.15-4 [922 kB]
Get:28 tor+https://deb.debian.org/debian bookworm/main amd64 mailutils amd64 1:3.15-4 [567 kB]
Fetched 69.7 MB in 10s (6,927 kB/s)                                            
Preconfiguring packages ...
Selecting previously unselected package install-info.
(Reading database ... 191442 files and directories currently installed.)
Preparing to unpack .../install-info_6.8-6+b1_amd64.deb ...
Unpacking install-info (6.8-6+b1) ...
Setting up install-info (6.8-6+b1) ...
Selecting previously unselected package emacs-el.
(Reading database ... 191457 files and directories currently installed.)
Preparing to unpack .../00-emacs-el_1%3a28.2+1-15+deb12u4_all.deb ...
Unpacking emacs-el (1:28.2+1-15+deb12u4) ...
Selecting previously unselected package emacs-common.
Preparing to unpack .../01-emacs-common_1%3a28.2+1-15+deb12u4_all.deb ...
Unpacking emacs-common (1:28.2+1-15+deb12u4) ...
Selecting previously unselected package emacs-bin-common.
Preparing to unpack .../02-emacs-bin-common_1%3a28.2+1-15+deb12u4_amd64.deb ...
Unpacking emacs-bin-common (1:28.2+1-15+deb12u4) ...
Selecting previously unselected package libgccjit0:amd64.
Preparing to unpack .../03-libgccjit0_12.2.0-14_amd64.deb ...
Unpacking libgccjit0:amd64 (12.2.0-14) ...
Selecting previously unselected package libgif7:amd64.
Preparing to unpack .../04-libgif7_5.2.1-2.5_amd64.deb ...
Unpacking libgif7:amd64 (5.2.1-2.5) ...
Selecting previously unselected package m17n-db.
Preparing to unpack .../05-m17n-db_1.8.0-5_all.deb ...
Unpacking m17n-db (1.8.0-5) ...
Selecting previously unselected package libotf1:amd64.
Preparing to unpack .../06-libotf1_0.9.16-4_amd64.deb ...
Unpacking libotf1:amd64 (0.9.16-4) ...
Selecting previously unselected package libm17n-0:amd64.
Preparing to unpack .../07-libm17n-0_1.8.0-6_amd64.deb ...
Unpacking libm17n-0:amd64 (1.8.0-6) ...
Selecting previously unselected package emacs-gtk.
Preparing to unpack .../08-emacs-gtk_1%3a28.2+1-15+deb12u4_amd64.deb ...
Unpacking emacs-gtk (1:28.2+1-15+deb12u4) ...
Selecting previously unselected package emacs.
Preparing to unpack .../09-emacs_1%3a28.2+1-15+deb12u4_all.deb ...
Unpacking emacs (1:28.2+1-15+deb12u4) ...
Selecting previously unselected package exim4-config.
Preparing to unpack .../10-exim4-config_4.96-15+deb12u7_all.deb ...
Unpacking exim4-config (4.96-15+deb12u7) ...
Selecting previously unselected package exim4-base.
Preparing to unpack .../11-exim4-base_4.96-15+deb12u7_amd64.deb ...
Unpacking exim4-base (4.96-15+deb12u7) ...
Selecting previously unselected package libgnutls-dane0:amd64.
Preparing to unpack .../12-libgnutls-dane0_3.7.9-2+deb12u4_amd64.deb ...
Unpacking libgnutls-dane0:amd64 (3.7.9-2+deb12u4) ...
Selecting previously unselected package exim4-daemon-light.
Preparing to unpack .../13-exim4-daemon-light_4.96-15+deb12u7_amd64.deb ...
Unpacking exim4-daemon-light (4.96-15+deb12u7) ...
Selecting previously unselected package fonts-noto-color-emoji.
Preparing to unpack .../14-fonts-noto-color-emoji_2.042-0+deb12u1_all.deb ...
Unpacking fonts-noto-color-emoji (2.042-0+deb12u1) ...
Selecting previously unselected package gsasl-common.
Preparing to unpack .../15-gsasl-common_2.2.0-1_all.deb ...
Unpacking gsasl-common (2.2.0-1) ...
Selecting previously unselected package guile-3.0-libs:amd64.
Preparing to unpack .../16-guile-3.0-libs_3.0.8-2_amd64.deb ...
Unpacking guile-3.0-libs:amd64 (3.0.8-2) ...
Selecting previously unselected package libgssglue1:amd64.
Preparing to unpack .../17-libgssglue1_0.7-1.1_amd64.deb ...
Unpacking libgssglue1:amd64 (0.7-1.1) ...
Selecting previously unselected package libntlm0:amd64.
Preparing to unpack .../18-libntlm0_1.6-4_amd64.deb ...
Unpacking libntlm0:amd64 (1.6-4) ...
Selecting previously unselected package libgsasl18:amd64.
Preparing to unpack .../19-libgsasl18_2.2.0-1_amd64.deb ...
Unpacking libgsasl18:amd64 (2.2.0-1) ...
Selecting previously unselected package mailutils-common.
Preparing to unpack .../20-mailutils-common_1%3a3.15-4_all.deb ...
Unpacking mailutils-common (1:3.15-4) ...
Selecting previously unselected package mysql-common.
Preparing to unpack .../21-mysql-common_5.8+1.1.0_all.deb ...
Unpacking mysql-common (5.8+1.1.0) ...
Selecting previously unselected package mariadb-common.
Preparing to unpack .../22-mariadb-common_1%3a10.11.11-0+deb12u1_all.deb ...
Unpacking mariadb-common (1:10.11.11-0+deb12u1) ...
Selecting previously unselected package libmariadb3:amd64.
Preparing to unpack .../23-libmariadb3_1%3a10.11.11-0+deb12u1_amd64.deb ...
Unpacking libmariadb3:amd64 (1:10.11.11-0+deb12u1) ...
Selecting previously unselected package libpq5:amd64.
Preparing to unpack .../24-libpq5_15.12-0+deb12u2_amd64.deb ...
Unpacking libpq5:amd64 (15.12-0+deb12u2) ...
Selecting previously unselected package libmailutils9:amd64.
Preparing to unpack .../25-libmailutils9_1%3a3.15-4_amd64.deb ...
Unpacking libmailutils9:amd64 (1:3.15-4) ...
Selecting previously unselected package mailutils.
Preparing to unpack .../26-mailutils_1%3a3.15-4_amd64.deb ...
Unpacking mailutils (1:3.15-4) ...
Setting up libotf1:amd64 (0.9.16-4) ...
Setting up mysql-common (5.8+1.1.0) ...
update-alternatives: using /etc/mysql/my.cnf.fallback to provide /etc/mysql/my.c
nf (my.cnf) in auto mode
Setting up libgnutls-dane0:amd64 (3.7.9-2+deb12u4) ...
Setting up fonts-noto-color-emoji (2.042-0+deb12u1) ...
Setting up guile-3.0-libs:amd64 (3.0.8-2) ...
Setting up libpq5:amd64 (15.12-0+deb12u2) ...
Setting up m17n-db (1.8.0-5) ...
Setting up libm17n-0:amd64 (1.8.0-6) ...
Setting up mariadb-common (1:10.11.11-0+deb12u1) ...
update-alternatives: using /etc/mysql/mariadb.cnf to provide /etc/mysql/my.cnf (
my.cnf) in auto mode
Setting up libntlm0:amd64 (1.6-4) ...
Setting up mailutils-common (1:3.15-4) ...
Setting up libgssglue1:amd64 (0.7-1.1) ...
Setting up libmariadb3:amd64 (1:10.11.11-0+deb12u1) ...
Setting up libgsasl18:amd64 (2.2.0-1) ...
Setting up libgif7:amd64 (5.2.1-2.5) ...
Setting up exim4-config (4.96-15+deb12u7) ...
Adding system-user for exim (v4)
Setting up gsasl-common (2.2.0-1) ...
Setting up libgccjit0:amd64 (12.2.0-14) ...
Setting up exim4-base (4.96-15+deb12u7) ...
exim: DB upgrade, deleting hints-db
Created symlink /etc/systemd/system/timers.target.wants/exim4-base.timer → /lib/
systemd/system/exim4-base.timer.
exim4-base.service is a disabled or a static unit, not starting it.
Setting up libmailutils9:amd64 (1:3.15-4) ...
Setting up exim4-daemon-light (4.96-15+deb12u7) ...
Setting up mailutils (1:3.15-4) ...
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) 
in auto mode
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (fro
m) in auto mode
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messa
ges (messages) in auto mode
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movem
ail (movemail) in auto mode
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readms
g (readmsg) in auto mode
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotloc
k (dotlock) in auto mode
update-alternatives: using /usr/bin/mail.mailutils to provide /usr/bin/mailx (ma
ilx) in auto mode
Setting up emacs-el (1:28.2+1-15+deb12u4) ...
Setting up emacs-common (1:28.2+1-15+deb12u4) ...
Setting up emacs-bin-common (1:28.2+1-15+deb12u4) ...
update-alternatives: using /usr/bin/ctags.emacs to provide /usr/bin/ctags (ctags
) in auto mode
update-alternatives: using /usr/bin/ebrowse.emacs to provide /usr/bin/ebrowse (e
browse) in auto mode
update-alternatives: using /usr/bin/emacsclient.emacs to provide /usr/bin/emacsc
lient (emacsclient) in auto mode
update-alternatives: using /usr/bin/etags.emacs to provide /usr/bin/etags (etags
) in auto mode
Setting up emacs-gtk (1:28.2+1-15+deb12u4) ...
update-alternatives: using /usr/bin/emacs-gtk to provide /usr/bin/emacs (emacs) 
in auto mode
Install emacsen-common for emacs
emacsen-common: Handling install of emacsen flavor emacs
Install dictionaries-common for emacs
install/dictionaries-common: Byte-compiling for emacsen flavour emacs
Setting up emacs (1:28.2+1-15+deb12u4) ...
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for libc-bin (2.36-9+deb12u10) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for qubes-core-agent (4.2.41-1+deb12u1) ...
Processing triggers for security-misc (3:40.9-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NA
ME: 'postinst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map co
nfig file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener en
able
permission-hardener: [NOTICE]: Managing (S|G)UID of line:  setgid='true' existin
g_mode='2755' new_mode='744' file='/usr/bin/dotlock.mailutils'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root 
root 744 /usr/bin/dotlock.mailutils
permission-hardener: [NOTICE]: Managing (S|G)UID of line: setuid='true'  existin
g_mode='4755' new_mode='744' file='/usr/sbin/exim4'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root 
root 744 /usr/sbin/exim4
permission-hardener: [NOTICE]: To compare the current and previous permission mo
des, install 'meld' (or preferred diff tool) for comparison of file mode changes
:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permis
sion-hardener/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
Processing triggers for install-info (6.8-6+b1) ...
Processing triggers for mailcap (3.70+nmu1) ...
Processing triggers for fontconfig (2.14.1-4) ...
Hit:1 tor+https://deb.debian.org/debian bookworm InRelease
Hit:2 tor+https://deb.debian.org/debian bookworm-updates InRelease
Hit:3 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Hit:4 tor+https://deb.debian.org/debian bookworm-backports InRelease
Hit:5 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Hit:6 tor+https://deb.kicksecure.com bookworm InRelease
Hit:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease
Reading package lists...
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following package was automatically installed and is no longer required:
  libplymouth5
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  tzdata
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst tzdata [2025a-0+deb12u1] (2025b-0+deb12u1 Debian:12-updates/stable-updates [all])
Conf tzdata (2025b-0+deb12u1 Debian:12-updates/stable-updates [all])

So while everything now seems to be perfect as far as functionality goes it still says tor+https (but without saying SOCKS5 proxy, and is very fast just as I wanted it so clearly is not actually going through tor) which is strange, and I get a duplicate sources warning. I thought the user.list was supposed to override the others without any hiccup? It seems to work function wise but I don’t know why it is still saying tor+https and the duplicate warning?

Any advice would be tremendously appreciated!

unman · April 3, 2025, 2:12am

Reading package lists…
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/qubes-r4.list:2 and /etc/apt/sources.list.d/user.list:2

You have left the definitions in qubes-r4.list active. Comment then out.
You should also comment out the entries in debian.list and have clearnet
connections for debian archives in user.list (or some other file).

Incidentally, a package upgrade should never overwrite user changes to
config files. The kicksecure note suggests that it will - I dont know
why this should be the case.

You have not commented out the tor+https enties in debian.list and
replaced them with vanilla definitions. Absent any evidence, I would say
that these entries are running over Tor.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

http · April 3, 2025, 4:10pm

thank you unman. so what I have done here is commented out everything on the debian.list and qubes-r4.list. Then I made a new user.list with this copied into it


deb https://deb.debian.org/debian bookworm main non-free-firmware
#deb-src https://deb.debian.org/debian bookworm main non-free-firmware

deb https://security.debian.org/debian-security bookworm-security main non-free-firmware
#deb-src https://security.debian.org/debian-security bookworm-security main non-free-firmware

deb https://deb.debian.org/debian bookworm-updates main non-free-firmware
#deb-src https://deb.debian.org/debian bookworm-updates main non-free-firmware

Which I got from here https://wiki.debian.org/SourcesList (I commented out the source files as I don’t need them).

The qubes-r4.list file which was used for the updates states that it is signed by a key in /usr/share/keyrings. Obviously these vanilla debian repos are not so is there a security risk in this?

deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main

Another thing is that the repo from the derivative.list file is also still showing up when I apt update. But I think this is for the kicksecure updates so I am not sure what to do about that, but it is still coming up with tor+https for that one. Here is an example


sudo apt update          
Hit:1 https://deb.debian.org/debian bookworm InRelease
Hit:2 https://deb.debian.org/debian bookworm-updates InRelease                              
Hit:3 https://security.debian.org/debian-security bookworm-security InRelease               
Hit:4 tor+https://deb.kicksecure.com bookworm InRelease                    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

The derivative.list file is this

  GNU nano 7.2                           derivative.list                                     
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## /etc/apt/sources.list.d/derivative.list

## This file has been automatically created by repository-dist.
## If you make manual changes to it, your changes get lost next time you run
## the repository-dist tool.
## You can conveniently manage this file, using the repository-dist tool.
## For any modifications (delete this file, use stable version, use testers
## version or use developers version), please use the repository-dist tool.
## Run:
##    sudo repository-dist
## Leaving source line disabled by default to save some time, it's not useful
## anyway, since it's better to get the source code from the git repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.kicksecure.com bookworm m>
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.kicksecure.com bookw>

I have read the man page for repository-dist but nothing there seems to explain how edit it to stop tor.

Apart from that, everything seems to be working fine.
Thank you again for your help unman.