One Should Always Update Only Via the "Qubes Update" Tool (For Security Reasons)

Continuing the discussion from Understanding "Qubes Updater":

You should always update via the update manager for security reasons, apparently.

Yes and no, see How to update:

As a temporary mitigation until #6585 is fixed, the following update sequence is recommended (see PR #79 for explanation and discussion):

  1. Update dom0 with Salt.
  2. Update dom0 by direct command.
  3. Update templates and standalones with Salt.
  4. Update templates and standalones by direct commands.

Example using only the command line (all commands with sudo or as root):

  1. In dom0: qubesctl --show-output state.sls update.qubes-dom0
  2. In dom0: qubes-dom0-update --clean -y
  3. In dom0: qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
  4. In dom0: qubesctl --show-output --skip-dom0 --standalones state.sls update.qubes-vm
  5. In every Fedora template and standalone: dnf -y --refresh upgrade
  6. In every Debian template and standalone: apt-get clean && apt-get -y update && apt-get -y dist-upgrade && apt-get clean

Wow! This should be pinned on all front pages…

1 Like