Please extend Whonix16 support by 5 months

fujak2 · January 3, 2024, 4:51am

Hello,

I understand that QubeOS 4.2 was released the 2023-12-18, and that Whonix 16 will reach end-of-life the 2024-01-18. Considering that Whonix 17 can’t be installed on QubesOS 4.1, this gives privacy-dependent users a mere month to upgrade to the new system before being put at risk.

Please consider that some of us use QubesOS in production, and can’t afford the time and/or risks of a full upgrade in such tight delays. A general good practice is to give users at least 6 months for such an upgrade, and I believe it’s been the case with QubesOS in the past.

As I understand it, this situation is the result of an unfortunate mismatch in release schedules. Hovewer, putting QubesOS/Whonix users in such tight spot seems wrong, and arbitrarily punishing. Please consider a workable solution for us, such as extending Whonix16 support by 5 more months, or providing a way to install Whonix17 on QubesOS 4.1.

apparatus · January 3, 2024, 7:14am

github.com/QubesOS/qubes-issues

Qubes-Whonix 16 security support / Qubes R4.2 stable release date

opened 01:29PM - 07 Dec 23 UTC

closed 11:31AM - 08 Dec 23 UTC

adrelanos

T: bug R: not applicable C: Whonix P: default

Debian is not going to fix a Tor vulnerability for Debian 11 (bullseye). http…s://security-tracker.debian.org/tracker/TEMP-0000000-7CC552 That I take by the table on the Debain website marking the Tor version for that Debian release as "end-of-life". Hence Whonix 16 (Debian 11, bullseye based) won't get the fix either by any Debian package upgrade. It seems and more and more that Qubes-Whonix 16 should be deprecated. Backporting the fix to Whonix 16 be a major hassle and I don't see much point in it either staying on outdated bullseye (what Whonix 16 is based on). That seems that worst solution to me. Qubes 4.2 seems to be stuck in RC land. Now at 4.2.0-rc5. "For a full list of open bug reports affecting 4.2, please see here." https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2+label%3A%22T%3A+bug%22+is%3Aopen There is 161 bugs there. So I doubt these would all be fixed. Also for previously releases there have been tons of bugs there assigned to that release that after the release were ignored. Long story short, what's the ETA for Qubes 4.2? Days, weeks, moths, years? Maybe I should have stayed on Qubes 4.1 and supported Whonix 17 (Debian 12, bookworm based) on Qubes 4.1 only. I didn't expect that Qubes 4.2 release to go up to rc5. Usually rc3 was the last RC before final release if I am not mistaken. If Qubes 4.2 is going to be stuck in RC land for much more time then perhaps Whonix 17 needs to be released for Qubes 4.1 if that is still worth it? Also something that I would like to avoid because it would be clunky to keep testing everything for two different Qubes releases R4.1 and R4.2. Main things to test: * APT does not break due to dependency conflicts * Tor connectivity does not break (and hopefully does not break in weird ways such as it works but fails to download bigger files as in [Tor 0.4.8.9 broken in combination with vanguards](https://gitlab.torproject.org/tpo/core/tor/-/issues/40892). This would also make future development harder such as Whonix port to nftables. (https://github.com/QubesOS/qubes-issues/issues/8562) This is because then I would have to see if Qubes R.4.1 works with nftables, lead test both, etc. Also something I'd rather avoid. Maybe next time I should stay on Qubes stable longer before switching to Qubes RC. So both solutions seem awful (A), effort spent on security support for Debian 11 bullseye Whonix 16 and B) Qubes-Whonix 17 for maybe soon outdated Qubes R4.1) My favorite solution would be Qubes R4.2 to be blessed stable so a Qubes-Whonix 16 deprecation notice can be released. Update: Debian 11 in Qubes R4.1 has the same issue of a Tor vulnerability that won't be fixed by Debian.

gonzalo-bulnes · January 3, 2024, 11:55am

My understanding from the context given in the link above:

the decision to EOL Whonix-16 has to do with upstream dependencies (namely a patch that won’t make it to Debian 11)
the timing between the release of Qubes OS 4.2 and the EOL of Whonix-16 is unfortunate, but also not something that can be changed
the decision not to release Whonix-17 for Qubes OS 4.1 was made by the Whonix maintainer (not the Qubes OS team)

And (for what is worth) that decision seems well-founded to me, given the current resources available for Whonix developmemt. That’s something best discussed in the Whonix forum though.

cordial · January 3, 2024, 12:05pm

On Qubes 4.1.2 sudo release-upgrade brought the Whonix templates up to version 17 soon after it was released.

deeplow · January 3, 2024, 1:02pm

However since it only supports Qubes 4.2, I suspect that particular upgrade process hasn’t been tested officially. But if it work, it may be a practical solution for some who cannot afford to upgrade to 4.2 in such a tight timeframe

fsflover · January 3, 2024, 1:31pm

Which is why this topic should have been created on the Whonix forums, not here.

Which is why consider donating to Whonix if you can. They are doing an amazing work for the Community.

adrelanos · January 3, 2024, 4:05pm

Confirmed.

Indeed. Just too many combinations for me to keep track of. Needs to be tested and kept tested as packages are upgraded to avoid accidentally breaking R4.1 APT package manager with broken dependencies.

adw · January 4, 2024, 3:53am

To be clear, it is not an accidental timing mismatch. It is an intentional Whonix Project policy:

https://www.whonix.org/wiki/About#Qubes_Hosts

In other words, it is not a coincidence that Whonix 16’s EOL happens to be one month after the release of Qubes 4.2. Rather, the Whonix Project’s support policy intentionally sets Whonix 16’s EOL to be exactly one month after the release of Qubes 4.2.

(This is not a value judgment about the Whonix Project’s policy. It is simply a sharing of facts in an effort to clarify a possible misunderstanding.)

tempmail · January 4, 2024, 5:01pm

While I understand and find changing Whonix policy to a 5 month EOL after new Qubes release legit, I don’t understand reasoning quoted above.

Using Qubes in production will prevent you from upgrading Qubes, not Whonix. Whonix is already there in installation medium.
No matter what upgrade is needed, you have to do it at some point and any given point will cause a delay in a production. So, unavoidable.
Whose production? “Some of us”? Well, this is the last thing the devs would want and like to hear, I imagine.

Conclusion: even legit, suggestion is not justified.

FranklyFlawless · January 4, 2024, 10:07pm

It seems you have been provided with several highly relevant posts, but I will still share my input as a fellow Qubes-Whonix user.

The number one rule with computers is updating your system regularly. For an operating system configuration as important as Qubes-Whonix, updating sooner rather than later is crucial. Therefore, for your sake, I suggest migrating to Qubes 4.2.0 with Whonix 17 as soon as possible, as any previous versions of either operating system are unsupported, or will become so in the near future.

fujak2 · January 5, 2024, 3:38am

If you personaly had to choose between going for the release-upgrade or let it be outdated, which one would you go for?

As far as I understand, the unfixed issue in Debian 11 Tor is a denial of service, not something that’d break anonymity. However if they stop patching that could lead to that.

(Thanks to everyone sharing helpful/informative answers)

deeplow · January 16, 2024, 8:35am

@fujak2 there is some momentum for Whonix 17 being available on Qubes.

barto · January 29, 2024, 1:00pm

Any updates on this issue? I see, in the qubes-templates-community-testing repo, both Whonix 17 templates:

> whonix-gateway-17      0:4.0.6-202401140407  qubes-templates-community-testing
> whonix-workstation-17  0:4.0.6-202401140407  qubes-templates-community-testing

How stable/polished are they? And if not, can I help with the testing?

barto · February 1, 2024, 12:30pm

Update on the community templates for Whonix-17…
[ Tl;dr summary: they work fine, as far as I can tell ! including using sys-whonix for dom0 updates]

A couple of days ago, I reinstalled my guinea pig T480, which was in shambles after the terrible ordeal of sys-gui-gpu, with R4.1.2, to start testing Whonix-17.
After updates, Fedora & Debian template upgrades, etc., bringing the system up to date, installed the two whonix-*-17 community templates. No problems whatsoever. Got updates for them immediately, no problem. Updated the tor browser using the Tor Browser Downloader - no problem.
Proceeded (according to the Documentation) to replace/upgrade the Qubes-Whonix bits, and removed the Whonix-*-16 templates.
Have been using the system for more than two days as my daily driver (did not copy/restore the vault and other sensitive stuff though). It feels and behaves normally. Set sys-whonix as “Dom0 update qube” → running sudo qubes-dom0-update --releasever=4.1 --preserve-terminal shows the normal output (downloading the repo metadata etc.)
Apart for the fact that the templates are in the “Community Testing” repo, not the official one, they seem to be production-ready.

theonewithqubes · February 3, 2024, 3:52pm

Hi,

right after reading the EOL-News of whonix-16, an inplace upgrade was done as it is written in the whonix-docs and this is running fine on my 4.1 since one month.

adw · February 5, 2024, 9:51pm

fujak2 · February 14, 2024, 4:56am

Great to see this solved with the best possible solution. Thanks for the updates @deeplow @barto.