Qubes Updater security wise misfeature

When updating via Qubes Updater gui, if skip_if_not_available is NOT false in repo file, no notification about possible fails to retrieve repomd.xml from such repos, which could lead to miss important updates for packages/versions installed from those repos.

Or I miss that notification?

Hi @enmus, I edited the title of your post to make it more specific and make it easier to find. Please correct it if I misunderstood its content! :slightly_smiling_face:

1 Like

Hey @gonzalo-bulnes. Thanks for the suggestion, but it’s not that Qubes Updater fails. There can be other updates from other repos where

skip_if_not_available=false

is set and the user wouldn’t know abuot non-transparent repo queries fail.

If there’s no false at all, then we would get No updates available on theoretically all repo fails I guess.

So, probably it is better like this then…

I believe skip_if_not_available is inherited from DNF. It’s not a Qubes-specific feature.

It’s unclear what change you’re proposing. Are you suggesting that skip_if_not_available shouldn’t exist or that it should be noisier? I think both of those would probably be upstream requests to the DNF devs.

I suggest Qubes updater to notify us which repo queries failed. That is Qubes feature.

I believe there’s already an open issue for this:

It’s similar, but I described here the case where the user might get some updates and some not in the same update action, and not knowing that.

How is that a security issue, does the template stay marked as needing updates?

No. How it could be? He was never marked by such repo as needing updates because such a repo cannot be contacted. It was/could be marked by other repo. That’s what I’m trying to explain.

For example, Fedora updates repo cannot be queried (failed) while it’s skip_if_not_available is set to true, but at the same time some other updates are obtained from Fedora repo, and no notification anywhere that querying any other repo failed if there’s no skip_if_not_available=false in repo file.
At the end of process, template is marked as successfully updated, us not knowing that fedora updates repo couldn’t be queried.

So, yes I heavily consider it as security issue.

And probably this is in combination update check service - Qubes updater relation, service (not?) informing Updater that while there are some updates for the template, some repos couldn’t be queried, and that info is not passed to the user.

All that is needed is additional comment in Updater GUI that “While template is updated, these repos couldn’t be contacted while their skip_if_not_available was set to true or the flag doesn’t exist in repo file at all”

Please feel free to open an issue for this, if one doesn’t already exist.