Recommendation against "qubes-dom0-update" (use "Qubes Updater" instead)

Qurious · May 19, 2021, 11:01pm

The (Updating Qubes OS | Qubes OS) page recommends against using qubes-dom0-update to update packages of dom0.

What are some possible risks for directly running sudo qubes-dom0-update rpm instead of using the “Qubes updater”?

qubicrm · May 19, 2021, 11:11pm

I think there is no risk, but you may miss some changes to the system.
If you use the “Qubes updater” you are using Salt and the Qubes team use thar to make some security fixes.
Just run “Qubes Update” afterwards.
(At least that is what I think )

Qurious · May 20, 2021, 3:20am

Upgrading dom0 with “qubes update” works for me now.

fiftyfourthparallel · May 20, 2021, 11:28am

The current state of dom0 updates seems to be:

sudo qubes-dom0-updates doesn’t have the security benefits behind the GUI Qubes Updater, which uses the Salt version of this command. The main concern is with the Qubes repo metadata (correct if wrong), which isn’t verified due to some configuration issues. This would allow an attacker to block (but not modify) a package from being updated. A fix is being worked on and @adw is currently working on an announcement for this.

The Salt version of dom0 update has a critical issue that might be exploitable, since a bug in Salt leads to updates returning "OK"s even when it fails (e.g. ethernet cable unplugged).

So there are issues in both the Salt and the regular CLI versions of dom0 updates. The latter might actually be more severe (I think), but Salt provides the additional security checks, so it might be the lesser of two evils.

Either way, I think the case could be made for a website that lists dates on which dom0 packages were updated, sorted by date (so like a calendar) where cautious users get an easy resource to check if they suspect anything is off. Just another (low-cost) layer of protections, like an invisible pocket protector.

As usual, I’m not technical so take my words with a grain of salt (no pun intended). Also, is there a way to make a signature that’s added to every post I make? That thing kids in old-timey forums use to decorate their posts with flashy banners to show off.

adw · May 20, 2021, 1:44pm

For now, I’m just running both: qubesctl (Salt / Qubes Updater) first in case it does any Salty things, then the old qubes-dom0-update in case the first one missed anything.

I understand why you want this, but I believe it would be the wrong solution to the problem. Instead, the entire update system should be set up in such a way that you don’t feel the need to manually double-check its work. The fact that a user feels the need to make sure that the system is doing its job is a sign that there is something wrong with the system (or possibly with the user’s expectation). The solution is to fix that problem (or realign the user’s expectations), not turn the user into a micromanager of mundane machine monotony.

@deeplow might know the answer to this.

ivan-jli · May 20, 2021, 8:22pm

Hello there,

Completely agree.

I was thinking also about a feature proposition: not allowing a specific software to run if it has a known vulnerability and is not patched. Simple as that. So the availability can be sacrificed in favor of security, if needed.

I would be curious to know the developers opinion about Salt - is it in your eyes “a great tool”, or it would be more correct to describe it as “the only flexible enough solution able to do the job, being not that bad from security perspective”? Or something else? I was skimming recently the following interesting article: Unix Configuration Management Tools (short: Attempts to create a new JCL for Unix are OK. But pretentions that they change the current situation to the better are open to review. Is the King naked ?) .

Best,

Ivan

onequbesuser · May 21, 2021, 1:26pm

And what if i run updates through the Qubes Manager? Is it equivalent with the qubes updater or with the cli version?

adw · May 21, 2021, 8:45pm

This sounds hard to do and would most likely be a completely separate software project in itself.

Unfortunately, that’s a weird third in-between method. It does more than just qubes-dom0-update but is not exactly the same as the Qubes Update tool. I’m strongly in favor of phasing it out, as it seems quite confusing and unnecessary to have this third method.

fiftyfourthparallel · May 22, 2021, 12:58am

I thought the Qubes Manager was just for updating domUs. There’s a way to update dom0 via the manager?

adw · May 22, 2021, 6:20pm

The “update” button is enabled for dom0, so I’d assume so. I don’t use it, so I don’t know. Anyway, I only mentioned dom0 specifically because that was the topic of conversation. My statement applies equally to updating TemplateVMs and StandaloneVMs. Just substitute whatever the direct update command is (e.g., dnf update).

fiftyfourthparallel · May 24, 2021, 8:25am

I tested the Qubes Manager dom0 update by right-clicking and selecting Update qube. No CLI or GUI appears, but the update runs in the background. I confirmed this by then trying to use sudo qubes-dom-update, which returns the message:

Existing lock /var/tmp/yum-user-RGegpV/x86_64/4.0/yum.pid: another copy is running as pid xxxx.
Another app is currently holding the yum lock; waiting for it to exit...
    The other application is: yum

But this begs the question–when using this method to update, how do you confirm what updates to install or see what has been installed?

adw · May 24, 2021, 9:49am

No idea. Seems like another reason to dislike this weird third method.

adw · May 24, 2021, 9:52am

github.com/QubesOS/qubes-issues

4.0.1-rc2 Launching "Update qube" dropdown on dom0 in Qubes Manager appears to do nothing

opened 11:54PM - 22 Dec 18 UTC

jrsmiley

C: manager/widget P: minor T: enhancement help wanted ux

### Qubes OS version:  4.0.1-rc2 ### Affected component(s): Qubes Manager ? --- ### Steps to reproduce the behavior:  Launch QM Select dom0 Left click to open dropdown Select Update qube ### Expected behavior: Pop up appears and shows checking for updates and applying any it finds. ### Actual behavior: After about 5 minutes, a window appeared saying no updates were available. ### General notes: --- ### Related issues: More evidence that the Qubes Updater app is broken: Launching "Update qube" after selecting the debian-9 template and opening the dropdown did find and apply updates to the template. QU reported that none were available even after specifically checking the checkbox for that template.

adw · May 24, 2021, 10:11am

github.com/QubesOS/qubes-issues

Replace built-in Qube Manager update functionality with the Qubes Update tool

opened 10:11AM - 24 May 21 UTC

andrewdavidwong

C: manager/widget C: updates P: major T: enhancement ux

**The problem you're addressing (if any)** There are currently three methods …for updating things in Qubes OS: 1. Direct commands (e.g., `qubes-dom0-update`, `dnf update`, `apt update`). 2. The Qubes Update tool. 3. Selecting a VM in the Qube Manager and pressing the "Update" button. (1) and (2) have clear use cases and their own advantages. (3) is a weird in-between method that is inferior to (2). For example, historically, not all of the Salt fixes applied by (2) have been applied by (3), which is a security problem. It is also suboptimal and confusing to users to have and maintain two different GUI update methods. It also would significantly complicate the [Updating Qubes OS](https://www.qubes-os.org/doc/updating-qubes-os/) documentation, which currently just pretends this third method does not exist, for the sake of user comprehension. **Describe the solution you'd like** Get rid of this weird, third update method. Replace it with the Qubes Update tool. The simplest, easiest way to start would be to simply open the Qubes Update tool whenever the "Update" button in the Qube Manager is pressed. There are ways to make this nicer. For example, whichever VM is selected when the button is pressed could already be "checked" for you in the Qubes Update tool. **Where is the value to a user, and who might that user be?** All users who are confused about how to update Qubes OS, whether to use the Qube Manager update functionality, etc. **Describe alternatives you've considered** Leaving things as they are, updating the documentation to explain, "Well, you see, there's also this third method, which is not exactly the same as either of the other two methods and has no clear use case aside from the other two. You can use it if you want, and it will *probably* be okay, but that hasn't always been the case in the past..." Users have to make this murky choice between very similar options and try to puzzle out what to do. It's much easier to be able to say, "Here's how to update Qubes OS: Use the Qubes Update tool." That's why I've chosen to keep the documentation simple and pretend that the weird third method doesn't exist, but that doesn't stop it from existing or from users discovering it and becoming confused by it. **Additional context** - User discovering that using the weird, third method to try to update dom0 appears to do nothing: https://github.com/QubesOS/qubes-issues/issues/4652 - Users (including me) confused about weird, third method and discovering that using it to update dom0 actually does do something, just doesn't show or tell you anything: https://forum.qubes-os.org/t/recommendation-against-qubes-dom0-update-use-qubes-updater-instead/4131/7?u=adw **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** I thought we already had an issue for this, but I can't find one. As mentioned above: https://github.com/QubesOS/qubes-issues/issues/4652

fiftyfourthparallel · May 26, 2021, 1:41pm

I like how the update methods are being overhauled and unified, but I worry that Qubes might become too dependent on Salt. It’s not really that risky, since the CLI methods are still around and can act as a fall-back, but non-CLI users might have trouble (especially updating individual templates) if some Salt bug gets introduced in the future and shuts down updates (the Salt updating reporting bug isn’t inspiring confidence).

That, and I seem to remember Salt getting acquired recently.

unman · May 26, 2021, 2:51pm

Qubes isn’t dependent on Salt - it’s just a useful tool in Qubes.
If there are Salt bugs we should fix them. In this case, I think that
the underlying fault is with dnf. Wherever, we should fix that upstream,
and patch in Qubes.

Salt is an open source project. It has not been acquired.
Saltstack is a private company that promotes and contributes to Salt. It
has been acquired by VMware.

fiftyfourthparallel · May 26, 2021, 3:33pm

I hope you get to the bottom of this. I’ve been antsy about updates since I started really using Qubes and this whole episode (starting with QSB-067) hasn’t helped. My memory about Salt’s acquisition was fuzzy, but it isn’t great that severe vulnerabilities seem to be popping up more and more in VMware products:

By the way, I had no idea you are on the Qubes Team. I just thought you were a really enthusiastic contributor. Hope you get your Qubes Network Viewer integrated into a future release somehow.

fsflover · October 24, 2022, 7:40pm

A post was split to a new topic: Can’t validate my Nitrokey (pro 2)