Is there a script which can be run to ensure dom0 is up to date with all the security updates as posted
Can concepts from functional package management be used to ensure that dom0 is fully up to date with respect to security patches addressing QSB vulns? Can hashes be used to compare the patch with the current state of the hypervisor code?
It will check for updates periodically (see Global Settings; “check for dom0 updates” should be checked). If it finds that some packages can be installed for dom0, it will create a new tray icon and send a notification to let you know that some upgrades are waiting.
Personally, I took the habit of checking Issues · QubesOS/updates-status · GitHub to see if any updates are available and to check what the changes between versions are. Maybe you can make an RSS feed of this and get notifications somewhere when something is pushed to the repos.
The GitHub update link is great; I’m wondering though if the concept of functional package management as it is applied in NixOS could also be utilized for security patches. In NixOS all the packages are hashed and those hashes are compared with the main repo to confirm they are fully up to date and the files are exactly the same. With the update manager you are just sort of trusting that the updates have been applied; there is no way of verifying this.
From what I know, every package is signed with the devs’ GPG key. When you install updates in dom0, they are verified against the key (in /etc/pki/rpm-gpg/), so you’re sure they are really coming from the original and verified source.
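The signature check described in this answer, and the hash comparison the question asks about, can both be exercised from a dom0 terminal with plain rpm(8). The script below is an added example written for this thread; it is not Qubes OS project code. It assumes only standard rpm behaviour: `rpm -q gpg-pubkey` lists the signing keys imported into the rpm database (the ones shipped under /etc/pki/rpm-gpg/), `rpm -K` checks a downloaded package file against them, and `rpm -Va` recomputes the digest of every installed file and compares it with the digest recorded at install time. The `rpm -Va` sample output embedded in the script, and the package and file names in it, are constructed so the parser can be run where rpm is not installed.

```shell
#!/bin/sh
# Added example for this thread (not Qubes OS project code): verify dom0
# packages with hashes instead of trusting the updater's tray icon.
#
# Two checks, both standard rpm(8) behaviour:
#   1. Signature trust: `rpm -q gpg-pubkey` lists the signing keys imported
#      into the rpm database (the keys under /etc/pki/rpm-gpg/), and
#      `rpm -K pkg.rpm` checks a package file against them.
#   2. Installed-file digests: `rpm -Va` recomputes the digest of every file
#      owned by a package and compares it with the digest recorded at
#      install time; files that match print nothing.
#
# `rpm -Va` lines begin with a 9-character attribute field:
#   S size  M mode  5 digest  D device  L readlink  U user  G group
#   T mtime  P capabilities; '.' means the test passed, '?' means not run.
# Column 12 is a file-type flag ('c' = config file, whose changes are
# usually legitimate local edits). A line may instead start with "missing".

# Constructed sample of `rpm -Va` output (package and paths are made up),
# used so the parser can be exercised where rpm is not installed.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/bin/example-tool
.......T.    /usr/lib/libexample.so.1
S.5....T.  c /etc/example.conf
missing     /usr/share/example/data.bin'

# Print the GPG public keys rpm will accept signatures from.
list_trusted_signing_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Check one downloaded package file's signature; non-zero exit = not trusted.
check_package_signature() {
    rpm -K "$1"
}

# Read `rpm -Va` output on stdin and print only the lines that indicate a
# digest mismatch ('5' in column 3) on a non-config file, or a missing
# file. Returns 1 if anything was printed, 0 if everything matched.
suspicious_verify_lines() {
    status=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        attrs=$(printf '%s' "$line" | cut -c1-9)
        flag=$(printf '%s' "$line" | cut -c12)
        case "$attrs" in
            missing*)
                printf '%s\n' "$line"
                status=1 ;;
            ??5*)
                [ "$flag" = "c" ] && continue
                printf '%s\n' "$line"
                status=1 ;;
        esac
    done
    return "$status"
}

# Run the digest check against the live system when rpm is available,
# otherwise against the constructed sample.
verify_installed_files() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_VERIFY_OUTPUT"
    fi | suspicious_verify_lines
}

# Usage (in dom0): DOM0_VERIFY=1 sh verify-dom0.sh
if [ "${DOM0_VERIFY:-0}" = 1 ]; then
    echo "Trusted signing keys:"; list_trusted_signing_keys
    echo "Files whose digest no longer matches the rpm database:"
    verify_installed_files && echo "(none)"
fi
```

`rpm -K` on the downloaded package is the repo-side check the question asks about: the package's own digest and signature are compared against the keys in the rpm database before anything is installed. `rpm -Va` answers the other half, whether the files on disk still match what the package delivered, but it trusts the rpm database itself, so it tells you an update landed intact rather than proving dom0 is uncompromised.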
(made the title more specific)