Some paranoid questions on updates

First of all, thank you for what you do, members of Qubes community!

Two years ago my PCs and phones were hacked. Since then I tried many solutions.
I finally switched to HeadsOS/Qubes OS and Pixel with GrapheneOS for internet connection.
Nevertheless, time to time I still observe some weird things. It could be just coincidences as well, but we never know, it is better to be a little paranoid.

Is it impossible to hack Qubes OS via updates?
Everyday there are some updates. How often I should receive updates normally?
Why did I get the following update? What it is used for?:

Updating fedora-38-xfce
b'warning: runaway fork() in Lua script\n'

Installed packages:
Updated packages:
fwupd-plugin-flashrom 1.9.91.fc38 -> 1.9.101.fc38
fwupd-plugin-modem-manager 1.9.91.fc38 -> 1.9.101.fc38
fwupd-plugin-uefi-capsule-data 1.9.91.fc38 -> 1.9.101.fc38
fwupd 1.9.91.fc38 -> 1.9.101.fc38
hwdata 0.3761.fc38 -> 0.3772.fc38
Removed packages:

Info about system: Nitropad T430, Qubes OS 4.2.0-rc5

1 Like


Usually everyday.

The packages were outdated.

fwupd is a firmware update daemon for managing firmware updates, and hwdata is used to contain various hardware identification and configuration data, such as the pci.ids and usb.ids databases.

1 Like

To expand on this: Updates are digitally signed with cryptographic signatures, and updates without a valid signature are rejected. This makes it very difficult for a genuine update to be replaced with a malicious one. Why is it only “very difficult” but not “impossible”? Because in the real world, there is no such thing as perfect security. That doesn’t mean it’s not secure enough or that you’ll be able to find a more secure solution that you can actually install and use today.