Template Update Errors (new thread for Fedora)

unman · December 7, 2022, 1:18pm

Since you did not identify the root cause of the issue this is almost
useless, and of little help to other users.

You did not say, (and no one asked), what qube you were using to update.
You could get this information from /etc/qubes/policy/30-user.policy,
/etc/qubes/policy/90-default.policy, and /etc/qubes-rpc/policy/qubes.UpdatesProxy

You did say that you had a template-cacher
You did not say if you had a cacher qube.

The error message you reported is inconsistent with use of cacher,
since it references https access to the repositories.
As explained in the “info” for cacher, it cannot use https access, and
has to rewrite this to http://HTTPS/// - this is because https access
means that the traffic is encrypted when it reaches the caching proxy
and so cannot be dealt with.

If you were using cacher, then you would have seen a different error
message, relating to use of https repositories.
If you were using cacher, then (since other templates seemingly worked fine),
when you changed the update proxy those other templates would have
stopped working. This is because they would have repo definitions that
used http://HTTPS/// and other proxies would not know what to do with
that*.

To summarise:
We don’t know what proxy you were using.
We don’t know what templates you were able to update.
We don’t know what caused the problem.
The problem was resolved by changing the update proxy to either sys-net or
sys-firewall, but we don’t know which, or what template that qube
used.

Do you see how unhelpful this is?

huaopeng · December 8, 2022, 9:45pm

sys-whonix was the default update proxy template

all the templates were failing to update until I deleted qubes.UpdatesProxy and copied the config file from

90-default.policy and pasted it into /etc/qubes/policy/30-user.policy

I have a template-cacher but not a cacher AppVM qube

I had previously tried switching the update proxy to sys-net and sys-firewall with no success.

So the meaningful change appears to have been (from my perspective) the qubes.UpdateProxy change

Is that a better description?

enmus · December 9, 2022, 6:51am

What is mysterious to me is why @fsflover liked this post, especially when we now know that the user choose one post as a solution and then finally explained that he actually used tips from another.

unman · December 10, 2022, 3:34pm

I was unable to update Fedora templates when using sys-whonix as update proxy.
I decided to change the update proxy used by templates.
I did this by:

deleting /etc/qubes-rpc/policy/qubes.UpdatesProxy
copying the config file from /etc/qubes/policy.d/90-default.policy to /etc/qubes/policy.d/30-user.policy
editing /etc/qubes/policy.d/30-user.policy to show:
`qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-firewall

Step 2 is unnecessary, and makes it more difficult to see what user
changes have been made.
You could have simply copied the qubes.UpdatesProxy lines from
90-default.policy to 30-user.policy, and edited them to show:

qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=sys-firewall

As a “solution” this is like taking your Tesla in to the garage
with a problem and leaving with an Impala.
Or perhaps, taking your laptop in because you are having problems with
Qubes, and leaving with a shiny installation of Windows 11.

fsflover · December 10, 2022, 6:00pm

[deleted, wrong thread]

huaopeng · December 10, 2022, 6:21pm

It doesn’t always need to be the perfect line of code, sometimes it just needs to work.

unman · December 11, 2022, 12:23am

For someone who needs to update over Tor, your “solution” does not
work.
You should make that clear.

huaopeng · December 11, 2022, 12:46am

I don’t “need” to update over tor, it just seems to be more reliable

unman · December 11, 2022, 1:24am

The Forum is a resource for other users.
You should make this clear for other users.

huaopeng · December 11, 2022, 1:36am

The forum is a resource for ALL users. And documenting issues that come up and the steps taken to solve these issues.

unman · December 11, 2022, 5:56am

Yes, but you have not “solved” the issue, and you should make this clear.
To any one who needs to use Tor your “solution” is misleading at best.

You should make it clear that you gave up on updating through Tor.
We’ve done that here.

huaopeng · December 11, 2022, 6:28am

it’s funny because my 30-user.policy file does not contain qubes.UpdatesProxy lines at all

huaopeng · December 11, 2022, 6:30am

which is strange indeed because the whole issue pertains to the qubes.UpdatesProxy config or so it logically seems.

unman · December 11, 2022, 1:18pm

But you said -
all the templates were failing to update until I deleted qubes.UpdatesProxy and copied the config file from
90-default.policy and pasted it into /etc/qubes/policy/30-user.policy

Since the qubes.UpdatesProxy lines have been in 90-default.policy since
creation of that file, either you removed them from there, or you
removed them from 30-user.policy.

Either way, this is another important detail that you missed out.

huaopeng · December 11, 2022, 4:27pm

All I did was delete qubes.UpdatesProxy and then copy the text from 90-default.policy into 30-user.policy

unman · December 12, 2022, 2:54pm

For reason stated I find this hard to believe.