Third party verification of VM updates?

It’s common practice to verify signing keys and fingerprints from numerous sources. Is there a way to confirm from other sources that the update checker on my system is accurate?

This might be overly cautious, but I would, for instance, like to see that new updates have indeed been released before proceeding to update templates. I have been getting repeated notifications to update my Debian templates, but it’s not clear where I can see a list of the actual updates from a source other than my updater.

For instance, today I got another notification to update my templates but when I manually check Index of /r4.1/vm/dists/bullseye/main/ there is no indication of recent updates. If the notification is due to some other package I installed that isn’t part of official distro updates, is there a convenient way of locally listing those packages and manually confirming elsewhere that updates have in fact been released?

Or am I underestimating the security of the package update system?

I suppose I should have predicated my question with “how secure are system package updates?” Beyond using the standard salt management system via Qubes Manager or the GUI on the system tray, is there anything else I can do to harden my update protocol? Given the fact that everything is template-based, it seems like an obvious point of weakness.

You will, of course, receive notice if there are non-Qubes Debian updates.
If you are looking for some check, create a Debian standalone, routed via Tor, and inspect the updates there with aptitude or apt update, apt list --upgradeable.

Of course, seeing that updates have been released does not guarantee that those updates are the ones that will be installed. For that you will have to trust the update mechanisms.
Here’s some guidance for Debian
Fedora signs individual RPM packages, but not repositories.
Qubes adds some extra hardening for parsing RPM packages.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
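Added example, not part of the thread and not Qubes or Debian tooling: a POSIX shell sketch of the cross-check unman describes, done against an out-of-band copy of the Debian Packages index rather than against the updater that raised the notification. It assumes two inputs: the template's installed package list (in real use from dpkg-query -W -f '${Package} ${Version}\n') and a Packages index for the suite fetched from a mirror in a throwaway standalone over Tor. The package names and version strings below are constructed for the example; the Deb822 stanza format and dpkg --compare-versions are real, the sort -V fallback is only an approximation of Debian version ordering.

```shell
#!/bin/sh
# Added example (not from the thread): list packages for which an
# independently fetched Debian "Packages" index carries a newer version
# than the one installed in a template. Inputs are assumed to come from:
#   dpkg-query -W -f '${Package} ${Version}\n' > installed     # in the template
#   .../dists/bullseye/main/binary-amd64/Packages (gunzipped)  # from a mirror
# All data in demo() is constructed for this example.

# Return 0 if $1 is a strictly newer Debian version than $2.
version_newer() {
    [ "$1" = "$2" ] && return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" gt "$2"        # the real Debian comparator
    else
        # Fallback: GNU sort -V approximates dpkg ordering for simple cases.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# Reduce a Deb822 Packages index (stanzas separated by blank lines)
# to "name version" lines, one per stanza.
index_versions() {
    awk '
        /^Package: / { pkg = $2 }
        /^Version: / { ver = $2 }
        /^$/ { if (pkg != "") print pkg, ver; pkg = ""; ver = "" }
        END  { if (pkg != "") print pkg, ver }
    '
}

# Usage: pending_upgrades INSTALLED_FILE PACKAGES_INDEX_FILE
# Prints "name installed -> candidate" for every installed package whose
# index version is newer. Packages only in the index are ignored, as are
# packages whose installed version is already newer than the index.
pending_upgrades() {
    inst_file=$1
    idx_file=$2
    index_versions < "$idx_file" | while read -r name cand; do
        inst=$(awk -v n="$name" '$1 == n { print $2 }' "$inst_file")
        [ -z "$inst" ] && continue        # not installed in this template
        if version_newer "$cand" "$inst"; then
            printf '%s %s -> %s\n' "$name" "$inst" "$cand"
        fi
    done
}

# Constructed sample data: one unchanged package, two with newer index
# versions, one where the local version is ahead, one not installed.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/installed" <<'EOF'
bash 5.1-2+deb11u1
libssl1.1 1.1.1n-0+deb11u3
openssh-client 1:8.4p1-5+deb11u1
curl 7.74.0-1.3+deb11u7
EOF
    cat > "$tmp/Packages" <<'EOF'
Package: bash
Version: 5.1-2+deb11u1
Architecture: amd64

Package: libssl1.1
Version: 1.1.1n-0+deb11u5
Architecture: amd64

Package: openssh-client
Version: 1:8.4p1-5+deb11u2
Architecture: amd64

Package: curl
Version: 7.74.0-1.3+deb11u5
Architecture: amd64

Package: vim
Version: 2:8.2.2434-3+deb11u1
Architecture: amd64
EOF
    pending_upgrades "$tmp/installed" "$tmp/Packages"
    rm -rf "$tmp"
}

demo
```

Running it prints the libssl1.1 and openssh-client lines only. Note what this does and does not establish, in line with unman's caveat: it confirms that a second source lists newer versions for packages actually present in the template, which answers the "were updates really released?" question, but it says nothing about what the updater will install; that still rests on apt verifying the signed InRelease file and the hashes of the Packages index and .deb files it chains to.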

Thanks @unman. That addresses most of my concerns. Except, of course, various templates have unique packages installed, so running apt list --upgradeable in a Debian standalone likely won’t cover everything unless the standalone includes every package installed in other VMs.

Just one point of confusion… you said Qubes adds extra hardening for parsing .rpm packages. Are you talking about the SALT management system? My understanding is that Debian templates also benefit from being updated via Qubes Manager / the system tray update GUI rather than manually via “apt upgrade” within the template terminal. If I install additional packages in a Debian template and always update through Qubes Manager, will those updates benefit from the extra security of the salted update mechanism - or are non-Qubes upgrades handled with the standard “apt upgrade”? Hope that makes sense.