Thanks!
I use qubes 4.0
You opened a wrong file. The correct filename is âqubes.UpdatesProxyâ, you missed the âsâ. So the editor opened an empty (non-existing) file for you.
When you are entering something in the command line, you can let the system help you to choose the correct names by using Tab. For example, you write
/etc/qubes-rpc/policy/qubes.Up, then you hit Tab â and it fills the rest of the filename for you automatically.
2 Likes
Itâs spelled wrong. I made the same mistake.
Can you help me please, Im in the folder but I donât know what I should to doâŚ
how I can test it?
It looks like the right file to me now. Symbol # in front of a line means that itâs a comment. If you want to enable âUpgrade all TemplateVMs through sys-whonixâ, you need to remove # at the beginning of the next line, putting $type:TemplateVM $default allow,target=sys-whonix into force.
Then you need to save the edit by hitting ctrl+x, then y, enter. You can then open the file again and verify that itâs modified as expected.
Sorry iam Berry stupid, can you send a picture of your setting in the folderâŚ
Currently, on you screenshot you have this:
...
## Please use a single # to start your custom comments
# Upgrade all TemplateVMs through sys-whonix.
#$type:TemplateVM $default allow,target=sys-whonix
...
and you need this:
...
## Please use a single # to start your custom comments
# Upgrade all TemplateVMs through sys-whonix.
$type:TemplateVM $default allow,target=sys-whonix
...
1 Like
can I somehow check whether it works? is there anything?
thank you for your patience and help
Actually I donât know how to check that. I hope someone else could help you here.
Kill all Whonix qubes, start an update - sys-whonix should start.
I donât use Whonix so cant comment on the internals, but you may be
able to watch outgoing circuits to repositories.
You can use Onion repository instead of clearnet, ensuring that you are using tor network.
dom0
- In dom0, open
/etc/yum.repos.d/qubes-dom0.repoin a text editor. - Comment out all the
baseurl = https://yum.qubes-os.org/[...]andmetalinklines. - Uncomment all the
baseurl = [...].onionlines. - Update every
.onionaddress toyum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion. The affected lines should look like this:
#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink
- Open
/etc/yum.repos.d/qubes-templates.repoin a text editor and repeat steps 2-4.
if the onion address is same as above, you donât need to change anything, just comment / uncomment what it need.
Fedora TemplateVMs
- In the TemplateVM, open
/etc/yum.repos.d/qubes-r4.repoin a text editor. - Comment out every line that contains
yum.qubes-os.org. - Uncomment every line that contains
.onion. - Update every
.onionaddress toyum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion. The affected lines should look like this:
#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever
if the onion address is same as above, you donât need to change anything, just comment / uncomment what it need.
Debian & Whonix TemplateVMs
- In the TemplateVM, open
/etc/apt/sources.list.d/qubes-r4.listin a text editor. - Comment out every line that contains
deb.qubes-os.org. - Uncomment every line that contains
.onion. - Update every
.onionaddress todeb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion. The affected lines should look like this:
# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main
#deb-src https://deb.qubes-os.org/r4.0/vm buster main
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
if the onion address is same as above, you donât need to change anything, just comment / uncomment what it need.
4 Likes
its to bad there isnât a setting in Qubes Global Settings to change both dom0 and template updates to sys-whonix
donât like to manually edit the sources file ; as simple as it is
You have to edit the sources file to use onion repositories, not to
update over Tor.
One reason not to have a Global setting for templates is because you may
want to use different update qubes for specific templates.
I think for this fresh 4.1 installation, Iâm not going to pollute by manually changing repo sources.
someday if it was all in the QGlobalSettings, Iâd trust I wouldnât make a fatal mess or secure hole , ymmv 
like .onion sources for individual templates and Dom0 , built into the QGS tool
this post is from sept 14
is there any official maintained .onion addresses vs just changing global settings for dom0 to sys-whonix
which I imagine isnât the same
The âofficialâ onion repo addresses should already be in the .repo file, just commented out. You could simply comment out the clearnet lines and uncomment the onion lines. (Not sure if theyâre really official. I believe theyâre maintained by @unman.)
1 Like
I should mention that itâs not strictly necessary to use the onion repos. You can simply use the clearnet repos over Tor. You donât get the usual onion service benefits, but to me, those arenât very important for updates. Iâd rather not have to worry about the onion mirrors lagging behind the official ones. But thatâs just me.
1 Like
seems like qubes.UpdatesProxy in dom0
in 4.1 now just contains whonix-updatevm references
2nd line of $anyvm deny must mean all other templates use qubes-prefs updatevm choice ?
so to have templates use sys-whonix just change updatevm via $qubes-prefs ? Somehow Iâm thinking that will only do dom0
so, is it in the documentation how to make templates use sys-whonix for their updates?(*other than commenting out sources.list.d in the template, which only includes the .onion addresses) if so where ? Iâll go look again
To be clear, I donât maintain the onion mirrors. (At best I facilitate
them.)
Since they are included in the official repo definitions provided by
Qubes in dom0 and templates, I think they can be regarded as âofficialâ.
The repository data is, of course, signed by Qubes.
As with any mirror there is a slight delay in the mirroring process.
Usually this is less than 4 hours - I believe the onion repositories
currently sync hourly.
1 Like