adw
August 15, 2024, 2:43am
20
justwhy:
First of all, it was impossible to actually choose “none” at the “Default update proxy” field at “Qubes OS Global Config”. The option is there, you can choose it, but it just not being saved, when you reopen Global Config you can see some other option chosen already.
justwhy:
If it’s not a bug, why even make possible to choose “none” as Default update proxy, when it can’t be really used?
Please feel free to open a bug report for this (if one doesn’t already exist).
justwhy:
Why automatically add all new qubes to exceptions, without even signaling to user, that it will happen? Isn’t it contradicts the very sense of “exceptions”?
It already does inform the user. In the screenshot below, it’s a red box containing a “red shield with exclamation point” icon next to text stating that it applies only to existing qubes and that new qubes will have update checking enabled by default:
(However, I’ve noted a problem with this.)
justwhy:
Why don’t enable updates check over sys-whonix when it is enabled for updates download? I found other people asking the same question on this forum without an answer.
Probably because no one has opened an issue for it yet. I searched the issue tracker and wasn’t able to find one, so I’ve just opened one:
opened 02:38AM - 15 Aug 24 UTC
T: bug
P: major
privacy
C: Whonix
needs diagnosis
C: updates
affects-4.2
[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/)
#… ## Qubes OS release
4.2
### Brief summary
In the installer, there's an option to "Enable system and template updates over the Tor anonymity network using Whonix." Many users mistakenly understand this to mean that all of their update *checks* will also be done over Tor (via `sys-whonix`), when in reality only actual updates are done over Tor.
### Steps to reproduce
1. Install Qubes OS.
2. Select "Enable system and template updates over the Tor anonymity network using Whonix."
### Expected behavior
Many users expect that update *checks* will go over Tor, not just the actual updates themselves.
Examples:
- https://forum.qubes-os.org/t/24325
- https://forum.qubes-os.org/t/28235
- https://forum.qubes-os.org/t/974
### Actual behavior
Only the actual update happens over Tor.
### Possible solutions
- Make it so that selecting "Enable system and template updates over the Tor anonymity network using Whonix" also causes all update *checks* to go over Tor.
- Preserve the current behavior, but improve the UX and documentation to make it clear how things actually work and why. Part of the reason some users have this mistaken expectation is because they believe that the only purpose of routing updates over Tor is for privacy. They don't realize that there are [specific security benefits](https://forum.qubes-os.org/t/update-check-without-sys-whonix/974/4) independent of any privacy benefits. If the current behavior isn't changed, then the system and/or documentation should help users to understand why it's implemented this way and thereby better set users' expectations.
Related: https://github.com/QubesOS/qubes-issues/issues/7586
justwhy:
It deeply disappoints me, because as I understand, even if I choose everything to update through whonix, it will still check for updates over clearnet.
Not if you disable all update checks.
Updating over Tor has specific security benefits:
Downloading dom0 and template updates over Tor can provide specific security benefits by making it more difficult for you to be subject to targeted attacks involving malicious or withheld packages. For example:
An attacker may have gained access to an authentic upstream package signing key. He can use this key to sign a malicious package that is intended only for you. If you download updates using Tor, you force him to distribute the malicious package to everyone instead of only to you, which…
This is not accurate. For an accurate description of the situation, see: Privacy policy | Qubes OS
Qubie:
Qubes devs really messed this moment, by doing everything the way they did. They confused the users by giving them false feeling that they can hide Qubes presence by enabling that whonix proxy feature. They could at least somehow explain in their docs what really must be done for this purpose or explain in installer how really works whonix update proxy feature in order do not confuse users by this, because as we know with you - hiding presence of such OSes like Qubes can be really important thing for many users around the world.
tanky0u:
The OP issue has been bugging me for a few years as well. I noticed that even though I have set “Update Proxy” as sys-whonix in QubesOS global settings, so many times I noticed that I get “updates available” notification in the xfce-tray even though the sys-whonix wasn’t running (off, offline, shutdown). Imagine my shock and confusion.
Surprised so many people have had a problem with this for so long, yet no one has opened an issue for it (at least not that I was able to find)! Anyway, opened one now:
opened 02:38AM - 15 Aug 24 UTC
T: bug
P: major
privacy
C: Whonix
needs diagnosis
C: updates
affects-4.2
[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/)
#… ## Qubes OS release
4.2
### Brief summary
In the installer, there's an option to "Enable system and template updates over the Tor anonymity network using Whonix." Many users mistakenly understand this to mean that all of their update *checks* will also be done over Tor (via `sys-whonix`), when in reality only actual updates are done over Tor.
### Steps to reproduce
1. Install Qubes OS.
2. Select "Enable system and template updates over the Tor anonymity network using Whonix."
### Expected behavior
Many users expect that update *checks* will go over Tor, not just the actual updates themselves.
Examples:
- https://forum.qubes-os.org/t/24325
- https://forum.qubes-os.org/t/28235
- https://forum.qubes-os.org/t/974
### Actual behavior
Only the actual update happens over Tor.
### Possible solutions
- Make it so that selecting "Enable system and template updates over the Tor anonymity network using Whonix" also causes all update *checks* to go over Tor.
- Preserve the current behavior, but improve the UX and documentation to make it clear how things actually work and why. Part of the reason some users have this mistaken expectation is because they believe that the only purpose of routing updates over Tor is for privacy. They don't realize that there are [specific security benefits](https://forum.qubes-os.org/t/update-check-without-sys-whonix/974/4) independent of any privacy benefits. If the current behavior isn't changed, then the system and/or documentation should help users to understand why it's implemented this way and thereby better set users' expectations.
Related: https://github.com/QubesOS/qubes-issues/issues/7586
4 Likes