Was there a dom0 update for R4.0 in the last few days?

We did already have existing guidelines on this, but you (and other recent events) have encouraged me to expound on them:

https://www.qubes-os.org/doc/reporting-bugs/#the-issue-tracker-is-not-a-discussion-forum
https://www.qubes-os.org/doc/reporting-bugs/#every-issue-must-be-about-a-single-actionable-thing

I think I’ve figured out what’s going on here–my default-mgmt-dvm template is based on a completely bare debian-10-minimal and none of my minimal templates contain qubes-mgmt-salt-vm-connector. Does the default-mgmt-dvm template need additional packages, such as qubes-mgmt-salt-vm-connector, or is that just for other templates?

I understand using Salt for dom0 updates offers additional layers of security, but is the same true for regular templates? Am I missing out if I update my templates without Salt?

Yes. See here:

  • default-mgmt-dvm : requires qubes-core-agent-passwordless-root and qubes-mgmt-salt-vm-connector.

Also, note that a Fedora-based mgmt VM can manage both Fedora and Debian VMs, but the converse does not hold. A Debian mgmt VM can only manage other Debian VMs, not Fedora VMs. (This is currently true in 4.0 but will probably change in the future.)

Potentially. I think the APT security bug fix was an example of this:

See the “Alternative patching for non-critical TemplateVMs” section.

One can imagine a scenario in which it is not merely an “alternative” patching method but rather the main one.

From the docs:

Important

The Minimal TemplateVMs are intended only for advanced users. If
you encounter problems with the Minimal TemplateVMs, we recommend
that you use their standard TemplateVM counterparts instead.

If something works with a standard TemplateVM but not the minimal
version, this is most likely due to user error (e.g., a missing
package or misconfiguration) rather than a bug. In such cases, please
do not file a bug report. Instead, please see Help, Support, Mailing
Lists, and Forum for the appropriate place to ask for help. Once
you have learned how to solve your problem, please contribute what
you learned to the documentation.

The Minimal TemplateVMs are intentionally minimal. Do not ask for
your favorite package to be added to the minimal template by default.

In order to reduce unnecessary risk, unused repositories have been
disabled by default. If you wish to install or update any packages
from those repositories, you must enable them.

Today I got two separate dom0 updates in a row… One of them seems suspicious. Here’s a screenshot:

Screenshot

Should I be worried?

Whether this indicates a compromise or not, I am finding the cryptic Qubes Updater to be a little bit too opaque for comfort. As discussed a few years ago in this thread, there is both a high difficulty and intense labor burden for a user that wishes to audit. Would very much like to see more visibility on the release history of qubes updates in the future.

I found the comment earlier about this being the “nothing was updated” prompt, so no need to reply to my question, but my confusion confirms the position argued in this post: Was there a dom0 update for R4.0 in the last few days? - #16 by fiftyfourthparallel

Please note that (1) you are commenting on a thread that was last active two years ago, and (2) Qubes 4.0 has been EOL for eight months.

Yes, I am aware this is an old thread. But it appears that the problem I encountered with the Qubes updater (discussed here 2 years ago) has persisted all the way to 4.1.2 without any improvement.

There is work being done to replace the salt updater with an alternative
that will provide better feedback during the update, and resolve other
issues.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.