Hi! I am sure others have done it, I look into the topics and found nothing, except the same as the documentation, that it is in fact discourage and strongly recommended against to update apt or dnf commands in your templates.
I understand that Qubes updater tool is the best and secure option, I just recently starter using Qubes OS and, when trying (successfully) to install NextCloud Desktop on Debian, and previously on Fedora templates, I ran the Updates command by mistake as I was always used to on the two distros.
THE QUESTIONS:
I want to understand if I should think of reinstalling the templates.
To what I possibly open the door to?
If in reality i am most likely fine for now, and should just keep going on my learning curve?
Just a bit of context on the why behind the why not to do it.
As fare as I know, the updater gives Qubes OS more control over the update process, and allows for pre- / post-update functions to be used by Qubes OS.
I wouldnāt reinstall the template, I would just use the update tool moving forward.
You do install them normally as by the standards of each distro. But not run the apt or dnf update/upgrade directly on terminal before installing. Just use the qubes os updater tool. It is on the icons on the top corner close to the cubes/battery/etc.
Thereās absolutely no need to reinstall the template.
The Qubes Updater is a useful tool for keeping track of templates
needing updates, and batch updating those templates. But it doesnāt
sprinkle magic fairy dust over the updates.
If you want to manually update templates using the command line, feel
free. (Or batch update or use salt, whatever suits.)
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
@Javs Good post. Iāve wondered about this since I started using Qubes a year ago.
What Iām hearing in this thread is, the end result of updating with Qubes Update vs. with dnf in the template is effectively the same in terms of security/system integrity. Is that a fair summary?
Before we accept that, I think everyone should be reminded just how scary the warning in the documentation looks (as seen here: How to update | Qubes OS ). Look:
Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)
Clearly there is a stark unresolved dissonance between the documentation and the advice proffered in this thread. So I feel like there has to be more to this question. What are the security measures itās talking about? What justification must there have been to give it a spooky caution symbol and red text? Could the documentation be wrong?
Well, hereās something I read yesterday in the latest @alimirjamali 's always-appreciated Weekly Review:
A Major part of SELinux relabling for the existing templates (via updater) to make memory ballooning work again. This one is education and one of the example cases where updating via the distroās native updating tool (dnf in this case) is not enough and user has to use the Qubes Update GUI or qubes-vm-update to make it work.
I donāt entirely understand it, but how this reads to me is that there are cases in which SELinux labels are not set as intended if updating solely with dnf inside the template. SELinux is a security enhancement technology, and if things are mislabeled that could reduce its coverage. So does this actually happen? I donāt know. But if nothing else, this Weekly Update note has me thinking Qubes Update really does sprinkle in at least a little magic, and itās right to wonder about the security implications of that.
There can be Qubes OS specific changes, that the guest OS package manager isnāt going to deploy. You would need to either use the updater or salt to get them.
This doesnāt mean you canāt run apt or dnf in the template and get the updates for the guest distro, but this alone will not apply Qubes OS specific updates.
So in your opinion, there is nothing damaging about updating with mere dnf/apt, because it will simply leave the template in a state of mostly/partially updated, from which point you always have the option to progress it to fully updated by running Qubes Update at any time. Did I understand?
@adw Thanks for this link. It was good read and clearly is still a situation in development, but does not look like something to loose my mind over it.
One quote from the conversation you provided.
AFAIK, thatās correct. The direct commands are not inherently unsafe or any less safe than they were before the introduction of Salt. (The risk to the update mechanism itself was always there.) In other words, when there are no Salt fixes to apply, theyāre effectively equivalent. Itās just that now we have a more capable mechanism (in the sense that qubesctl is capable of doing fancy Salt things, whereas the direct commands are not). Since security is a never-ending arms race, we always have to be keeping up in order to stay secure. The trouble (discovered after this PR was opened) is that the new qubesctl update method comes with a drawback (falsely claiming to succeed when it sometimes fails), so itās not a strictly better upgrade, which means we have to combine both in a particular order to achieve optimal results.