"WHY" is it wrong or discouraged to update with apt or dnf on the terminal of a template? It was second nature, now what?

Hi! I am sure others have done it. I looked into the topics and found nothing, except the same as the documentation: that it is in fact discouraged and strongly recommended against to run apt or dnf update commands in your templates.

I understand that the Qubes updater tool is the best and most secure option. I just recently started using Qubes OS and, when trying (successfully) to install NextCloud Desktop on Debian, and previously on Fedora templates, I ran the update command by mistake, as I was always used to on the two distros.

THE QUESTIONS:

  • I want to understand if I should think of reinstalling the templates.
  • What did I possibly open the door to?
  • If in reality I am most likely fine for now, should I just keep going on my learning curve?

Just a bit of context on the why behind the why not to do it.

Thanks!

4 Likes

I don't think you opened the door for anything.

As far as I know, the updater gives Qubes OS more control over the update process, and allows for pre-/post-update functions to be used by Qubes OS.

I wouldn't reinstall the template, I would just use the update tool moving forward.

5 Likes

Only if you want to follow best practices.

1 Like

Oh, crap… :grimacing::grimacing::grimacing:

Wait, how are we supposed to install software packages then?

1 Like

You do install them normally, as per the standards of each distro. But don't run the apt or dnf update/upgrade directly in the terminal before installing. Just use the Qubes OS updater tool. It is among the icons in the top corner, close to the cubes/battery/etc.

1 Like

This is what I think as well… not really worried, but wanted to see if I was missing anything.
Thanks!

1 Like

There's absolutely no need to reinstall the template.

The Qubes Updater is a useful tool for keeping track of templates needing updates, and batch updating those templates. But it doesn't sprinkle magic fairy dust over the updates.

If you want to manually update templates using the command line, feel free. (Or batch update or use salt, whatever suits.)

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes

That is why I wrote want, not need.

Maybe this can help you to get an overview:

1 Like

@Javs Good post. I've wondered about this since I started using Qubes a year ago.

What I'm hearing in this thread is, the end result of updating with Qubes Update vs. with dnf in the template is effectively the same in terms of security/system integrity. Is that a fair summary?

Before we accept that, I think everyone should be reminded just how scary the warning in the documentation looks (as seen here: How to update | Qubes OS ). Look:

:warning: Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)

Clearly there is a stark unresolved dissonance between the documentation and the advice proffered in this thread. So I feel like there has to be more to this question. What are the security measures it's talking about? What justification must there have been to give it a spooky caution symbol and red text? Could the documentation be wrong?

Well, here's something I read yesterday in the latest @alimirjamali's always-appreciated Weekly Review:

A major part of SELinux relabeling for the existing templates (via updater) to make memory ballooning work again. This one is educational and one of the example cases where updating via the distro's native updating tool (dnf in this case) is not enough and the user has to use the Qubes Update GUI or qubes-vm-update to make it work.

I don't entirely understand it, but how this reads to me is that there are cases in which SELinux labels are not set as intended if updating solely with dnf inside the template. SELinux is a security enhancement technology, and if things are mislabeled that could reduce its coverage. So does this actually happen? I don't know. But if nothing else, this Weekly Update note has me thinking Qubes Update really does sprinkle in at least a little magic, and it's right to wonder about the security implications of that.

1 Like

That is correct.

1 Like

You are mixing Qubes OS and the guest distros.

There can be Qubes OS specific changes that the guest OS package manager isn't going to deploy. You would need to either use the updater or salt to get them.

This doesn't mean you can't run apt or dnf in the template and get the updates for the guest distro, but this alone will not apply Qubes OS specific updates.

1 Like

Yes, that's just what I was thinking.

So in your opinion, there is nothing damaging about updating with mere dnf/apt, because it will simply leave the template in a mostly/partially updated state, from which point you always have the option to progress it to fully updated by running Qubes Update at any time. Did I understand correctly?

1 Like

Yes, but I also think that qubes-update-gui or qubes-vm-update is the best/easiest way to update your templates.

1 Like

All the details are spelled out here:

Note, however, that this post draft was never approved for official publication, so take it with a grain of salt (no pun intended).

2 Likes

@adw Thanks for this link. It was a good read and clearly is still a situation in development, but it does not look like something to lose my mind over.

One quote from the conversation you provided:

AFAIK, that's correct. The direct commands are not inherently unsafe or any less safe than they were before the introduction of Salt. (The risk to the update mechanism itself was always there.) In other words, when there are no Salt fixes to apply, they're effectively equivalent. It's just that now we have a more capable mechanism (in the sense that qubesctl is capable of doing fancy Salt things, whereas the direct commands are not). Since security is a never-ending arms race, we always have to be keeping up in order to stay secure. The trouble (discovered after this PR was opened) is that the new qubesctl update method comes with a drawback (falsely claiming to succeed when it sometimes fails), so it's not a strictly better upgrade, which means we have to combine both in a particular order to achieve optimal results.

1 Like

FWIW, the bug mentioned here was fixed a long time ago:

1 Like