Replace old HTTPS repo warning with APT vuln warning #790

Merged
merged 3 commits into from Feb 17, 2019

andrewdavidwong
Member

My understanding is that the old HTTPS repo warning is no longer applicable to users who are installing Qubes 4.0.1. Meanwhile, @v6ak has suggested adding a warning about QSB 46.

@andrewdavidwong
Member Author

In the discussion thread, it was suggested that users use the GUI tools to update the templates installed from the ISO. However, I opted to instead advise users to install fresh templates, since this is what we advised as the safer route in the QSB. A user who reads a recommendation in the installation guide to use the GUI tool, then reads the QSB, will be under the impression that the installation guide is being sloppy with respect to security.

7. Check for updates normally.
8. Shut down the TemplateVM.
After installing Qubes 4.0.1, please install fresh APT-based (e.g., Debian and Whonix) TemplateVMs in order to be protected from the APT update mechanism vulnerability that was patched after the release of 4.0.1.
For instructions and further details, please see [QSB #46].
Member

Since, just after installation, templates are definitely installed using rpm (not, for example, upgraded from a previous template version or cloned), there is an easier option to reinstall them:

sudo qubes-dom0-update --action=upgrade qubes-template-debian-9

(and similar for other templates)

Do you think it's worth noting here? The full procedure described in the QSB of course works too, but is more complex (to handle the cases where the template wasn't installed directly with rpm).

Member Author

Sure, let's make it easier on users.

Member Author

Let me know what you think of the updated recommendation, @marmarek.

For instructions and further details, please see [QSB #46].
Immediately after installing Qubes 4.0.1, please upgrade all of your APT-based (e.g., Debian and Whonix) TemplateVMs by executing the following command in a dom0 terminal for each such TemplateVM:

$ sudo qubes-dom0-update --action=upgrade <template-package-name>
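Review bot: The placeholder in "$ sudo qubes-dom0-update --action=upgrade <template-package-name>" is never explained, and the sentence before it names only template families ("Debian and Whonix"), not package names. Suggest showing one concrete package name alongside the placeholder, for example qubes-template-debian-9, so the reader knows what form the argument takes and does not pass the TemplateVM's display name instead.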
Member

Should it also mention the relevant --enablerepo option for Whonix templates?

Member Author

Updated. How about now?

@andrewdavidwong andrewdavidwong merged commit b86488a into master Feb 17, 2019
@andrewdavidwong andrewdavidwong deleted the qsb-46-install-warning branch February 17, 2019 02:54