Difficulty to upgrade Whonix TemplateVMs over clearnet considered a bug or feature? #1880
marmarek
Mar 28, 2016
Member
> Instead of repairing this complex mechanism, I am asking a more fundamental question. Is the difficulty to upgrade Whonix TemplateVMs over clearnet considered a bug or feature? Do we trust the Qubes management stack enough to really set Whonix TemplateVM's NetVM to a Whonix-Gateway ProxyVM?
I think so. I guess the mechanism was implemented to make sure the user followed the installation instructions to the end. To hide Whonix usage from ISP level observers, especially in censored areas. Without the management stack, IMHO it wasn't obvious (other than from the installation instructions) what to set to really have all Whonix related traffic over Tor.
> And if the user changes Whonix TemplateVM's NetVM to sys-firewall (or so) should the user be free to easily upgrade over clearnet or should the user be more patronized and have to jump through an additional hoop?
You tell me :) This will leak Whonix usage. How bad can it be? It depends. Ideally it should depend on Tor bridge usage, but there is no easy way to check that at template level. Maybe that message should have an additional option like "allow updates over clearnet"? Or even one with "and remember this setting"?
andrewdavidwong
Mar 28, 2016
Member
> Is the difficulty to upgrade Whonix TemplateVMs over clearnet considered a bug or feature?
I consider it a feature. (IMHO, it's even worth considering broadening it into a global Qubes feature.)
> Do we trust the Qubes management stack enough to really set Whonix TemplateVM's NetVM to a Whonix-Gateway ProxyVM?
I'm not sure I understand. What exactly is the concern? Is it that, if the mechanism were to be removed, the Qubes management stack could somehow fail, and the Whonix TemplateVM's NetVM would default to the regular clearnet ProxyVM, which could result in the user updating the Whonix TemplateVM over their clearnet connection?
> And if the user changes Whonix TemplateVM's NetVM to sys-firewall (or so) should the user be free to easily upgrade over clearnet or should the user be more patronized and have to jump through an additional hoop?
IMHO, a warning pop-up is not, in this particular case, patronizing. Rather, it's an appropriate way of protecting users from making an honest mistake (a mistake which even a competent, diligent new user could make simply due to not yet being familiar with how Qubes+Whonix works).
I think most users will expect and appreciate that Whonix errs on the side of caution in informing and warning them about taking risky actions. Speaking from a user's perspective, my expectations for privacy-oriented software are different from most other software. When I see that my privacy-oriented software has checks in place which force me to proceed carefully and methodically, it inspires confidence that the software is well-thought-out and designed to protect me. I don't feel annoyed. I feel grateful.
The only time I would feel annoyed is if there were a particular action which I performed regularly, but which I was blocked from/nagged for performing every time, with no option to opt out of the blocking/nagging. So, I do think that experienced users should be free to use whichever NetVM they want, and I think a good way to do this is to offer a "never warn me again"-type option.
adrelanos
Mar 31, 2016
Member
Axon:
> > Do we trust the Qubes management stack enough to really set
> > Whonix TemplateVM's NetVM to a Whonix-Gateway ProxyVM?
> I'm not sure I understand. What exactly is the concern? Is it that,
> if the mechanism were to be removed, the Qubes management stack could
> somehow fail, and the Whonix TemplateVM's NetVM would default to the
> regular clearnet ProxyVM, which could result in the user updating the
> Whonix TemplateVM over their clearnet connection?
Was only concerned about hypothetical bugs leading to not setting the
NetVM to sys-whonix.
Okay, so we consider this a feature.
adrelanos commented Mar 28, 2016
Currently Whonix TemplateVMs implement a check, refuse to upgrade and show a warning popup when they are not connected to a Whonix-Gateway ProxyVM. This mechanism was invented by @nrgaway.
[ Something in Qubes R3.1 has now partially broken this so this warning will be shown even if they are connected to a Whonix-Gateway ProxyVM. ]
Instead of repairing this complex mechanism, I am asking a more fundamental question. Is the difficulty to upgrade Whonix TemplateVMs over clearnet considered a bug or feature? Do we trust the Qubes management stack enough to really set Whonix TemplateVM's NetVM to a Whonix-Gateway ProxyVM?
And if the user changes Whonix TemplateVM's NetVM to sys-firewall (or so) should the user be free to easily upgrade over clearnet or should the user be more patronized and have to jump through an additional hoop?
[ Why upgrade Whonix TemplateVMs over Tor in the first place anyhow? One reason is, it hides the list of installed packages from ISP level observers which can be considered a feature as it leaks less information. However, if the user (perhaps using a standard setup) does not care about this and prefers faster package download speeds, more power to them. ]