Document Torified update checking #1948

Open
andrewdavidwong opened this Issue May 4, 2016 · 9 comments

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone May 4, 2016

Member

unman commented Mar 22, 2018

I've pushed some changes to qubes-doc adding more information on update checking etc in 3.2 and 4.0.
dom0, and in qubes
Can you review please @adrelanos and @andrewdavidwong?
If you're happy, close this.

Member

andrewdavidwong commented Mar 23, 2018

Thank you, @unman. I gather that you're referring to QubesOS/qubes-doc@0366878. Correct?

  1. Would you mind separating the 3.2 and 4.0 content as prescribed in our Documentation Guidelines?
  2. I don't think this is an accurate description of how the UpdateVM works in 3.2. The UpdateVM is the VM in which dom0 updates are downloaded, not the VM that TemplateVMs use as their NetVM. Setting the UpdateVM to sys-whonix will not result in TemplateVMs downloading updates over Tor if those TemplateVMs still have sys-firewall as their NetVM. In fact, it will probably not even result in dom0's updates being downloaded over Tor, since traffic from sys-whonix itself is not Torified.

In the future, if you'd like to have a doc contribution reviewed, please consider submitting it as a PR so that we can leverage our established doc contribution workflow.
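
The point above about 3.2 TemplateVMs (the UpdateVM setting does not change which NetVM a template uses), as an added example that is not part of the original thread or the Qubes documentation. The one-VM-per-line inventory format, the function names and the sample VM list are assumptions made for this sketch; only `sys-whonix` and `sys-firewall` come from the discussion.

```bash
#!/usr/bin/env bash
# Added example: find TemplateVMs whose updates would bypass the Tor gateway
# on a Qubes 3.2-style setup, regardless of what the UpdateVM is set to.
# Assumed input, one VM per line: <vm-name> <vm-type> <netvm or "-">

# Print each TemplateVM whose NetVM chain never reaches the gateway ($1).
untorified_templates() {
    awk -v gw="$1" '
        { type[$1] = $2; netvm[$1] = $3 }
        END {
            for (vm in type) {
                # Templates without a NetVM have no network path at all.
                if (type[vm] != "TemplateVM" || netvm[vm] == "-") continue
                hop = netvm[vm]; seen = 0; steps = 0
                # Walk upstream hop by hop; the step limit guards against
                # a malformed inventory that contains a loop.
                while (hop != "-" && hop != "" && steps++ < 16) {
                    if (hop == gw) { seen = 1; break }
                    hop = netvm[hop]
                }
                if (!seen) print vm " -> " netvm[vm]
            }
        }' | sort
}

# Constructed inventory (not taken from a real system).
sample_inventory() {
    cat <<'EOF'
sys-net NetVM -
sys-firewall ProxyVM sys-net
sys-whonix ProxyVM sys-firewall
fedora-23 TemplateVM sys-firewall
debian-8 TemplateVM sys-whonix
whonix-ws TemplateVM sys-whonix
offline-tpl TemplateVM -
EOF
}

# Even with UpdateVM set to sys-whonix, fedora-23 is reported because its
# own NetVM is still sys-firewall.
sample_inventory | untorified_templates sys-whonix
```
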

andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Mar 23, 2018

Member

andrewdavidwong commented Mar 23, 2018

I've reverted QubesOS/qubes-doc@0366878 for now, since the risk of deanonymization from following these instructions has the potential to be dangerous for some users. Perhaps we could take this opportunity to have the revised content submitted as a PR for further review?

Member

unman commented Mar 23, 2018

@andrewdavidwong I wasn't actually expecting that to hit the site - in the past when I've pushed changes to qubes-doc they haven't automatically been applied. Apologies.

You're quite right, of course for 3.2 Templates, but not, I think, for dom0 - the existing page says that setting UpdateVM to sys-whonix will torify dom0 updates, so I think the addition to that section should be fine.

Member

andrewdavidwong commented Mar 23, 2018

> You're quite right, of course for 3.2 Templates, but not, I think, for dom0 - the existing page says that setting UpdateVM to sys-whonix will torify dom0 updates, so I think the addition to that section should be fine.

I see that portion was added over two years ago in QubesOS/qubes-doc@6b8b0ec. However, given that traffic from sys-whonix itself is usually not Torified, I'd love to get confirmation from @marmarek that it actually works as described.

Member

marmarek commented Mar 23, 2018

> However, given that traffic from sys-whonix itself is usually not Torified, I'd love to get confirmation from @marmarek that it actually works as described.

That was true about old TorVM. Whonix Gateway has appropriate handling to route dom0 updates through Tor (uwt wrapper), when it's set as updatevm.

Member

andrewdavidwong commented Mar 23, 2018

Ok, great! Thanks, @marmarek!

Member

adrelanos commented Mar 23, 2018

Member

andrewdavidwong commented Mar 24, 2018

> However, given that traffic from sys-whonix itself is usually not Torified

> It is, always was and will be. :)

My mistake! I was confusing sys-whonix with TorVM. Thank you for the correction!
