Enable Torified updates by default in installer and remove "experimental" label #2604
Comments
mfc added the C: installer label Jan 27, 2017
marmarek
Jan 27, 2017
Member
Removing "experimental" tag indeed may be a good idea. But I'm strongly against enabling routing all the traffic through tor (this is what that option is about - it isn't only about updates). While it may make some targeted attacks harder, in the majority of use cases it will only greatly degrade user experience.
Do we need an option to download updates (only) over tor? Maybe.
mfc
Jan 27, 2017
Member
> routing all the traffic through tor (this is what that option is about - it isn't only about updates)

I don't think that's an accurate representation of what happens. even if you select this option ("route all traffic through tor [experimental]"), the default qubes that get created and their networking are:
- personal: sys-firewall
- banking: sys-firewall
- anon-whonix: sys-whonix
- vault: none
- untrusted: sys-firewall
What it does do is make the default networkvm for a new qube sys-whonix, which can be modified in the creation screen they are in.
marmarek
Jan 27, 2017
Member
Indeed. Anyway, it isn't only about updates currently. And actually IMO the current situation is buggy, as it is neither "everything" nor "updates only".
mfc
Jan 27, 2017
Member
yes agreed. So I would say:
Default:
- system updates over Tor
- installation of whonix-gateway and whonix-workstation
- Default networking of new qubes: sys-firewall
Option presented to user:
- Enable system updates over the Tor anonymity network using Whonix
andrewdavidwong added the enhancement and privacy labels Jan 27, 2017
andrewdavidwong added this to the Release 4.0 milestone Jan 27, 2017
andrewdavidwong
Jan 27, 2017
Member
> with adequate descriptive text so that users can make an informed decision about whether they want the default or to change it

This is a good candidate for an explanatory tooltip (#2211).

> Option presented to user:
> - Enable system updates over the Tor anonymity network

Perhaps also:
- Install Whonix TemplateVMs.
For some people, using Tor at all is dangerous, illegal, or simply against corporate policy. For such users, there may be no point in installing the Whonix TemplateVMs at all, since they will never be used; doing so may just be a liability.
marmarek
Jan 27, 2017
Member
> Perhaps also:
> - Install Whonix TemplateVMs.
>
> For some people, using Tor at all is dangerous, illegal, or simply against corporate policy. For such users, there may be no point in installing the Whonix TemplateVMs at all, since they will never be used; doing so may just be a liability.

This is already possible in software selection before installation. You can opt-out from installing those templates, and then Whonix-related options in firstboot are inactive.
andrewdavidwong referenced this issue Mar 3, 2017: Enable USBVM in installer by default and remove "experimental" label #2665 (Closed)
andrewdavidwong
Mar 3, 2017
Member
This issue combines two distinct things, so I'm branching the USB qube issue off into a separate ticket: #2665.
andrewdavidwong changed the title from "Remove "experimental" from firstboot configuration screen for usb qube and torifying updates, make them default" to "Enable Torified updates by default in installer and remove "experimental" label" Mar 3, 2017
mfc
Sep 18, 2017
Member
@marmarek with whonix set to be included in 4.0-rc2, are we in a position to implement this as well? From your previous comment it looks like you have the logic of it already figured out.
marmarek
Sep 18, 2017
Member
Yes, I think we can drop "experimental" label. But I'm still not sure about enabling it by default. For most people disadvantages of this (slow updates, timeouts etc) may be greater than advantages (mitigation against targeted attacks).
@rootkovska @andrewdavidwong ?
andrewdavidwong
Sep 19, 2017
Member
> But I'm still not sure about enabling it by default. For most people disadvantages of this (slow updates, timeouts etc) may be greater than advantages (mitigation against targeted attacks).

I think that's a reasonable assessment. If it's enabled by default, there may be a lot of people who don't realize they're using it, and they may attribute the slowness to something else or simply be unhappy with their user experience as a result. I think we should just explain the trade-off to the user (e.g., in an explanatory tooltip).
rootkovska
Sep 19, 2017
Member
Agree, we should not enable Tor updates by default. This option is useful/attractive only to specific groups of Qubes users, not all.
mfc
Sep 19, 2017
Member
I think if the Whonix templates are selected for installation, then torified system updates should be enabled by default.
rootkovska
Sep 20, 2017
Member
> I think if the Whonix templates are selected for installation, then torified system updates should be enabled by default.

I don't agree. Lots of people might want to install Whonix just out of curiosity, or because "maybe I will use sometime in the future". We should not automatically force them into Torified updates.
h01ger
Sep 20, 2017
On Wed, Sep 20, 2017 at 12:55:26AM -0700, Joanna Rutkowska wrote:
> I don't agree. Lots of people might want to install Whonix just out of
> curiosity, or because "maybe I will use sometime in the future". We should
> not automatically force them into Torified updates.

agreed. I want my whonix templates updated via tor, but not others.
--
cheers,
Holger
rootkovska closed this Sep 20, 2017
mfc
Sep 20, 2017
Member
> agreed. I want my whonix templates updated via tor, but not others.

we are talking about system updates, not template updates.
I find folks' positions perplexing, given that using Tor for system updates improves the security position of the user which I would have thought a security-focused OS would want to encourage users to adopt, assuming they are interested in using Tor in the first place.
It also reduces the personal information collected by Qubes servers (and other repo servers) of Qubes users (and the intermediaries who see the HTTP traffic), which I imagine would be a benefit towards reducing how much the user has to trust the Qubes team (and others). This usually is a "theme" of Qubes development practice but I guess not in this case?
But apparently I'm in the minority and not going to belabor this point now.
@marmarek have you changed the wording of the option to be more accurate, as previously discussed in this thread? from: route all traffic through tor [experimental] to: Enable system updates over the Tor anonymity network using Whonix. If so, then we can keep this closed.
andrewdavidwong
Sep 29, 2017
Member
> I find folks' positions perplexing, given that using Tor for system updates improves the security position of the user which I would have thought a security-focused OS would want to encourage users to adopt, assuming they are interested in using Tor in the first place.

Torified updates do improve the security position of the user, but the security benefits may not be great enough to outweigh the costs for most users (slow and failed updates, Tor being illegal or against workplace policy, etc.). For example, one of the primary security benefits of Torified updates is that it prevents attackers from selectively withholding updates from you based on your external IP address. But this security benefit is not on par with the core security benefits Qubes provides, e.g., VM isolation. Whereas there isn't any easy way to get secure VM isolation with full integration on a single desktop without Qubes, there are several easy ways to get around selectively withheld updates (e.g., updating from a different location or simply learning of the updates from somewhere else, like a mailing list or social media). The security benefits provided by Torified updates, while valuable, are not essential to the fundamental security goals of Qubes. It makes sense to get them when they're cost effective, but they may not be cost effective for many users. (By contrast, it would never make sense for Qubes to give up on VM isolation due to cost, since that's the whole point of Qubes. If it's too costly for a given usecase, it just means Qubes isn't appropriate for that usecase, probably because the usecase doesn't require much security.)

> It also reduces the personal information collected by Qubes servers (and other repo servers) of Qubes users (and the intermediaries who see the HTTP traffic), which I imagine would be a benefit towards reducing how much the user has to trust the Qubes team (and others). This usually is a "theme" of Qubes development practice but I guess not in this case?

Collecting less personal information is also desirable in this case, but again, it's not worth the cost for many users. For those users, we would be collecting less information from them by forcing them to have slow or broken updates or jeopardizing other areas of their lives by getting them flagged as Tor users in places where being a Tor user is dangerous. (Again, I'm only talking about users for whom the tradeoff isn't worth it.) The idea is that if this group constitutes a large portion of our userbase, it's probably not worth turning on Torified updates by default. We'd be doing more harm than good.
mfc
Oct 1, 2017
Member
again: if a user is installing whonix templates, it is because they would like to use them. if they have made that decision, then helping them take advantage of that added functionality would seem helpful.
if it is against workplace policy, if they are going to be killed for using it, then they are probably not going to install the whonix templates. yes?
if they are unsure whether or not they want whonix templates and tor functionality, then we can put some language about tor in a tooltip on first boot, as you previously suggested. they can always deselect the option. and they also get additional language about tor via the first start-up of sys-whonix.
Qubes system updates are usually quite small, tor's slight slowness is not really noticed on them. again by informing the user through the initial tooltip, they can make an informed decision.
if a user is not interested in Qubes' integrated tor-based privacy solutions, then they should not select the whonix templates for installation. if they are interested in them, then we should help them set them up properly.
unman
Oct 1, 2017
Member
There are people who will want to use Tor for some qubes, while maintaining an apparently clean image the rest of the time. You shouldn't assume that because they want to use Tor some of the time, they want all their system updates to run through Tor. This may or may not be the case, and your assumption is dangerous.
mfc
Oct 1, 2017
Member
again: we are currently talking about dom0 system updates, not "all their system updates".
if a user wants to use tor "some of the time", then they have clearly made a decision that using tor is not going to kill them, and that tor is actually useful for their desktop experience. your argument that such a default would be "dangerous" makes no logical sense.
as a reminder:
if user installs whonix templates
then suggest to user in firstboot:
- Enable system updates over the Tor anonymity network using Whonix

or perhaps

- Enable Qubes OS updates over the Tor anonymity network using Whonix

if you want to make even more clear this is not affecting non-whonix template updates.
end result networking-wise is:
- dom0 UpdateVM: sys-whonix
- default networking of new qubes: sys-firewall
- default networking of non-whonix templates: sys-firewall
- default networking of whonix templates: sys-whonix
h01ger
Oct 1, 2017
On Sun, Oct 01, 2017 at 09:09:30AM -0700, Michael Carbone wrote:
> again: we are currently talking about dom0 system updates, not "all their system updates".

so what? why should installing $some_templates cause changes how dom0 is
configured? this makes no sense :)

> if a user wants to use tor "*some* of the time", then they have clearly made a
> decision that using tor is not going to kill them,

so far, I'm with you…

> and that tor is actually useful for their desktop experience. your argument
> that such a default would be "dangerous" makes no logical sense.

ok, let me try another analogy: using Tor is like (not) carrying a gun.
(though I can see how this doesn't work for some. ;) I'll try anyway.)
Clearly it's not *always* useful (not) to carry a gun, sometimes you are more
safe when doing so, but sometimes you are more safe when not doing so.
(This very much depends on the situation… I hope we can agree that not
all situations are the same.)
Some people (of the set of people who have whonix installed) prefer (for
whatever reasons) to update dom0 via tor, some not.
The simple fact that whonix is installed doesn't really say anything
about the situation / people's preferences.
Using tor doesn't magically add "security" to your internet connection.
Depending on "how you see it" (and other factors), it might also make
your internet connection less secure. (This is like (not) carrying
guns, which also doesn't make *every* situation more secure.)
Having an easy way to configure whether tor should be used for dom0
updates obviously is great, because sometimes people's preferences
change according to situations.
--
cheers,
Holger
mfc
Oct 1, 2017
Member
> so what? why should installing $some_templates cause changes how dom0 is
> configured? this makes no sense :)

because they could not ask Qubes to torify their system updates if they don't have whonix templates installed? and because installing whonix templates is a signal that the user is interested in integrating tor into their desktop?

> The simple fact that whonix is installed doesn't really say anything
> about the situation / people's preferences.

yes it says that they have determined they are not going to immediately die as soon as they use tor, that having tor on their system is not going to get them fired, etc.

> Some people (of the set of people who have whonix installed) prefer (for
> whatever reasons) to update dom0 via tor, some not.

totally. i am simply trying to push for safer/more-privacy-friendly defaults, since many users will not change them.
unman
Oct 1, 2017
Member
> again: we are currently talking about dom0 system updates, not "all their system updates".

Yes, I understand that, but you should realise that "system updates" are not monolithic. At a minimum there are Fedora updates and Qubes updates, and whether a user updates via Tor or clearnet may change from time to time.

> if a user wants to use tor "some of the time", then they have clearly made a decision that using tor is not going to kill them, and that tor is actually useful for their desktop experience. your argument that such a default would be "dangerous" makes no logical sense.

No, it's this that doesn't make sense. Someone may want/need the protection of Tor at some times, in some circumstances, while accepting that using Tor may be dangerous. Making updates default to using Tor may expose them and open them to risk. Your flippancy on this is misplaced.
One way of mitigating the risk would be to turn off automatic update checks, with the option to enable it offered as another option to the user.
mfc
Oct 2, 2017
Member
hey all, sorry for the exasperated tone previously, thanks for your patience with it.
i think once the GUI salt recipe "app store" exists i will be able to create ways to make it easier for high-risk, less-tech-savvy people to set up Qubes appropriately for their needs.
instead of arguing for a change of the default in this regard, maybe just have a default-not-selected-option in firstboot that does include both template and system updates over Tor:
- Enable system and template updates over the Tor anonymity network using Whonix
that is only possible if the user has chosen to install Whonix templates.
added a commit to marmarek/qubes-mgmt-salt-dom0-virtual-machines that referenced this issue Oct 8, 2017
qubesos-bot
Oct 8, 2017
Automated announcement from builder-github
The package qubes-mgmt-salt-dom0-virtual-machines-4.0.6-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
qubesos-bot added the r4.0-dom0-cur-test label Oct 8, 2017
qubesos-bot referenced this issue in QubesOS/updates-status Oct 8, 2017: mgmt-salt-dom0-virtual-machines v4.0.6 (r4.0) #252 (Closed)
added a commit to marmarek/qubes-installer-qubes-os that referenced this issue Oct 8, 2017
qubesos-bot
Oct 8, 2017
Automated announcement from builder-github
The package pykickstart-2.32-4.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
qubesos-bot added the r4.0-dom0-cur-test label Oct 8, 2017
qubesos-bot referenced this issue in QubesOS/updates-status Oct 8, 2017: installer-qubes-os v25.20.9-7-anaconda (r4.0) #257 (Closed)
qubesos-bot
Oct 17, 2017
Automated announcement from builder-github
The package qubes-mgmt-salt-dom0-virtual-machines-4.0.6-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:
sudo qubes-dom0-update
Or update dom0 via Qubes Manager.
qubesos-bot removed the r4.0-dom0-cur-test label Oct 17, 2017
qubesos-bot added the r4.0-dom0-stable label Oct 17, 2017
DrCMY
May 2, 2018
Hi, what's the official explanation from Qubes staff about the torified updates?
Thank you
marmarek
May 2, 2018
Member
See those three comments: #2604 (comment) #2604 (comment) #2604 (comment)
mfc commented Jan 27, 2017
The level of adoption of torified system updates is painfully low and not increasing in percentage, according to the stats.
This is primarily due to it not being the default. The level of adoption for a USB qube is probably similarly low because it is not the default. This is a real shame because it is one of the main differentiating points for Qubes.
I think these features have been "out" for long enough that we should remove the "experimental" tag from their description in the firstboot screen. In addition, the USB qube and torifying updates should be selected as default, with adequate descriptive text so that users can make an informed decision about whether they want the default or to change it.