'qubes-set-updates disable' does not work if a new VM is created

[marmarek]

Reported by marmarek on 4 Sep 2014 21:28 UTC
https://groups.google.com/d/topic/qubes-users/XRwMnO9mdeU/discussion

I've noticed that even though I have disabled all automatic update checks (through Qubes Manager, and verified disabled with qubes-set-updates status; also, the flag file /var/lib/qubes/updates/disable-updates exists), I am still sometimes notified of available updates. It's rather disconcerting and makes me worried that I do not have full control over my network traffic.

After investigating which VM has the /var/run/qubes-service/qubes-update-check file that enables the qubes-update-check.timer service, I found exactly one: a newly-created (as in, created after I disabled automatic update checks) network-connected VM. I did not dig deeper, but I suspect the service is not being properly disabled upon VM creation as it should be.

That /var/lib/qubes/updates/disable-updates file is only for dom0 updates, there is currently no simple way to check that setting for VMs (other than checking each VM individually, which Qubes Manager does). So apparently default for VMs needs to be stored somewhere.

Migrated-From: https://wiki.qubes-os.org/ticket/892