Operating System Software and Updates

From Kicksecure

This page contains details on updating the Kicksecure operating system, including frozen packages. Most software in Kicksecure is maintained in a frozen state to ensure stability, so updates primarily focus on critical security fixes. The page also covers update indicators, version numbers, release upgrades versus re-installation, and common issues and their solutions.

Updates

Introduction

All packages must stay up-to-date for security purposes.

Special Notices

Currently none.

Frozen Packages

As Kicksecure is based on the stable Debian distribution, software is normally "frozen" to the stable Debian version at the point of each major Debian release. The Debian packages page notes: [1]

This is the latest official release of the Debian distribution. This is stable and well tested software, which changes only if major security or usability fixes are incorporated.

As a distribution, Debian's compilation of software is mostly acquired from "upstream" third parties (the original software vendors). Debian has embraced the principle of software stability which means each major release "freezes" software versions. As a result the stable distribution software is not regularly updated except for critical security fixes. This is called "security support" and only leads to minimal changes across the entire distribution. The intent is to improve stability by reducing the overall number of system changes.

The frozen packages policy means the versions of software installed from Debian package sources will not usually change when a newer release is made available by upstream. [2]

Application Specific Update Indicators

In most cases, notifications shown by specific end user applications such as Electrum about the availability of newer versions can be safely ignored, since Electrum is itself one of the Frozen Packages. No manual user action is required. To receive security advisories should there be a special case that requires manual user action, see Follow Kicksecure Developments.

Application specific update indicators should not be shown to the user and should be disabled by Debian. This is a bug that should not happen; it happens due to the organisational background.

Standard Update vs Release Upgrade

There are two different types of updates.

  1. Standard Update
  2. Release Upgrade

The procedure on this wiki page is for standard ("everyday") updating of Kicksecure and does not perform a Release Upgrade.

It is recommended to first complete a standard update before applying a release upgrade.

Update vs Image Re-Installation

The standard ("everyday") update procedure for Kicksecure is more convenient than a complete re-installation of Kicksecure images because all (VM) settings and user data are persistent. Backups are possible using (VM) clones and/or snapshots.

In contrast, a complete re-installation of Kicksecure images requires Kicksecure to be completely removed and then re-installed, similar to newcomers installing the platform for the first time. This is "cleaner" and is elaborated on the Factory Reset page. Obviously all (VM) settings and data are lost during this procedure. If this is necessary, follow the instructions on that page.

Developers periodically announce a newer Kicksecure Point Release or major release. To stay informed about releases, see: Follow Kicksecure Developments. It is recommended to subscribe to relevant news channels for this purpose.

Standard updates are generally easier, but image re-installation can completely avoid technical issues that might emerge during upgrades.

Standard Update Steps

1. Save Progress and Backup

On rare occasions [3] the machine might freeze during the upgrade process. In this case any work in progress, for example documents or other drafts, might be lost. If applicable, save progress before installing operating system updates. If required, back up all user data; ideally keep a copy of the VM(s) so it is possible to try again if necessary.

2. Flatpak Update

This step is only required if the user previously installed any software manually using flatpak. It can be skipped otherwise.

3. Update the APT Package Lists

System package lists should be updated at least once per day [4] with the latest version information for new/updated packages that are available. To update the Kicksecure package lists, run.

sudo apt update

The output should be similar to this.

Hit:1 tor+https://deb.debian.org/debian bookworm InRelease
Hit:2 tor+https://deb.kicksecure.com bullseye bookworm
Hit:3 tor+https://deb.debian.org/debian bookworm-updates InRelease
Hit:4 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease
Hit:5 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 tor+https://deb.debian.org/debian bookworm-backports InRelease
Reading package lists... Done

If an error message like this appears:

W: Failed to fetch https://ftp.us.debian.org/debian/dist/bookworm/contrib/binary-amd64/Packages 404 Not Found
W: Failed to fetch https://ftp.us.debian.org/debian/dist/bookworm/non-free/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
Err https://ftp.us.debian.org bookworm Release.gpg Could not resolve 'ftp.us.debian.org'
Err https://deb.torproject.org bookworm Release.gpg Could not resolve 'deb.torproject.org'
Err https://security.debian.org bookworm/updates Release.gpg Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch https://security.debian.org/dists/bookworm/updates/Release.gpg Could not resolve 'security.debian.org'
W: Failed to fetch https://ftp.us.debian.org/debian/dists/bookworm/Release.gpg Could not resolve 'ftp.us.debian.org'
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bookworm/Release.gpg Could not resolve 'deb.torproject.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500 Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if the network connection is functional by changing the Tor circuit and trying again. Running systemcheck might also help to diagnose the problem.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

In that case, it helps to run.

nslookup security.debian.org

And then try again.

4. APT Upgrade

To install the newest versions of the current packages installed on the system, run.

sudo apt full-upgrade

Please note that if the Kicksecure APT Repository was disabled (see Disable Kicksecure APT Repository), then manual checks are required for new Kicksecure releases and manual installation from source code.

5. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated! thunderbird Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt update again should fix the problem. If not, something is broken or it might be a man-in-the-middle attack, which is not that unlikely because updates are retrieved via Tor exit relays and some are malicious. Changing the Tor circuit is recommended if this message appears.

6. Signature Verification Warnings

No signature verification warnings should appear. If one does occur, it will look similar to the following.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.
GPG error: https://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
E: Release file for tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/dists/bullseye/InRelease has expired (invalid since 1 d 20 h 41 min 7 s). Updates for this depot are not applied.

Caution is warranted even though APT will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons for this occurrence. Either there is a problem with the repository that is unfixed by contributors or a man-in-the-middle attack has taken place. [5] The latter is not a big issue, since no malicious packages are installed. It may also automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. The documentation at that time read as follows.

For instance, the Tor Project's apt repository key had expired and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.
GPG error: https://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/stable/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue was quickly reported. There was no immediate danger and the message could be safely ignored. As a reminder, never install unsigned packages as explained above.

Please report any other signature verification errors if/when they appear, even though this is fairly rare.
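As an added example (not part of this page and not Kicksecure's own tooling), the following Python script applies the rules from steps 3 to 6 above, and from the Issues section further down, to saved apt output: it sorts each warning or error line into one of the situations this page describes and maps it to the recommended action, so that a non-interactive update run can be checked afterwards instead of eyeballing the scrollback. The rule table, the category names and the exit codes are this example's own choices; the sample output is constructed from messages quoted on this page.

```python
#!/usr/bin/env python3
"""Triage `apt update` / `apt full-upgrade` output against the rules on this page.

Added example, not Kicksecure tooling.
Usage: sudo apt update 2>&1 | python3 apt_triage.py   (exit 2 = abort, 1 = warnings, 0 = clean)
"""
import re
import sys

# (pattern, category, recommended action). Order matters: the first match wins,
# so the "abort" rule for unauthenticated packages comes before the generic
# signature rule, and the generic fetch-failure rule comes last.
RULES = [
    (re.compile(r"cannot be authenticated|without verification"),
     "unauthenticated-package",
     "Abort: answer N, run `sudo apt update` again, change the Tor circuit. Never install unsigned packages."),
    (re.compile(r"KEYEXPIRED|signatures were invalid|signature verification"),
     "signature-verification",
     "APT ignores the repository, so nothing malicious is installed; report it unless already known."),
    (re.compile(r"Hash Sum mismatch"),
     "hash-sum-mismatch",
     "Change the Tor circuit or retry later; if persistent, delete /var/lib/apt/lists/* and update again."),
    (re.compile(r"is not valid yet|has expired"),
     "release-file-time",
     "Retry later; if persistent, compare the Release Date:/Valid-Until: with `date --utc` in VM and host."),
    (re.compile(r"does not have a Release file"),
     "missing-release-file",
     "Server downtime happens; retry later."),
    (re.compile(r"Could not resolve|Unable to connect"),
     "network",
     "Check connectivity (`nslookup <host>`), change the Tor circuit, run systemcheck."),
    (re.compile(r"SOCKS proxy .* could not connect|SSL error: wrong version number"),
     "proxy-or-onion",
     "Onion service or fasttrack unreachable; ignore that repository or temporarily use the clearnet entry."),
    (re.compile(r"Configuration file .* Modified"),
     "conffile-prompt",
     "Answer Y for the distributor version (safest) and re-apply custom settings afterwards."),
    (re.compile(r"Failed to fetch|Some index files failed to download"),
     "fetch-failure",
     "Often a transient exit relay or server failure; look at the other findings for the root cause."),
]


def classify_line(line):
    """Return (category, action) for one output line, or None if it is routine."""
    for pattern, category, action in RULES:
        if pattern.search(line):
            return category, action
    return None


def triage(output):
    """Group matching lines by category: {category: [line, ...]}."""
    findings = {}
    for line in output.splitlines():
        hit = classify_line(line)
        if hit is not None:
            findings.setdefault(hit[0], []).append(line.strip())
    return findings


def must_abort(findings):
    """True when the page says to stop: APT offered to install unauthenticated packages."""
    return "unauthenticated-package" in findings


def actions(findings):
    """Recommended actions in rule order, one per category seen."""
    return [(cat, act) for _, cat, act in RULES if cat in findings]


# Constructed sample, assembled from messages quoted on this page.
SAMPLE_OUTPUT = """\
Hit:1 tor+https://deb.debian.org/debian bookworm InRelease
W: Failed to fetch https://deb.debian.org/debian/dists/stable/main/i18n/Translation-enIndex  Hash Sum mismatch
E: Release file for tor+https://fasttrack.debian.net/debian/dists/bookworm-fasttrack/InRelease is not valid yet (invalid for another 49s). Updates for this repository will not be applied.
WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = triage(text)
    for category, action in actions(found):
        print(f"[{category}] {len(found[category])} line(s): {action}")
    sys.exit(2 if must_abort(found) else (1 if found else 0))
```

Run with no input to see the sample classified; the abort exit code makes the script usable as a gate in a script that wraps the update steps, so that a run which ever reached the "cannot be authenticated" prompt is treated as failed rather than merely noisy.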

7. Changed Configuration Files

Be careful if a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package contributor's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

It is safest to press y, but any customized settings will be lost (these can be re-added afterwards). [6] [7]

Conflicts like these should be rare if modular flexible .d style configuration folders are used.


8. Autoremove. If APT reports packages that can be autoremoved, it is safe to run apt autoremove.

9. Restart Services After Updating

To restart services after updating, either reboot.

sudo reboot

Or use the (harder) needrestart method to avoid rebooting.

Perform this step once. Install needrestart.

sudo apt update
sudo apt install needrestart

Run needrestart.

sudo needrestart

The program will provide advice. Run it again after applying the advice.

sudo needrestart

If nothing else needs to be restarted, it should show.

No services need to be restarted.

This feature might become more usable and automated in the future. (T324)

10. Restart After Kernel Updates

When linux-image-... is upgraded, a reboot is required for the kernel security updates to take effect; until then the old kernel keeps running.
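A quick check for this situation, added here as an example (it is not Kicksecure's tooling and does not replace needrestart): compare the release string of the running kernel with the vmlinuz images installed under /boot. The natural-sort comparison and the helper names are this example's own.

```python
#!/usr/bin/env python3
"""Tell whether the running kernel is older than the newest installed one.

Added example, not Kicksecure tooling. A kernel upgrade only takes effect after
a reboot, so compare `uname -r` with the vmlinuz-<release> files in /boot.
"""
import glob
import os
import re


def version_key(release):
    """Natural-sort key: '6.1.0-18-amd64' splits into digit and non-digit tokens,
    digits compared numerically, so that 18 < 21 (string order would say 21 < 18 is false
    but 9 > 21 is true)."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|\D+", release))


def newest(releases):
    """Newest release string according to version_key."""
    return max(releases, key=version_key)


def reboot_needed(running, installed):
    """True when some installed kernel is newer than the one currently running."""
    return version_key(newest(installed)) > version_key(running)


def installed_kernels(boot_dir="/boot"):
    """Release strings taken from /boot/vmlinuz-<release> file names."""
    return [os.path.basename(p)[len("vmlinuz-"):]
            for p in glob.glob(os.path.join(boot_dir, "vmlinuz-*"))]


if __name__ == "__main__":
    running = os.uname().release
    kernels = installed_kernels() or [running]
    print(f"running {running}, newest installed {newest(kernels)}, "
          f"reboot needed: {reboot_needed(running, kernels)}")
```

Caveat: a rebuilt kernel package that keeps the same release string (same ABI, new build) is invisible to this comparison; needrestart also looks at the full version string of the image, which is why the page recommends it for the general case.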

End-of-life Software

Users should not run software that has reached end-of-life status, because developers will not fix existing defects, bugs or vulnerabilities, posing serious security risks.

An old example is VLC in Debian jessie, which reached end-of-life status in May 2018. In that case, Kicksecure 13 users who did not use a different media player were at risk, because VLC in jessie has unpatched security vulnerabilities. This VLC vulnerability does not apply to the current stable Kicksecure 17 release.

Issues

fasttrack repository issues

If an issue happens such as...

SOCKS proxy socks5h://127.0.0.1:9050 could not connect to fasttrack.debian.net (0.0.0.0:0) due to: general SOCKS server failure (1) [IP: 127.0.0.1 9050]

Or...

Err:4 http://HTTPS///fasttrack.debian.net/debian bookworm-fasttrack InRelease
  500  SSL error: wrong version number [IP: 127.0.0.1 3142]

Or similar.

  • Cause: That’s an issue caused by Debian fasttrack.
  • Workarounds:
    • A) Fasttrack Repository Ignoring Method: Ignore this issue according to instructions below.
    • B) Fasttrack Repository Disabling Method: Temporarily disable Debian fasttrack repository until this gets resolved in Debian. Documented below.
  • Fixed when? Hopefully Debian will notice this without any need for a bug report, since it is happening to all users of Debian fasttrack.
  • forum discussion: https://forums.whonix.org/t/update-issue-fasttrack-repository-issue/15876

Choose either workaround A) or B).

A) Fasttrack Repository Ignoring Method

1. upgrade-nonroot notice

Upgrading upgrade-nonroot will not be possible, but that is no concern, as upgrade-nonroot internally uses APT, which is still functional according to the instructions below.

2. Update the package lists.

sudo apt update

3. Ignore if the fasttrack repository cannot be updated.

This is OK because the package lists for the other repositories will still be updated.

4. Continue upgrading as usual according to the instructions on this wiki page generally.

sudo apt full-upgrade

5. Done.

The workaround has been completed.

B) Fasttrack Repository Disabling Method

1. Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

  • Kicksecure: this box uses sudoedit for better security.
  • Kicksecure for Qubes: when using Kicksecure-Qubes, this needs to be done inside the Template.
  • Others and alternatives: this is just an example; other tools could achieve the same goal. If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian.list

2. Edit the file.

Search the following line (approximately line 28).

Optional: In the editor the feature View -> Line numbers might be helpful.

deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free

Comment it out by adding a hash ("#") in front of it. Should look like the following.

#deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free

3. Save and exit.

4. Remember to re-enable this repository.

Add an appointment to your calendar with a reminder to re-enable it in 1-2 weeks or so.

5. Done.

The process of disabling the Debian fasttrack repository has been completed.

Release File Expired Error

Same as below.

InRelease is not valid yet error

A release file expired error can look like this.

E: Release file for tor+https://fasttrack.debian.net/debian/dists/bookworm-fasttrack/InRelease is not valid yet (invalid for another 49s). Updates for this repository will not be applied.

1. Retry.

If this message is transient, it can be safely ignored. Try again later. There is a good chance that it has been resolved.

2. Platform specific.

  • Non-Qubes: no platform specific step required.
  • Qubes: If using Qubes, try Standard Update Steps instead of Qubes update tool.

3. Attempt to debug the issue.

See the following box.

A) fasttrack in Debian

If it is an issue with the fasttrack repository, the user could try to enable the Debian fasttrack repository in the Qubes Debian template, attempt to reproduce the issue there as per generic bug reproduction, and report the result to the forums.

B) Check the release file.

When this issue is happening, check the following file.

https://fasttrack.debian.net/debian/dists/bookworm-fasttrack/Release

Note the Date: and Valid-Until fields.

Date: Sat, 20 Nov 2021 15:30:10 UTC
Valid-Until: Sat, 27 Nov 2021 15:30:10 UTC

C) Note the VM time.

Inside the VM.

date --utc

D) Note the host time.

On the host operating system (or dom0 when using Qubes).

date --utc

E) Report to developers.

If none of the above steps gave any idea how to fix the issue, please copy the error message and the results of the debugging steps above to the developers. Forum discussion: https://forums.whonix.org/t/whonix-ws-16-fails-to-update-due-to-timing-issue/12739
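Steps B to D above can be combined into one check. The following Python script is an added example (not Kicksecure tooling): it parses the Date: and Valid-Until: fields of a Release file, classifies the file the way APT does (not valid yet, expired, valid), and compares the VM and host clocks so that a clock problem can be told apart from a mirror problem. The sample Release text is constructed from the two fields quoted above; the 10 second future tolerance is APT's default Acquire::Max-FutureTime; the helper names are this example's own.

```python
#!/usr/bin/env python3
"""Check a Release file's validity window against the VM and host clocks.

Added example, not Kicksecure tooling. Release/InRelease files carry RFC 2822
dates in Date: and Valid-Until:, which email.utils can parse directly.
Usage: python3 release_window.py /var/lib/apt/lists/<mirror>_dists_<suite>_InRelease
"""
import sys
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# APT rejects a Release whose Date: is further in the future than this
# (Acquire::Max-FutureTime, 10 seconds by default).
MAX_FUTURE = timedelta(seconds=10)


def _utc(dt):
    """Treat a naive timestamp as UTC so comparisons never mix naive and aware values."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def utc_time(stamp):
    """'YYYY-MM-DD HH:MM:SS' (as printed by `date --utc +'%F %T'`) -> aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_release_window(text):
    """Return (date, valid_until) from a Release file; valid_until is None if absent."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith((" ", "\t")):   # skip continuation lines (hash lists)
            fields[key.strip()] = value.strip()
    date = _utc(parsedate_to_datetime(fields["Date"]))
    valid_until = _utc(parsedate_to_datetime(fields["Valid-Until"])) if "Valid-Until" in fields else None
    return date, valid_until


def release_status(text, now):
    """Classify as APT would: ('not-valid-yet' | 'expired' | 'valid', seconds off)."""
    date, valid_until = parse_release_window(text)
    now = _utc(now)
    if date > now + MAX_FUTURE:
        return "not-valid-yet", int((date - now).total_seconds())
    if valid_until is not None and now > valid_until:
        return "expired", int((now - valid_until).total_seconds())
    return "valid", 0


def clock_skew(vm_now, host_now):
    """Seconds the VM clock is ahead (+) or behind (-) the host clock."""
    return int((_utc(vm_now) - _utc(host_now)).total_seconds())


def diagnose(text, vm_now, host_now):
    """Combine the Release window with both clocks, as steps B to D ask for."""
    status, seconds = release_status(text, vm_now)
    skew = clock_skew(vm_now, host_now)
    if status == "not-valid-yet" and skew < 0:
        hint = "VM clock is behind the host; suspect the VM clock, not the mirror."
    elif status == "expired" and skew > 0:
        hint = "VM clock is ahead of the host; check the VM clock before blaming the mirror."
    elif status != "valid":
        hint = "Clocks agree; the mirror is serving a premature or stale Release. Report it."
    else:
        hint = ""
    return {"status": status, "seconds": seconds, "skew": skew, "hint": hint}


# Constructed sample using the Date:/Valid-Until: pair quoted on this page.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: bookworm-fasttrack
Date: Sat, 20 Nov 2021 15:30:10 UTC
Valid-Until: Sat, 27 Nov 2021 15:30:10 UTC
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RELEASE
    now = datetime.now(timezone.utc)      # pass the host's `date --utc` output to diagnose() for skew
    print(diagnose(text, now, now))
```

With a VM clock of 15:29:21 UTC the sample yields "not-valid-yet" with 49 seconds to go, the exact figure in the error message quoted above; with the VM clock 69 seconds behind the host the hint points at the VM clock rather than at Debian.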

does not have a Release file

E: The repository 'tor+deb.kicksecure.com bookworm Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

1. User expectations.

100% uptime should not be expected. See also server downtime.

2. Retry.

If this message is transient, it can be safely ignored. Try again later. There is a good chance that it has been resolved.

APT Hash Sum Mismatch

A hash sum mismatch can look like this.

W: Failed to fetch https://deb.debian.org/debian/dists/stable/main/i18n/Translation-enIndex  Hash Sum mismatch

This might occur due to Tor and/or network unreliability issues. If this warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below.

  1. Change the Tor circuit and/or try again later.
  2. If the warning message still persists, deleting the package lists should solve it. [8]

To delete the package lists, run:

sudo rm -rf /var/lib/apt/lists/*

To check everything is functional, update the package lists and then upgrade the distribution. It is likely that previous update/upgrade attempts failed due to the mismatch.

sudo apt update && sudo apt full-upgrade

Windows 10, VirtualBox users only: refer to the Hash Sum mismatch? forum thread.

Non-functional Onion Services

Sometimes the Debian or Kicksecure onion servers are non-functional. This could be due to DDOS attacks on the Tor network. [9] As a result, updates cannot be completed automatically and an error message similar to the one below will appear.

user@host:~$ sudo apt update
Hit:1 https://security.debian.org bookworm/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm InRelease
Ign:3 https://ftp.us.debian.org/debian bookworm InRelease
Hit:4 https://deb.kicksecure.com bookworm InRelease
Hit:5 https://ftp.us.debian.org/debian bookworm Release
Err:7 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm/updates InRelease
  SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm InRelease
  SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists... Done
W: Failed to fetch tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/dists/bookworm/updates/InRelease  SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bookworm/InRelease  SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Until the onion service is re-established, complete the following steps in Kicksecure to circumvent the issue. [10] [11]

1. Open Debian sources.list in an editor.

Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

  • Kicksecure: this box uses sudoedit for better security.
  • Kicksecure for Qubes: when using Kicksecure-Qubes, this needs to be done inside the Template.
  • Others and alternatives: this is just an example; other tools could achieve the same goal. If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian.list

2. Comment (#) the .onion address lines and uncomment the clearnet address lines.

The code blocks should look like this; only these entries require editing. [12]

deb tor+https://deb.debian.org/debian bullseye main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt update

4. Optional: Revert and update the package lists.

Consider reverting these changes later on because onion repositories have various security advantages. Afterwards, apply Updates to refresh the package lists.
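Both sources.list edits on this page, disabling the fasttrack entry (workaround B above) and swapping .onion entries for their clearnet counterparts (steps 1 and 2 of this section), are comment/uncomment operations on the same file, and the risk in doing them by hand is silently ending up with a suite that has no enabled mirror at all. The following Python script is an added example (not Kicksecure tooling) that performs both edits on the file text and refuses to produce output when a suite would lose its only mirror. The sample list is constructed in the style of /etc/apt/sources.list.d/debian.list using the onion addresses quoted on this page; it is not a copy of the real file, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Toggle entries in an APT sources list, with a check that no suite is lost.

Added example, not Kicksecure tooling. Reads the file named on the command
line (or the built-in sample), prints the edited text, and exits non-zero
if a suite served only by an onion mirror has no clearnet line to enable.
Write the result back with sudoedit or as root once you have reviewed it.
"""
import re
import sys

# "deb URI SUITE COMPONENT..." with an optional leading '#' marking it disabled.
ENTRY_RX = re.compile(r"^(?P<off>#\s*)?deb\s+(?P<uri>\S+)\s+(?P<suite>\S+)\s+\S.*$")


def parse_entries(text):
    """List of {'line', 'enabled', 'uri', 'suite'} for every deb entry, commented or not."""
    entries = []
    for n, line in enumerate(text.splitlines()):
        m = ENTRY_RX.match(line.strip())
        if m:
            entries.append({"line": n, "enabled": m.group("off") is None,
                            "uri": m.group("uri"), "suite": m.group("suite")})
    return entries


def set_entries(text, predicate, enabled):
    """Comment out (enabled=False) or uncomment (enabled=True) entries matching predicate.

    Returns (new_text, number_of_lines_changed); already-correct lines are left alone,
    so applying the same edit twice is a no-op.
    """
    lines = text.splitlines()
    changed = 0
    for e in parse_entries(text):
        if predicate(e) and e["enabled"] != enabled:
            body = lines[e["line"]].strip().lstrip("#").strip()
            lines[e["line"]] = body if enabled else "#" + body
            changed += 1
    return "\n".join(lines) + "\n", changed


def enabled_suites(text):
    """Suites that currently have at least one enabled entry."""
    return {e["suite"] for e in parse_entries(text) if e["enabled"]}


def disable_fasttrack(text):
    """Workaround B): comment out the fasttrack.debian.net entry."""
    return set_entries(text, lambda e: "fasttrack.debian.net" in e["uri"], False)


def switch_onion_to_clearnet(text):
    """Disable .onion entries and enable the clearnet entry for the same suites.

    Returns (new_text, missing): missing holds suites that had an onion mirror but
    no clearnet line to fall back to. Non-empty means fix the file by hand rather
    than quietly updating from fewer repositories than before.
    """
    onion_suites = {e["suite"] for e in parse_entries(text)
                    if e["enabled"] and ".onion" in e["uri"]}
    text, _ = set_entries(text, lambda e: ".onion" in e["uri"], False)
    text, _ = set_entries(text, lambda e: ".onion" not in e["uri"] and e["suite"] in onion_suites, True)
    return text, onion_suites - enabled_suites(text)


# Constructed sample in the style of /etc/apt/sources.list.d/debian.list.
SAMPLE_DEBIAN_LIST = """\
## Debian via onion service
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
## Debian via clearnet (disabled in this sample)
#deb tor+https://deb.debian.org/debian bookworm main contrib non-free
#deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBIAN_LIST
    new_text, missing = switch_onion_to_clearnet(text)
    if missing:
        sys.exit(f"no clearnet entry for: {', '.join(sorted(missing))}; not writing anything")
    sys.stdout.write(new_text)
```

Reverting later (step 4) is the same operation with the predicates swapped; because the clearnet lines still use the tor+https transport, the temporary state keeps updates inside Tor and only gives up the onion service's end-to-end authentication of the mirror.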

Broken APT

This chapter is dedicated to providing a series of commands that can help in fixing a broken APT system. However, it's important to note that these steps might not resolve all cases of broken APT.

1. Relation to Debian.

Since Kicksecure is based on Debian, the methods to fix broken APT are also applicable to Kicksecure.

2. Interactive vs Non-interactive Commands.

For each troubleshooting step, two types of commands are provided. Choose one. No need to use both.

  • A) Interactive: Commands without the -noninteractive suffix.
  • B) Non-interactive: Commands with the -noninteractive suffix, available in Kicksecure to avoid user prompts.

3. Update the Package Lists.

sudo apt update

4. Resolve Incomplete DPKG Processes.

Since APT uses DPKG internally, ensure to complete any interrupted DPKG processes:

  • sudo dpkg --configure -a
  • sudo dpkg-noninteractive --configure -a

5. Address Interrupted APT Processes.

To continue any interrupted APT processes:

  • sudo apt install -f
  • sudo apt-get-noninteractive install -f

6. Complete the Upgrade.

To finish any upgrade that was interrupted, fixing remaining dependency problems along the way:

  • sudo apt full-upgrade -f
  • sudo apt-get-noninteractive full-upgrade -f

7. Run a DPKG audit.

The following command does not fix anything, but it might return error messages that help to resolve the issue.

  • dpkg --audit
  • If the command outputs nothing, then this is a good sign.
  • If the command outputs something, then you need to address this.

8. Additional Steps for Persistent Issues.

If the issue persists, consult the Self Support First Policy and consider enhancing this documentation.

Advanced

Non-Torified Updates

By Kicksecure default, all updates are torified, which is a security feature.

To optionally update without Tor, apply the following instructions.

Warning: This is for testers only!

1. Platform specific notice:

  • Kicksecure: No special notice.
  • Whonix: These instructions won't work for Whonix (a derivative of Kicksecure).

2. Configure Kicksecure APT sources to use plain TLS.

sudo repository-dist --transport plain-tls

3. Configure Debian APT sources to use plain TLS.

sudo str_replace "tor+https" "https" /etc/apt/sources.list.d/debian.list

4. Notice.

These instructions do not guarantee that Tor is never used; they only change where APT fetches from.

Optional: To avoid ever using Tor, the system Tor package needs to be removed.

Note: Understanding meta packages is required, because removing tor may pull other packages along with it.

sudo apt purge tor

5. Done.

The process of setting up non-torified (clearnet TLS) updates has been completed.


Footnotes

  1. https://www.debian.org/distrib/packages
  2. https://forums.whonix.org/t/keepassxc-2-5-4/9669
  3. https://forums.whonix.org/t/whonix-xfce-for-virtualbox-users-ram-increase-required/8993
  4. In Kicksecure and on the host.
  5. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses: https://github.com/theupdateframework/tuf/blob/develop/docs/SECURITY.md
  6. Or Kicksecure changes can be delayed, inspected, and then backported if the effort is worth it.
  7. Kicksecure uses the package config-package-dev, which assumes ownership of configuration files coming from "other distributions" (mostly Debian, although third party repositories might be added by users). (Kicksecure on config-package-dev)
  8. https://askubuntu.com/questions/41605/trouble-downloading-updates-due-to-hash-sum-mismatch-error
  9. If similar issues occur with Kicksecure onion services then follow the same procedure and modify the derivative.list files.
  10. https://forums.whonix.org/t/errors-updating-september-2018/6028
  11. https://salsa.debian.org/fasttrack-team/support/-/issues/27
