Operating System Software and Updates


Error changed its 'Suite' value from 'testing' to 'stable'

If you see the following error message.

E: Repository 'tor+https://cdn-aws.deb.debian.org/debian-security buster/updates InRelease' changed its 'Suite' value from 'testing' to 'stable'

For a solution, see this forum thread.

End-of-life Software

Users should not run software that has reached end-of-life status, because developers will not fix existing defects, bugs or vulnerabilities, posing serious security risks.

A recent example was VLC in Debian jessie, which reached end-of-life status in May 2018. In that case, Whonix 13 users who did not use a different media player were at risk, because VLC in jessie has unpatched security vulnerabilities. This VLC vulnerability does not apply to the current stable Whonix 15 release.

Installing Additional Software

See Install Software.

Updates

As Whonix ™ is based on the stable Debian distribution, software is normally "frozen" to the stable version of Debian at the point of each major Debian release. As noted on the Debian packages page: [1]

This is the latest official release of the Debian distribution. This is stable and well tested software, which changes only if major security or usability fixes are incorporated.

Debian is a distribution, that is, a compilation of software. Debian acquires most software from third parties, the original vendors of the software, also called "upstream". Debian has a concept of stabilization of software and stable releases. When Debian creates a stable release, it "freezes" software versions. Debian will not update the software in the stable distribution except for the purpose of fixing security issues. In that case, Debian will only make minimal changes to fix security issues. This is also called "security support". The goal of this process is to ensure a stable system where the behavior of the system changes as little as possible.

Therefore, do not expect that versions of installed software from Debian package sources will change whenever a newer release is made available by upstream (the original vendor of the software). [2]

All packages must stay up-to-date for security and anonymity purposes.

Standard Upgrade vs Release Upgrade

This procedure is for standard ("everyday") upgrading of Non-Qubes-Whonix and will not perform a Release Upgrade.

If a message like this appears.

WARNING: Whonix News Result:
✘ Outdated: Installed whonix-gateway-packages-dependencies 3.4.2-1 is outdated!

WARNING: Whonix News Result:
✘ Outdated: Installed whonix-workstation-packages-dependencies 3.4.2-1 is outdated!

Then most likely a Release Upgrade is necessary.

Before applying a release upgrade, it is useful to first complete a standard upgrade as documented below.

Upgrade vs Image Re-Installation

The procedure for standard ("everyday") upgrading of Non-Qubes-Whonix is more convenient than a complete re-installation of Whonix ™ images, since all settings and user data inside the VM persist. Backups are possible using VM clones and/or snapshots.

Complete re-installation of Whonix ™ images means deleting all of Whonix ™ and re-installing Whonix ™ as if you are a first time user of Whonix ™.

In the case of Qubes-Whonix, this means uninstalling Qubes-Whonix and then installing Qubes-Whonix.

In the case of Non-Qubes-Whonix, this means removing any Whonix ™ VMs and installing them again.

From time to time, a newer Whonix ™ Point Release or a newer Whonix ™ major release becomes available. You can learn about such new releases by Following Whonix ™ Developments; subscribing to these is absolutely crucial anyhow.

If both a standard upgrade and an image re-installation are available, which one is better?

While standard upgrades are easier, image re-installation is less likely to suffer from any upgrading issues. This is due to technical issues.

Standard Upgrade Steps

1. Update the Package Lists

At least once a day users should update the system package lists [3] with the latest version information on new and updated packages that are available for download. To update Whonix-Gateway ™ and Whonix-Workstation ™ package lists, run.

sudo apt-get update

The output should look similar to this.

Hit http://security.debian.org buster/updates Release.gpg                                                                                                    
Hit http://security.debian.org buster/updates Release                                                                                                        
Hit http://deb.torproject.org buster Release.gpg                           
Hit http://ftp.us.debian.org buster Release.gpg
Hit http://security.debian.org buster/updates/main amd64 Packages
Hit http://deb.torproject.org buster Release                                             
Hit http://security.debian.org buster/updates/contrib amd64 Packages    
Hit http://ftp.us.debian.org buster Release                           
Hit http://security.debian.org buster/updates/non-free amd64 Packages  
Hit http://deb.torproject.org buster/main amd64 Packages               
Hit http://security.debian.org buster/updates/contrib Translation-en  
Hit http://ftp.us.debian.org buster/main amd64 Packages                
Hit http://security.debian.org buster/updates/main Translation-en                        
Hit http://ftp.us.debian.org buster/contrib amd64 Packages                                
Hit http://security.debian.org buster/updates/non-free Translation-en                    
Hit http://ftp.us.debian.org buster/non-free amd64 Packages                               
Ign http://ftp.us.debian.org buster/contrib Translation-en              
Ign http://ftp.us.debian.org buster/main Translation-en
Ign http://ftp.us.debian.org buster/non-free Translation-en
Ign http://deb.torproject.org buster/main Translation-en_US
Ign http://deb.torproject.org buster/main Translation-en
Reading package lists... Done

If an error message like this appears.

W: Failed to fetch http://ftp.us.debian.org/debian/dist/buster/contrib/binary-amd64/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/buster/non-free/binary-amd64/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org buster Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org buster Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org buster/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/buster/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/buster/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/buster/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if the network connection is functional by changing the Tor circuit and trying again. Running whonixcheck might also help to diagnose the problem.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

In that case, it helps to run.

nslookup security.debian.org

And then try again.

2. Upgrade

To install the newest versions of the current packages installed on the system, run.

sudo apt-get dist-upgrade

Please note that if the Whonix APT Repository was disabled (see Disable Whonix APT Repository), then manual checks are required for new Whonix releases and manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt-get update again should fix the problem. If not, something is broken or it is a man-in-the-middle attack, which is not that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at present. If such a warning occurs, it will look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt-get will automatically ignore repositories with expired keys or signatures, and the user will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that the contributors have yet to fix or the user is the victim of a man-in-the-middle attack. [4] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. The documentation at that point read as follows.

For instance, the Tor Project's apt repository key had expired and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported. There was no immediate danger and it could have safely been ignored. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Please report any other signature verification errors if/when they appear. This outcome is considered unlikely at this time.

5. Changed Configuration Files

If a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package contributor's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful.

Learn how to determine whether the file comes from a package by Whonix ™ or from elsewhere, such as Debian. Whonix ™-specific package names start with one of these prefixes:

  • whonix-...,
  • anon-... or,
  • kicksecure-....

Users can also look at the list of packages by Whonix ™ on Whonix ™ GitHub or Whonix ™ GitLab. A search function is available too. Another option is to use the apt-cache show command. For example, to find out whether the sdwdate package comes from Whonix ™ or elsewhere, run.

apt-cache show sdwdate

The output should show: [5]

Homepage: https://github.com/Whonix/sdwdate

If the package is:

  • not coming from Whonix ™: In this case, the user should press n as previously advised. Otherwise settings affecting anonymity, privacy, and security might be lost. This is the case in the above example, which says "Setting up ifupdown ...". Advanced users who know better can of course manually check the differences and merge them.
  • coming from Whonix ™: In this case, the safest bet is pressing y, but then any customized settings will be lost (these can be re-added afterwards). Such conflicts will hopefully rarely happen if using Whonix ™'s modular flexible .d style configuration folders.
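The decision described above can be scripted. The following is an added example, not part of the Whonix documentation: it reads apt-cache show output on stdin, checks the name prefixes listed above first, and then the Homepage field. The function names and the sample stanzas are constructed for illustration, and the Homepage pattern covers only the GitHub URL form shown on this page.

```shell
#!/bin/sh
# Added example, not Whonix code.
# Usage on a live system:  apt-cache show sdwdate | pkg_origin sdwdate

# pkg_origin NAME: print "whonix" or "other" for the package NAME, given its
# `apt-cache show` output on stdin.
pkg_origin() {
    case $1 in
        whonix-*|anon-*|kicksecure-*) echo whonix; return 0 ;;
    esac
    # No telling prefix (sdwdate, for example): fall back to the Homepage field.
    # Assumption: Whonix packages point at github.com/Whonix, as shown above;
    # extend the pattern if the Homepage field moves elsewhere.
    if grep -Eiq '^Homepage:[[:space:]]*https?://github\.com/Whonix/'; then
        echo whonix
    else
        echo other
    fi
}

# conffile_answer NAME: key suggested by this page at the dpkg prompt.
conffile_answer() {
    case $(pkg_origin "$1") in
        whonix) echo y ;;   # take the packaged file, re-add customizations later
        *)      echo n ;;   # keep the current file so hardened settings survive
    esac
}

# Constructed sample stanzas (shortened; the ifupdown Homepage is a placeholder).
SDWDATE_SHOW='Package: sdwdate
Homepage: https://github.com/Whonix/sdwdate'
IFUPDOWN_SHOW='Package: ifupdown
Homepage: https://example.org/constructed-placeholder'

printf 'sdwdate:  %s\n' "$(printf '%s\n' "$SDWDATE_SHOW" | conffile_answer sdwdate)"
printf 'ifupdown: %s\n' "$(printf '%s\n' "$IFUPDOWN_SHOW" | conffile_answer ifupdown)"
```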


6. Restart Services After Upgrading

To restart services after upgrading, either simply reboot.

sudo reboot

Or to omit rebooting, use the needrestart method (harder), described below.

Do this once. Install needrestart.

sudo apt-get update
sudo apt-get install needrestart

Run needrestart.

sudo needrestart

The program will provide some advice. Run it again after applying the advice.

sudo needrestart

If nothing else has to be restarted, it should show.

No services need to be restarted.

This feature might become more usable and automated in the future. (T324)

7. Restart After Kernel Upgrades

When linux-image-... is upgraded, a reboot is required to benefit from any security updates.

apt-get Hash Sum mismatch

A hash sum mismatch can look like this:

W: Failed to fetch http://deb.debian.org/debian/dists/stable/main/i18n/Translation-enIndex  Hash Sum mismatch

This might happen due to Tor and/or network unreliability issues.

If this warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below. Change your Tor circuit and/or try again later.

If this warning message persists, deleting the package lists should solve it.

To delete the package lists, run:

sudo rm -rf /var/lib/apt/lists/*

To make sure everything works like it should, update your package lists and upgrade your distribution. Chances are that your previous update/upgrade attempts have failed due to the mismatch.

sudo apt-get update && sudo apt-get dist-upgrade

(Source [6])
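
The messages quoted in the Standard Upgrade Steps and in this section call for different responses. The following is an added example, not part of the Whonix documentation: it sorts apt-get output into those cases by the message fragments quoted on this page. The category names, function names and the one-line advice strings are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not Whonix code. Category names are labels chosen here.

# classify_line LINE: print the category of one apt-get output line, or
# return 1 if the line matches none of the messages quoted on this page.
classify_line() {
    case $1 in
        *"cannot be authenticated"*)              echo unauthenticated ;;
        *KEYEXPIRED*|*"signatures were invalid"*) echo signature ;;
        *"changed its 'Suite' value"*)            echo suite-changed ;;
        *"Hash Sum mismatch"*)                    echo hashsum ;;
        *"Could not resolve"*|*"Unable to connect"*|*"Host unreachable"*)
                                                  echo network ;;
        *404*"Not Found"*)                        echo network ;;
        *) return 1 ;;
    esac
}

# triage_apt: stdin is apt-get output; stdout is the distinct categories, sorted.
triage_apt() {
    while IFS= read -r line; do
        classify_line "$line" || true
    done | LC_ALL=C sort -u
}

# advice CATEGORY: the response this page gives for each case, abbreviated.
advice() {
    case $1 in
        unauthenticated) echo "press N, re-run apt-get update, change the Tor circuit" ;;
        signature)       echo "repository is skipped; report it unless already known" ;;
        suite-changed)   echo "see the forum thread referenced for this error" ;;
        hashsum)         echo "retry or change circuit; if persistent, delete the package lists" ;;
        network)         echo "change the Tor circuit, retry, run whonixcheck" ;;
    esac
}

# Sample input assembled from messages quoted on this page (shortened).
SAMPLE_LOG="Hit http://deb.torproject.org buster Release
Err http://security.debian.org buster/updates Release.gpg
  Could not resolve 'security.debian.org'
W: Failed to fetch http://deb.debian.org/debian/dists/stable/main/i18n/Translation-enIndex  Hash Sum mismatch
W: GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681
Reading package lists... Done"

for category in $(printf '%s\n' "$SAMPLE_LOG" | triage_apt); do
    printf '%-16s %s\n' "$category" "$(advice "$category")"
done
```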

Non-functional Onion Services

Sometimes the Debian, Whonix or Qubes onion servers are non-functional, meaning updates cannot be completed automatically. In that case, an error message similar to the following will appear.

user@host:~$ sudo apt-get update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster InRelease
Ign:3 http://ftp.us.debian.org/debian buster InRelease
Hit:4 http://deb.whonix.org buster InRelease
Hit:5 http://ftp.us.debian.org/debian buster Release
Err:7 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to sgvtcaew4bxjd7ln.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to vwakviie2ienjx6t.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists… Done
W: Failed to fetch tor+http://sgvtcaew4bxjd7ln.onion/dists/buster/updates/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to sgvtcaew4bxjd7ln.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://vwakviie2ienjx6t.onion/debian/dists/buster/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to vwakviie2ienjx6t.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

To circumvent this issue until the onion service is re-established, complete the following steps in Whonix-Gateway ™ (whonix-gw-15) and Whonix-Workstation ™ (whonix-ws-15). [7] [8]

1. Open Debian sources.list in an editor.

Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian.list

2. Comment out (#) the lines with the .onion address and uncomment the lines with the clearnet address.

The first two code blocks should look like this. Note: only blocks shown need to be edited.

#deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free
deb tor+https://deb.debian.org/debian-security/ buster/updates main contrib non-free

#deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free
deb tor+https://deb.debian.org/debian buster main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt-get update

4. Revert and update the package lists.

It is recommended to revert these changes later on due to the security advantages of onion repositories. Afterwards, apply Updates to refresh the package lists.
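
Steps 2 and 4 can be done with a filter instead of by hand. The following is an added example, not part of the Whonix documentation: it reads a sources list on stdin and writes the edited list to stdout, so the result can be reviewed before it is saved with sudoedit. It assumes each onion line is directly followed by its clearnet twin, as in the two blocks shown above; the function name and the backports line in the sample are constructed.

```shell
#!/bin/sh
# Added example, not Whonix code.
# switch_sources clearnet|onion < list   (edited list goes to stdout)
# Only an onion "deb" line directly followed by its clearnet twin is flipped.
# Unpaired entries, such as an entry disabled on purpose, are left alone.
switch_sources() {
    case $1 in
        clearnet|onion) ;;
        *) echo "mode must be clearnet or onion" >&2; return 2 ;;
    esac
    awk -v mode="$1" '
        function emit_prev() { if (have) print prev; have = 0 }
        {
            clear_cur = ($0 !~ /\.onion/)
            # Step 2: active onion + commented clearnet -> swap the comment mark.
            if (have && mode == "clearnet" && clear_cur &&
                prev ~ /^deb .*\.onion/ && $0 ~ /^#deb /) {
                print "#" prev; print substr($0, 2); have = 0; next
            }
            # Step 4 (revert): commented onion + active clearnet -> swap back.
            if (have && mode == "onion" && clear_cur &&
                prev ~ /^#deb .*\.onion/ && $0 ~ /^deb /) {
                print substr(prev, 2); print "#" $0; have = 0; next
            }
            emit_prev(); prev = $0; have = 1
        }
        END { emit_prev() }'
}

# Constructed sample in the default state (onion entries active). The last
# line is an unrelated disabled entry that must stay disabled.
SAMPLE_LIST='deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security/ buster/updates main contrib non-free

deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free
#deb tor+https://deb.debian.org/debian buster main contrib non-free

#deb tor+https://deb.debian.org/debian buster-backports main contrib non-free'

# Show the clearnet variant of the sample.
printf '%s\n' "$SAMPLE_LIST" | switch_sources clearnet
```

Running the filter with the mode it is already in leaves the list unchanged, so it is safe to apply twice.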

Updating with Extra Care

See How-to: Install or Update with Utmost Caution.

GUI Applications with Root Rights

Moved to root - Graphical Applications with Root Rights.

Footnotes

  1. https://www.debian.org/distrib/packages
  2. https://forums.whonix.org/t/keepassxc-2-5-4/9669
  3. In Whonix and on the host.
  4. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md - http://www.webcitation.org/6F7Io2ncN.
  5. Will be changed to GitLab.
  6. http://askubuntu.com/questions/41605/trouble-downloading-updates-due-to-hash-sum-mismatch-error
  7. If similar problems are experienced with Whonix or Qubes onion services then the same procedure can be used to modify the whonix.list and qubes-r4.list files, respectively.
  8. http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/errors-updating-september-2018/6028



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
