mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-31 10:16:14 -05:00
209 lines
7.9 KiB
ReStructuredText
209 lines
7.9 KiB
ReStructuredText
|
==========================
|
|||
|
Updating Debian and Whonix
|
|||
|
==========================
|
|||
|
|
|||
|
|
|||
|
Despite Qubes shipping with :doc:`Debian Templates </user/templates/debian/debian>`, most of Qubes core components run
|
|||
|
on Fedora and thus our documentation has better coverage for Fedora.
|
|||
|
However, Qubes has been working closely with the
|
|||
|
`Whonix <https://whonix.org>`__ project which is based on Debian.
|
|||
|
|
|||
|
This troubleshooting guide is collection of tips about updating Whonix
|
|||
|
that also pertain to updating the normal Debian package manager. If you
|
|||
|
plan to use Debian heavily, **we highly recommend you install the Whonix templates and use them to update your normal Debian template.**
|
|||
|
|
|||
|
*Note: some of the links on this page go to documentation on Whonix’s website*
|
|||
|
|
|||
|
Updating Error Messages
|
|||
|
-----------------------
|
|||
|
|
|||
|
|
|||
|
After running the commands to update Debian or Whonix, hopefully
|
|||
|
everything will complete perfectly.
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
sudo apt-get update && sudo apt-get dist-upgrade
|
|||
|
|
|||
|
|
|||
|
|
|||
|
However, if you see something like the following, then something went
|
|||
|
wrong.
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
|
|||
|
|
|||
|
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found
|
|||
|
|
|||
|
E: Some index files failed to download. They have been ignored, or old ones used instead.
|
|||
|
|
|||
|
Err http://ftp.us.debian.org jessie Release.gpg
|
|||
|
Could not resolve 'ftp.us.debian.org'
|
|||
|
Err http://deb.torproject.org jessie Release.gpg
|
|||
|
Could not resolve 'deb.torproject.org'
|
|||
|
Err http://security.debian.org jessie/updates Release.gpg
|
|||
|
Could not resolve 'security.debian.org'
|
|||
|
Reading package lists... Done
|
|||
|
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve 'security.debian.org'
|
|||
|
|
|||
|
W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve 'ftp.us.debian.org'
|
|||
|
|
|||
|
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve 'deb.torproject.org'
|
|||
|
|
|||
|
W: Some index files failed to download. They have been ignored, or old ones used instead.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
This could be a temporary Tor exit relay or server failure that should
|
|||
|
fix itself. Here are some simple things to try:
|
|||
|
|
|||
|
- Check if your network connection is functional
|
|||
|
|
|||
|
- Try to `change your Tor circuit <https://www.whonix.org/wiki/Arm>`__,
|
|||
|
then try again
|
|||
|
|
|||
|
- Running `whonixcheck <https://www.whonix.org/wiki/Whonixcheck>`__
|
|||
|
might also help diagnose the problem
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Sometimes if you see a message such as:
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
Could not resolve 'security.debian.org'
|
|||
|
|
|||
|
|
|||
|
|
|||
|
It helps to run the following command:
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
nslookup security.debian.org
|
|||
|
|
|||
|
|
|||
|
|
|||
|
And then trying running the ``update`` and ``upgrade`` commands again.
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
sudo apt-get update && sudo apt-get dist-upgrade
|
|||
|
|
|||
|
|
|||
|
|
|||
|
*Please note: if you* `disabled the Whonix APT Repository <https://www.whonix.org/wiki/Whonix-APT-Repository#Disable_Whonix_APT_Repository>`__
|
|||
|
*you’ll have to manually check for new Whonix releases and* `manually install them from source code <https://www.whonix.org/wiki/Dev/Build_Documentation>`__ *.*
|
|||
|
|
|||
|
Never Install Unsigned Packages
|
|||
|
-------------------------------
|
|||
|
|
|||
|
|
|||
|
If you see something like this:
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
WARNING: The following packages cannot be authenticated!
|
|||
|
icedove
|
|||
|
Install these packages without verification [y/N]?
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Don’t proceed! Press ``N`` and ``<enter>``. Running ``apt-get update``
|
|||
|
again should fix it. If not, something is broken or it’s a `Man in the middle attack <https://www.whonix.org/wiki/Warning#Man-in-the-middle_attacks>`__,
|
|||
|
which isn’t that unlikely, since we are updating over Tor exit relays
|
|||
|
and some of them are malicious. Try to `change your Tor circuit <https://www.whonix.org/wiki/Arm#Arm>`__.
|
|||
|
|
|||
|
Signature Verification Warnings
|
|||
|
-------------------------------
|
|||
|
|
|||
|
|
|||
|
There should be none at the moment. If there was such a warning, it
|
|||
|
would look like this:
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Even though, ``apt-get`` will automatically ignore repositories with
|
|||
|
expired keys or signatures, you will not receive upgrades from that
|
|||
|
repository. Unless the issue is already known/documented, it should be
|
|||
|
reported so it can be further investigated.
|
|||
|
|
|||
|
There are two possible reasons why this could happen, either there is an
|
|||
|
issue with the repository that the maintainers have to fix, or you are
|
|||
|
victim of a
|
|||
|
`Man-in-the-middle_attacks <https://www.whonix.org/wiki/Warning#Man-in-the-middle_attacks>`__.
|
|||
|
The latter would not be a big issue and might go away after a while
|
|||
|
automatically or try to `change your Tor circuit <https://www.whonix.org/wiki/Arm#Arm>`__
|
|||
|
|
|||
|
In past various apt repositories were signed with expired key. If you
|
|||
|
want to see how the documentation looked at that point, please click on
|
|||
|
expand on the right.
|
|||
|
|
|||
|
`The Tor Project’s apt repository key was expired <https://trac.torproject.org/projects/tor/ticket/12994>`__. You
|
|||
|
saw the following warning.
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
|
|||
|
|
|||
|
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release
|
|||
|
W: Some index files failed to download. They have been ignored, or old ones used instead.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
It had already been
|
|||
|
`reported <https://trac.torproject.org/projects/tor/ticket/12994>`__.
|
|||
|
There was no immediate danger. You could have just ignored it. Just make
|
|||
|
sure, you never install unsigned packages as explained above.
|
|||
|
|
|||
|
If you were to see other signature verification errors, those should be
|
|||
|
reported, but it shouldn’t happen at this time.
|
|||
|
|
|||
|
Changed Configuration Files
|
|||
|
---------------------------
|
|||
|
|
|||
|
|
|||
|
If you see something like the following.
|
|||
|
|
|||
|
.. code:: bash
|
|||
|
|
|||
|
Setting up ifupdown ...
|
|||
|
Configuration file /etc/network/interfaces
|
|||
|
==> Modified (by you or by a script) since installation.
|
|||
|
==> Package distributor has shipped an updated version.
|
|||
|
What would you like to do about it ? Your options are:
|
|||
|
Y or I : install the package maintainer's version
|
|||
|
N or O : keep your currently-installed version
|
|||
|
D : show the differences between the versions
|
|||
|
Z : background this process to examine the situation
|
|||
|
The default action is to keep your current version.
|
|||
|
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Be careful. If the updated file isn’t coming from Whonix specific
|
|||
|
package (some are called ``whonix-...``), then press ``n``. Otherwise
|
|||
|
anonymity/privacy/security settings deployed with Whonix might get lost.
|
|||
|
If you are an advanced user and know better, you can of course manually
|
|||
|
check the difference and merge them.
|
|||
|
|
|||
|
How could you find out if the file is coming from a Whonix specific
|
|||
|
package or not?
|
|||
|
|
|||
|
- Whonix specific packages are sometimes called ``whonix-...``. In the
|
|||
|
example above it’s saying ``Setting up ifupdown ...``, so the file
|
|||
|
isn’t coming from a Whonix specific package. In this case, you should
|
|||
|
press ``n`` as advised in the paragraph above.
|
|||
|
|
|||
|
- If the package name does include ``whonix-...``, it’s a Whonix
|
|||
|
specific package. In that case, your safest bet should be pressing
|
|||
|
``y``, but then you would lose your customized settings. You can
|
|||
|
re-add them afterwards. Such conflicts will hopefully rarely happen,
|
|||
|
if you use `Whonix modular flexible .d style configuration folders <https://www.whonix.org/wiki/Whonix_Configuration_Files>`__.
|
|||
|
|
|||
|
|