Add warnings and mitigation for QubesOS/qubes-issues#6585

See the discussion on QubesOS/qubes-posts#79.
Andrew David Wong 2022-02-19 15:17:13 -08:00
parent 31007f3c4c
commit a4aea3e981
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17

@ -36,7 +36,10 @@ Fully updating your Qubes OS system means updating:
- [templates](/doc/glossary/#template)
- [standalones](/doc/glossary/#standalone) (if you have any)
You can accomplish this using the **Qubes Update** tool.
You can accomplish this using the **Qubes Update** tool. (**Warning:** This
tool is currently affected by bug
[#6585](https://github.com/QubesOS/qubes-issues/issues/6585). See below for a
mitigation.)
[![Qubes Update](/attachment/doc/r4.0-software-update.png)](/attachment/doc/r4.0-software-update.png)
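Review bot: The parenthetical added after "You can accomplish this using the **Qubes Update** tool." names bug #6585 but never says what goes wrong, and "See below for a mitigation" has no link target. A reader who stops at this sentence cannot tell whether the tool should be avoided or only supplemented. Suggest adding one clause that states the effect of the bug and turning "See below" into an in-page link to the paragraph that begins "As a temporary mitigation until".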
@ -55,15 +58,41 @@ desired items from the list and clicking "Next."
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Updating with direct commands such as
<b>Warning:</b> Updating <em>exclusively</em> with direct commands such as
<code>qubes-dom0-update</code>, <code>dnf update</code>, and <code>apt
update</code> is <b>not</b> recommended, since these bypass built-in Qubes OS
update security measures. Instead, we strongly recommend using the <b>Qubes
Update</b> tool or its command-line equivalents, as described below. (By
update security measures. Instead, we strongly recommend <em>first</em> using
the <b>Qubes Update</b> tool or its command-line equivalents, as described
below, <em>then</em> using the direct commands for confirmation (see <a
href="https://github.com/QubesOS/qubes-issues/issues/6585">#6585</a> and <a
href="https://github.com/QubesOS/qubes-posts/pull/79">PR #79</a>). (By
contrast, <a href="/doc/how-to-install-software/">installing</a> packages
using direct package manager commands is fine.)
</div>
As a temporary mitigation until
[#6585](https://github.com/QubesOS/qubes-issues/issues/6585) is fixed, the
following update sequence is recommended (see
[PR #79](https://github.com/QubesOS/qubes-posts/pull/79)
for explanation and discussion):
1. Update dom0 with Salt.
2. Update dom0 by direct command.
3. Update templates and standalones with Salt.
4. Update templates and standalones by direct commands.
Example using only the command line (all commands with `sudo` or as root):
1. In dom0: `qubesctl --show-output state.sls update.qubes-dom0`
2. In dom0: `qubes-dom0-update --clean -y`
3. In dom0: `qubesctl --show-output --skip-dom0 --templates state.sls
update.qubes-vm`
4. In dom0: `qubesctl --show-output --skip-dom0 --standalones state.sls
update.qubes-vm`
5. In every Fedora template and standalone: `dnf -y --refresh upgrade`
6. In every Debian template and standalone: `apt-get clean && apt-get -y update
&& apt-get -y dist-upgrade && apt-get clean`
### Qubes 4.0
Advanced users may wish to perform updates via the command-line interface. The
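Review bot: The four-step sequence and the command-line example under it are numbered independently, so the step numbers do not line up: the example has six items, with items 3 and 4 both implementing step 3 ("Update templates and standalones with Salt") and items 5 and 6 both implementing step 4. Suggest labelling each command with the step it belongs to, or sub-numbering the example (3a/3b, 4a/4b), so that a reference to "step 3" is unambiguous. Separately, the danger alert in this hunk still states that direct commands "bypass built-in Qubes OS update security measures" while the new text tells users to run them with `-y` "for confirmation". A sentence here explaining why running them after the Salt step is acceptable, rather than only pointing to PR #79, would stop the alert from reading as self-contradictory. It is also worth noting in the example that `-y` installs whatever the Salt step missed without prompting, so the user gets no visible signal that the first pass was incomplete.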