qubes-doc/user/troubleshooting/debian-and-whonix-update-troubleshooting.rst

==========================
Updating Debian and Whonix
==========================


Despite Qubes shipping with :doc:`Debian Templates </user/templates/debian/debian>`, most of Qubes core components run
on Fedora and thus our documentation has better coverage for Fedora.
However, Qubes has been working closely with the
`Whonix <https://whonix.org>`__ project which is based on Debian.

This troubleshooting guide is collection of tips about updating Whonix
that also pertain to updating the normal Debian package manager. If you
plan to use Debian heavily, **we highly recommend you install the Whonix templates and use them to update your normal Debian template.**

*Note: some of the links on this page go to documentation on Whonix’s website*

Updating Error Messages
-----------------------


After running the commands to update Debian or Whonix, hopefully
everything will complete perfectly.

.. code:: bash

      sudo apt-get update && sudo apt-get dist-upgrade



However, if you see something like the following, then something went
wrong.

.. code:: bash

      W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
      
      W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found
      
      E: Some index files failed to download. They have been ignored, or old ones used instead.
      
      Err http://ftp.us.debian.org jessie Release.gpg
        Could not resolve 'ftp.us.debian.org'
      Err http://deb.torproject.org jessie Release.gpg
        Could not resolve 'deb.torproject.org'
      Err http://security.debian.org jessie/updates Release.gpg
        Could not resolve 'security.debian.org'
      Reading package lists... Done
      W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg  Could not resolve 'security.debian.org'
      
      W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg  Could not resolve 'ftp.us.debian.org'
      
      W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg  Could not resolve 'deb.torproject.org'
      
      W: Some index files failed to download. They have been ignored, or old ones used instead.



This could be a temporary Tor exit relay or server failure that should
fix itself. Here are some simple things to try:

- Check if your network connection is functional

- Try to `change your Tor circuit <https://www.whonix.org/wiki/Arm>`__,
  then try again

- Running `whonixcheck <https://www.whonix.org/wiki/Whonixcheck>`__
  might also help diagnose the problem



Sometimes if you see a message such as:

.. code:: bash

      Could not resolve 'security.debian.org'



It helps to run the following command:

.. code:: bash

      nslookup security.debian.org



And then trying running the ``update`` and ``upgrade`` commands again.

.. code:: bash

      sudo apt-get update && sudo apt-get dist-upgrade



*Please note: if you* `disabled the Whonix APT Repository <https://www.whonix.org/wiki/Whonix-APT-Repository#Disable_Whonix_APT_Repository>`__
*you’ll have to manually check for new Whonix releases and* `manually install them from source code <https://www.whonix.org/wiki/Dev/Build_Documentation>`__ *.*

Never Install Unsigned Packages
-------------------------------


If you see something like this:

.. code:: bash

      WARNING: The following packages cannot be authenticated!
        icedove
      Install these packages without verification [y/N]?



Don’t proceed! Press ``N`` and ``<enter>``. Running ``apt-get update``
again should fix it. If not, something is broken or it’s a `Man in the middle attack <https://www.whonix.org/wiki/Warning#Man-in-the-middle_attacks>`__,
which isn’t that unlikely, since we are updating over Tor exit relays
and some of them are malicious. Try to `change your Tor circuit <https://www.whonix.org/wiki/Arm#Arm>`__.

Signature Verification Warnings
-------------------------------


There should be none at the moment. If there was such a warning, it
would look like this:

.. code:: bash

      W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681



Even though, ``apt-get`` will automatically ignore repositories with
expired keys or signatures, you will not receive upgrades from that
repository. Unless the issue is already known/documented, it should be
reported so it can be further investigated.

There are two possible reasons why this could happen, either there is an
issue with the repository that the maintainers have to fix, or you are
victim of a
`Man-in-the-middle_attacks <https://www.whonix.org/wiki/Warning#Man-in-the-middle_attacks>`__.
The latter would not be a big issue and might go away after a while
automatically or try to `change your Tor circuit <https://www.whonix.org/wiki/Arm#Arm>`__

In past various apt repositories were signed with expired key. If you
want to see how the documentation looked at that point, please click on
expand on the right.

`The Tor Project’s apt repository key was expired <https://trac.torproject.org/projects/tor/ticket/12994>`__. You
saw the following warning.

.. code:: bash

      W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
      
      W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release
      W: Some index files failed to download. They have been ignored, or old ones used instead.



It had already been
`reported <https://trac.torproject.org/projects/tor/ticket/12994>`__.
There was no immediate danger. You could have just ignored it. Just make
sure, you never install unsigned packages as explained above.

If you were to see other signature verification errors, those should be
reported, but it shouldn’t happen at this time.

Changed Configuration Files
---------------------------


If you see something like the following.

.. code:: bash

      Setting up ifupdown ...
      Configuration file /etc/network/interfaces
       ==> Modified (by you or by a script) since installation.
       ==> Package distributor has shipped an updated version.
         What would you like to do about it ?  Your options are:
          Y or I  : install the package maintainer's version
          N or O  : keep your currently-installed version
            D     : show the differences between the versions
            Z     : background this process to examine the situation
       The default action is to keep your current version.
      *** interfaces (Y/I/N/O/D/Z) [default=N] ? N



Be careful. If the updated file isn’t coming from Whonix specific
package (some are called ``whonix-...``), then press ``n``. Otherwise
anonymity/privacy/security settings deployed with Whonix might get lost.
If you are an advanced user and know better, you can of course manually
check the difference and merge them.

How could you find out if the file is coming from a Whonix specific
package or not?

- Whonix specific packages are sometimes called ``whonix-...``. In the
  example above it’s saying ``Setting up ifupdown ...``, so the file
  isn’t coming from a Whonix specific package. In this case, you should
  press ``n`` as advised in the paragraph above.

- If the package name does include ``whonix-...``, it’s a Whonix
  specific package. In that case, your safest bet should be pressing
  ``y``, but then you would lose your customized settings. You can
  re-add them afterwards. Such conflicts will hopefully rarely happen,
  if you use `Whonix modular flexible .d style configuration folders <https://www.whonix.org/wiki/Whonix_Configuration_Files>`__.