{{Header}}
{{#seo:
|description=Why does {{project_name_long}} (not) use Automatic Updates? Why does {{project_name_long}} (not) use a GUI Update Notifier or GUI Updater?
}}
{{intro|
Why does {{project_name_short}} (not) use Automatic Updates? Why does {{project_name_short}} (not) use a GUI Update Notifier or GUI Updater?
}}
= Introduction =
== APT upstream bugs ==
{{Anchor|Bugs}}
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735 apt: Provide meaningful exit codes for gpg failures]
* (Fixed issues.
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776152 provide meaningful exit codes for network failures]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778357 audit 'apt update' exit codes]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696335 exit-code 0 when apt update fails]
* https://wiki.debian.org/Teams/Apt/Specs/UpdateExitStatus
)
== Security Issues when using apt-get update in Scripts ==
Scripts need to use apt-get with --error-on=any
. Otherwise network errors do not result in a non-zero exit code. APT sources that failed would not be noticed. Security updates might be missing.
= Simplified Assisted Updates =
== One click upgrade button for Debian packages ==
This is a very difficult problem. [[Unspecific|Unspecific to {{project_name_short}}]]. Applies to any APT based distribution.
Automation is very difficult due to issues introduced at a higher level (Debian).
APT is not good at conflict resolution with config files (the user may have installed arbitrary packages, changed their configs and then upstream may have updated the config file. dpkg will ask if the user wants to take the new or the old config file. I.e. APT is showing an [[Configuration_Files#dpkg_interactive_conflict_resolution_dialog|dpkg interactive conflict resolution dialog]]. See also [[Configuration_Files|Configuration Files]].
Also other things can go wrong, such as problems with gpg verification, package lists, which are no longer {{Code2|valid-until}}
https://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
, general brokenness due to aborts during last action and so forth. Others dedicated projects have failed at simplification of APT, such as synaptic, apperBugs such as apper recommends restarting while APT (command line) is still working., packagekit and software center. All failed at implementing this for everyone in all cases. When separate projects failed as a higher level (Linux distributions aren't user friendly themselves in the first place), there is nothing that be could fixed in {{project_name_short}} at a lower level.
See also these related [[#APT upstream bugs]], which would make it harder to implement a script automating this. See also this [https://phabricator.whonix.org/T135 issue with packages that lack full security support, even though those are in Debian stable repository].
See also [[Operating System Software and Updates]] for yet more complexity that needs to be covered, that we're currently only documenting (unsigned packages, restart required).
See the following ticket, where it has been discussed at length, why an automated, one or zero click update utility cannot be securely and easily implemented by "just writing some utility".
[https://phabricator.whonix.org/T373#5867 It's a huge task of the size of a separate project.] (Not {{project_name_short}} specific, even though discussed at {{project_name_short}} tracker...!)
At [[Release Upgrade]]s APT autoremove
is required.
Err:4 http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack InRelease 500 SSL error: wrong version number [IP: 127.0.0.1 3142]https://forums.whonix.org/t/update-issue-fasttrack-500-ssl-error-wrong-version-number/15876 = Automatic Updates = == Unattended upgrades in background for Debian packages == Reasons for Automatic Updates: * Better usability. Reasons against Automatic Updates: * Apparently mysterious to those who don't know that automatic updates are enabled by default; would result in questions such as this: Broken link:
Automatic updates are dangerous. All updates are dangerous. They are remote root backdoors (with some restrictions and checks of course). The problem is, if "something" goes wrong it will automatically propagate accross all users in a very short amount of time. On the other hand, if you update manually a day later or so, it's likely that somone else has noticed the problem and notified Canonical and you stay save. Lots of things can "go wrong": a dev system, a build system, the key or the crypto system could become compromised. It has happened several times, openssl issue, Fedora/RedHat, kernel.org, Flame malware. Not all of them would be mitigated by using manual updates (only donwloading the patches, reviewing them and manually applying them would. Sadly for that to be usable the TCB is too complex and large, it just wouldn't scale. Software updates are messy but right now a necessary evil. I feel more comfortable not letting them run in the background without any verbose output. The one day more or not will not impact security. With Linux distros it already takes time anyway between upstream fix and downstream release. Further, if it's a 0day you already lost that one (and have to rely on the additional security that aos provides). A single security issue should never impact security in a fatal way. It still does in aos 0.* but I hope that can be changed. i.e. we need to migrate away from using the same OS for t-w and t-g. This includes the kernel and I'm not really sure what alternatives there are. Essentially there's only *BSD. See new ticket...* Locked APT database usability issue: When the APT is already fetching or installing upgrades in background and the user starts it manually the user will see the following error message. This is happening in Qubes Debian and [[Qubes|{{q_project_name_long}}]] templates.APT would need to give better feedback to the user or abort the background process and start the foreground process.
sudo apt update Reading package lists... Done E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable) E: Unable to lock directory /var/lib/apt/lists/* Anonymity specific: If the user is using Debian a host operating system or connecting to the same mirror, "Connect to a Server Anonymously and Non-anonymously at the Same Time" applies. (Since using stream isolation, in worst case, as far as I can see, the server only knows what packages you wanted to download, if that happens.) Needs Research: * What happens when a stale mirror is detected? Will the user be informed? * Stale mirror attack not of concern, since exit relays change anyway? * Are times when "apt update" is run randomized to prevent a clear network fingerprint? If not, this needs a custom implementation/diverting some scripts. * Are times when "apt full-upgrade" is run randomized to prevent a clear network fingerprint? If not, this needs a custom implementation/diverting some scripts. * What are the reasons why distributions such as Debian/Ubuntu/Qubes OS are not using automatic updates by default? Non-issues: * The Tor Project did not ask us, not to download updates over Tor, see: [[Dev/Tor#Why_Waste_Network_Bandwidth_by_Downloading_Operating_System_Updates_over_Tor.3F|You should not waste the Tor network's bandwidth by downloading operating system updates over Tor!]] Forum discussion: * in old forum https://web.archive.org/web/20211231041032/https://sourceforge.net/p/whonix/discussion/general/thread/2753b89c/ == Auto Upgrading Tor Browser == [[Tor_Browser#Update_Tor_Browser|Update Tor Browser]] = Update Notifier / GUI Updater = == Rejects ideas == === apper (kde) package === Apper is user friendly since there is only one big update button and does also honor proxy settings in ''/etc/apt/apt.conf'' which are required for Tor stream isolation. Automatic update check has been disabled in ''/etc/apt/apt.conf.d/10periodic'' because the execution time would be too predictable. systemcheck runs at startup (non-predictable) and every day at a random time. Apper / Synaptic was removed in {{project_name_short}} 8, see: https://web.archive.org/web/20201214130721/https://github.com/Whonix/Whonix/issues/104 Too many bugs, too confusing. * broken link:
cp /etc/xdg/autostart/update-notifier.desktop /etc/xdg/autostart/update.desktopAnd remove shownotin kde from /etc/xdg/autostart/update.desktop. === update-notifier-kde package === Is confusing. It shows how many updates are available, but it has only one button "later". = Conclusion = As long there are no tools which can handle always all cases for all users, it is the best of the worse choices to teach users how to update using the CLI tools. Those always work reliably. = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Design]] [[Category:Development]]