On Sat, Dec 15, 2018 at 06:12:04PM -0800, John Smiley wrote: > On Saturday, December 15, 2018 at 4:47:19 PM UTC-8, unman wrote: > > On Sat, Dec 15, 2018 at 03:19:15PM -0800, John Smiley wrote: > > > On Saturday, December 15, 2018 at 3:02:13 PM UTC-8, 22...@tutamail.com > > > wrote: > > > > Some typos corrected and clarification added: > > > > > > > > > > > > John, > > > > I'll take a shot at helping but would defer to Unman who has helped me > > > > out a lot, both directly and indirectly on this forum. > > > > > > > > Some notes: > > > > Been using 3.2 and 4.0 only...haven't tried 4.0.1 > > > > Not an expert but have having been using Qubes as my primary for over a > > > > year. > > > > > > > > I loaded 4.0, however during the setup I did not add the default whonix > > > > template(v13 I think) to my system as the default whonix needs to be > > > > removed in order to upgrade to whonix-14. This option is chosen when > > > > loading Qubes for the first time. > > > > > > > > I immediately update Dom0 using a VPN connection thru my network > > > > > > > > After installing Qubes 4.0, I immediately install the whonix-14 > > > > template following these instructions: > > > > https://www.whonix.org/wiki/Qubes/Install > > > > > > > > All updates going forward are done thru sys-whonix-14-GW......... > > > > > > > > When you say upgrading Firefox are you just updating Firefox or the > > > > whole template...I don't just upgrade Firefox, I update the whole > > > > template i.e. I update the Debian template and the Fedora template and > > > > this updates Firefox in the template and the appvm's associated with > > > > the templates. Make sure you are aware of the template/appvm > > > > relationship...you don't update the appvm(e.g. sys-whonix), you update > > > > the template(whonix-gw) which is the source for the appvm(sys-whonix). > > > > > > > > Other best practices I follow: > > > > *Fresh templates seems to be the advice(vs upgrading) > > > > *Whonix-gw template is a key template to update as all my updates are > > > > done thru this template/appvms > > > > * Get a VPN appvm setup as a priority > > > > * Clone your templates and experiment on the clones, this way you can > > > > resort back to your clean template WHEN you F%$# it up (Not IF...you > > > > will at some point mess one up) > > > > > > > > Good luck, hope this helps... > > > > > > Thank you @tutamail. This is more like what I was looking for. I've > > > tried most of what you recommend, but not everything. I'll re-install > > > 4.0 and give your suggestions a try. > > > > > > I appreciate the other replies as well. Sorry if I wasn't clear. I only > > > tried 4.0.1-rc1 out of desperation. What I want is the latest production > > > 4.0 platform. Most operating systems have a simple process by which you > > > are informed of packages that are out of date and are offered an > > > opportunity to upgrade them to the most recent version supported by the > > > distributor. It would be great if Qubes had something like that. > > > Perhaps someday it will. In the meantime, there ought to be a document > > > that clearly explains how to go from a fresh install to the most recent > > > Qubes-supported version of every package installed in each template and > > > dom0. It would be even nicer if there were a nightly/weekly build of the > > > same packages used in a fresh install, but all updated to the latest > > > supported version so that we could simply download and install that and > > > know that we have all of the most recent patches and upgrades. > > > > > > > Qubes already has a simple process to show you when updates are > > available , and enables you to update them. If you open the Qube manager > > you will see an indicator of when updates are available, and can R-click > > to select "update qube". > > I've noticed and tried the update notices in QM. I wasn't sure if that was > the same as using the shortcuts and/or os package manager. I've tried both > and had issues with both. > > > If you don't use the Qube manager, then you can just run "sudo > > qubes-dom0-update" periodically to check for and install updates in > > dom0, and 'apt update' as you will. > > I generally do include qubes-dom0-update as either the first step after a > fresh install or right after installing fedora-28. Oddly, the first section > of the doc on installing and updating software in dom0 > https://www.qubes-os.org/doc/software-update-dom0/ reads like a warning not > to do it unless you have a specific reason (and then goes on to list some of > those reasons), so at first didn't run qubes-dom0-update. It was only after > I started reading some of the Xen security patch announcements that I started > including this as a mandatory early step after a fresh install. > > > > > I use salt to update all my templates with a single command, but other > > users have python/bash scripts to iterate over templates. > > Interesting. I'm not familiar with this at all. I'll see what I can find > out with some searching.
The relevant section in the docs is www.qubes-os.org/doc/salt - It's not that good as an introduction, and needs more work. There is a reasonable discussion on github with different approaches. > > > > > There's also an update widget on the way. > > > > There are already docs about updating dom0 and templates: > > www.qubes-os.org/doc/software-update-dom0 > > www.qubes-os.org/doc/software-update-vm > > These give a fairly detailed guide. If you think they need clarification > > please suggest changes in a PR. > > > > The latest versions of packages are in the current repository after > > spending some time in testing. There really isn't any need for nightly > > builds, I think. If you keep your dom0 updated then it will transition > > to 4.0.1. (Many users seem to find this hard to grasp.) > > Thanks for pointing this out. So once 4.0.1 goes GA, a 4.0 system will > automatically upgrade itself to 4.0.1 via qubes-dom0-update? > Yes, if you keep updating you will end at 4.0.1. (That doesn't include the templates though - I mean that 4 shipped with jessie as Debian template and that isn't updated with qubes-dom0-update. You need to separately install a stretch template, or dist-upgrade the jessie.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181216023118.dvdy7go67wi45uic%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.