Does dom0 check-update go over Tor?

AFAIK, TemplateVM update checks work by having some AppVMs based on the TemplateVM check for updates. If all TemplateVMs are connected to a Whonix-Gateway, but not all AppVMs based on these templates are, then it seems like a good idea to disable “Check for VM updates” in Qubes Manager (in order to preserve package list privacy linkability, for example).

However, is the same true of dom0? In other words, if my UpdateVM is connected to a Whonix-Gateway, does enabling “Check for dom0 updates” cause the update checks to go over my clearnet connection (sys-firewall or sys-net) or over Tor?

Makes sense and we should document this somewhere.

“Check for dom0 updates” uses the UpdateVM. And if your UpdateVM is sys-whonix or connected to sys-whonix, then updates are torified.

(Btw on Redirecting… there is a chapter “Upgrading over Tor”.)

Thanks, Patrick!