Does whonix automatically update itself?

Ok read this

“Now that you’ve changed the password the next step is to update Whonix in both the gateway and workstation. In this tutorial https://youtu.be/yXcFHgGjY6M?si=lmfdFiFJdGxU1RJW it says to do “sudo apt update && sudo apt upgrade -y” in the terminal in both gateway and workstation. So make sure you do that.” That was copied and pasted from here https://www.reddit.com/r/Whonix/comments/1dxk1gn/how_to_install_whonix_on_linux_ubuntu_mint_etc/

So yeah do I have to manually update whonix by entering “sudo apt update && sudo apt upgrade -y” in the terminal in both gateway and workstation, or does whonix automatically update itself?

These kind of simple beginner questions you’ll all find in documentation.

I have not seen the video that you linked, but the answer is no. Whonix does not update automatically. You have to update it manually in gateway and workstation. However, the instructions you posted are a little out of date. You just need to type “upgrade-nonroot” in the terminal.

Example terminal output-

user@host:~$ upgrade-nonroot
Hit:1 tor+https://deb.debian.org/debian bookworm InRelease                                      
Hit:2 tor+https://deb.whonix.org bookworm InRelease                                             
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Hit:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Get:7 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:8 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages.diff/Index [63.3 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages T-2025-01-02-2007.35-F-2025-01-02-2007.35.pdiff [2215 B]
Get:9 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages T-2025-01-02-2007.35-F-2025-01-02-2007.35.pdiff [2215 B]
Fetched 255 kB in 5s (53.7 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

This way, you do not have to type in your password in order to update your packages. You still have to use “sudo apt” in order to install packages.

Example-

user@host:~$ sudo apt install neofetch
[sudo] password for user:                                                             
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  caca-utils chafa imagemagick imagemagick-6.q16 jp2a libchafa0 libid3tag0 libimlib2
  libnetpbm11 libsixel-bin netpbm toilet toilet-fonts w3m w3m-img
Suggested packages:
  imagemagick-doc autotrace enscript gimp gnuplot grads graphviz hp2xx html2ps
  libwmf-bin mplayer povray radiance sane-utils texlive-base-bin transfig ufraw-batch
  figlet brotli cmigemo compface dict dict-wn dictd w3m-el xsel
The following NEW packages will be installed:
  caca-utils chafa imagemagick imagemagick-6.q16 jp2a libchafa0 libid3tag0 libimlib2
  libnetpbm11 libsixel-bin neofetch netpbm toilet toilet-fonts w3m w3m-img
0 upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 5139 kB of archives.
After this operation, 16.0 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 tor+https://deb.debian.org/debian bookworm/main amd64 libid3tag0 amd64 0.15.1b-14 [35.4 kB]
Get:2 tor+https://deb.debian.org/debian bookworm/main amd64 libimlib2 amd64 1.10.0-4+deb12u1 [206 kB]
Get:3 tor+https://deb.debian.org/debian bookworm/main amd64 caca-utils amd64 0.99.beta20-3 [57.6 kB]
Get:4 tor+https://deb.debian.org/debian bookworm/main amd64 libchafa0 amd64 1.12.4-1+b1 [85.1 kB]
Get:5 tor+https://deb.debian.org/debian bookworm/main amd64 chafa amd64 1.12.4-1+b1 [67.8 kB]
Get:6 tor+https://deb.debian.org/debian bookworm/main amd64 imagemagick-6.q16 amd64 8:6.9.11.60+dfsg-1.6+deb12u2 [339 kB]
Get:7 tor+https://deb.debian.org/debian bookworm/main amd64 imagemagick amd64 8:6.9.11.60+dfsg-1.6+deb12u2 [122 kB]
Get:8 tor+https://deb.debian.org/debian bookworm/main amd64 jp2a amd64 1.1.1-2 [32.8 kB]
Get:9 tor+https://deb.debian.org/debian bookworm/main amd64 libnetpbm11 amd64 2:11.01.00-2 [174 kB]
Get:10 tor+https://deb.debian.org/debian bookworm/main amd64 libsixel-bin amd64 1.10.3-3 [19.1 kB]
Get:11 tor+https://deb.debian.org/debian bookworm/main amd64 neofetch all 7.1.0-4 [81.8 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/main amd64 netpbm amd64 2:11.01.00-2 [2015 kB]
Get:13 tor+https://deb.debian.org/debian bookworm/main amd64 toilet-fonts all 0.3-1.4 [724 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 toilet amd64 0.3-1.4 [22.6 kB]
Get:15 tor+https://deb.debian.org/debian bookworm/main amd64 w3m amd64 0.5.3+git20230121-2 [1102 kB]
Get:16 tor+https://deb.debian.org/debian bookworm/main amd64 w3m-img amd64 0.5.3+git20230121-2 [51.7 kB]
Fetched 5139 kB in 9s (600 kB/s)                                                         
Selecting previously unselected package libid3tag0:amd64.
(Reading database ... 128343 files and directories currently installed.)
Preparing to unpack .../00-libid3tag0_0.15.1b-14_amd64.deb ...
Unpacking libid3tag0:amd64 (0.15.1b-14) ...
Selecting previously unselected package libimlib2:amd64.
Preparing to unpack .../01-libimlib2_1.10.0-4+deb12u1_amd64.deb ...
Unpacking libimlib2:amd64 (1.10.0-4+deb12u1) ...
Selecting previously unselected package caca-utils.
Preparing to unpack .../02-caca-utils_0.99.beta20-3_amd64.deb ...
Unpacking caca-utils (0.99.beta20-3) ...
Selecting previously unselected package libchafa0:amd64.
Preparing to unpack .../03-libchafa0_1.12.4-1+b1_amd64.deb ...
Unpacking libchafa0:amd64 (1.12.4-1+b1) ...
Selecting previously unselected package chafa.
Preparing to unpack .../04-chafa_1.12.4-1+b1_amd64.deb ...
Unpacking chafa (1.12.4-1+b1) ...
Selecting previously unselected package imagemagick-6.q16.
Preparing to unpack .../05-imagemagick-6.q16_8%3a6.9.11.60+dfsg-1.6+deb12u2_amd64.deb ...
Unpacking imagemagick-6.q16 (8:6.9.11.60+dfsg-1.6+deb12u2) ...
Selecting previously unselected package imagemagick.
Preparing to unpack .../06-imagemagick_8%3a6.9.11.60+dfsg-1.6+deb12u2_amd64.deb ...
Unpacking imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) ...
Selecting previously unselected package jp2a.
Preparing to unpack .../07-jp2a_1.1.1-2_amd64.deb ...
Unpacking jp2a (1.1.1-2) ...
Selecting previously unselected package libnetpbm11:amd64.
Preparing to unpack .../08-libnetpbm11_2%3a11.01.00-2_amd64.deb ...
Unpacking libnetpbm11:amd64 (2:11.01.00-2) ...
Selecting previously unselected package libsixel-bin.
Preparing to unpack .../09-libsixel-bin_1.10.3-3_amd64.deb ...
Unpacking libsixel-bin (1.10.3-3) ...
Selecting previously unselected package neofetch.
Preparing to unpack .../10-neofetch_7.1.0-4_all.deb ...
Unpacking neofetch (7.1.0-4) ...
Selecting previously unselected package netpbm.
Preparing to unpack .../11-netpbm_2%3a11.01.00-2_amd64.deb ...
Unpacking netpbm (2:11.01.00-2) ...
Selecting previously unselected package toilet-fonts.
Preparing to unpack .../12-toilet-fonts_0.3-1.4_all.deb ...
Unpacking toilet-fonts (0.3-1.4) ...
Selecting previously unselected package toilet.
Preparing to unpack .../13-toilet_0.3-1.4_amd64.deb ...
Unpacking toilet (0.3-1.4) ...
Selecting previously unselected package w3m.
Preparing to unpack .../14-w3m_0.5.3+git20230121-2_amd64.deb ...
Unpacking w3m (0.5.3+git20230121-2) ...
Selecting previously unselected package w3m-img.
Preparing to unpack .../15-w3m-img_0.5.3+git20230121-2_amd64.deb ...
Unpacking w3m-img (0.5.3+git20230121-2) ...
Setting up toilet-fonts (0.3-1.4) ...
Setting up toilet (0.3-1.4) ...
update-alternatives: using /usr/bin/figlet-toilet to provide /usr/bin/figlet (figlet) in a
uto mode
Setting up jp2a (1.1.1-2) ...
Setting up libnetpbm11:amd64 (2:11.01.00-2) ...
Setting up libsixel-bin (1.10.3-3) ...
Setting up neofetch (7.1.0-4) ...
Setting up libchafa0:amd64 (1.12.4-1+b1) ...
Setting up libid3tag0:amd64 (0.15.1b-14) ...
Setting up w3m (0.5.3+git20230121-2) ...
Setting up libimlib2:amd64 (1.10.0-4+deb12u1) ...
Setting up netpbm (2:11.01.00-2) ...
Setting up imagemagick-6.q16 (8:6.9.11.60+dfsg-1.6+deb12u2) ...
update-alternatives: using /usr/bin/compare-im6.q16 to provide /usr/bin/compare (compare) 
in auto mode
update-alternatives: using /usr/bin/compare-im6.q16 to provide /usr/bin/compare-im6 (compa
re-im6) in auto mode
update-alternatives: using /usr/bin/animate-im6.q16 to provide /usr/bin/animate (animate) 
in auto mode
update-alternatives: using /usr/bin/animate-im6.q16 to provide /usr/bin/animate-im6 (anima
te-im6) in auto mode
update-alternatives: using /usr/bin/convert-im6.q16 to provide /usr/bin/convert (convert) 
in auto mode
update-alternatives: using /usr/bin/convert-im6.q16 to provide /usr/bin/convert-im6 (conve
rt-im6) in auto mode
update-alternatives: using /usr/bin/composite-im6.q16 to provide /usr/bin/composite (compo
site) in auto mode
update-alternatives: using /usr/bin/composite-im6.q16 to provide /usr/bin/composite-im6 (c
omposite-im6) in auto mode
update-alternatives: using /usr/bin/conjure-im6.q16 to provide /usr/bin/conjure (conjure) 
in auto mode
update-alternatives: using /usr/bin/conjure-im6.q16 to provide /usr/bin/conjure-im6 (conju
re-im6) in auto mode
update-alternatives: using /usr/bin/import-im6.q16 to provide /usr/bin/import (import) in 
auto mode
update-alternatives: using /usr/bin/import-im6.q16 to provide /usr/bin/import-im6 (import-
im6) in auto mode
update-alternatives: using /usr/bin/identify-im6.q16 to provide /usr/bin/identify (identif
y) in auto mode
update-alternatives: using /usr/bin/identify-im6.q16 to provide /usr/bin/identify-im6 (ide
ntify-im6) in auto mode
update-alternatives: using /usr/bin/stream-im6.q16 to provide /usr/bin/stream (stream) in 
auto mode
update-alternatives: using /usr/bin/stream-im6.q16 to provide /usr/bin/stream-im6 (stream-
im6) in auto mode
update-alternatives: using /usr/bin/display-im6.q16 to provide /usr/bin/display (display) 
in auto mode
update-alternatives: using /usr/bin/display-im6.q16 to provide /usr/bin/display-im6 (displ
ay-im6) in auto mode
update-alternatives: using /usr/bin/montage-im6.q16 to provide /usr/bin/montage (montage) 
in auto mode
update-alternatives: using /usr/bin/montage-im6.q16 to provide /usr/bin/montage-im6 (monta
ge-im6) in auto mode
update-alternatives: using /usr/bin/mogrify-im6.q16 to provide /usr/bin/mogrify (mogrify) 
in auto mode
update-alternatives: using /usr/bin/mogrify-im6.q16 to provide /usr/bin/mogrify-im6 (mogri
fy-im6) in auto mode
Setting up caca-utils (0.99.beta20-3) ...
Setting up chafa (1.12.4-1+b1) ...
Setting up imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) ...
Processing triggers for menu (2.1.49) ...
Processing triggers for mailcap (3.70+nmu1) ...
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for libc-bin (2.36-9+deb12u9) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for security-misc (3:41.1-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'posti
nst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Managing (S|G)UID of line:  setgid='true' existing_mode='27
55' new_mode='744' file='/usr/lib/w3m/w3mimgdisplay'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root video 744 
/usr/lib/w3m/w3mimgdisplay
permission-hardener: [NOTICE]: Executing: setcap -r /bin/ping
permission-hardener: [NOTICE]: To compare the current and previous permission modes, insta
ll 'meld' (or preferred diff tool) for comparison of file mode changes:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permission-harde
ner/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
Setting up w3m-img (0.5.3+git20230121-2) ...

To remove neofetch-

user@host:~$ sudo apt remove neofetch
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  caca-utils chafa jp2a libchafa0 toilet toilet-fonts
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  neofetch
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 360 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 129447 files and directories currently installed.)
Removing neofetch (7.1.0-4) ...
Processing triggers for security-misc (3:41.1-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'posti
nst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: setcap -r /bin/ping
permission-hardener: [NOTICE]: To compare the current and previous permission modes, insta
ll 'meld' (or preferred diff tool) for comparison of file mode changes:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permission-harde
ner/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
Processing triggers for man-db (2.11.2-2) ...

“upgrade-nonroot” and “apt” do not handle flatpaks. If you are using flatpaks, you can use “flatpak upgrade” to update them.

Example-

user@host:~$ flatpak update
Looking for updates…


        ID                                  Branch     Op Remote  Download
 1. [✓] org.freedesktop.Platform.GL.default 24.08      u  flathub 120.2 MB / 156.3 MB
 2. [✓] org.freedesktop.Platform.GL.default 24.08extra u  flathub  19.4 MB / 156.3 MB
 3. [✓] org.freedesktop.Platform.Locale     24.08      u  flathub 949.3 kB / 379.9 MB
 4. [✓] org.freedesktop.Platform            24.08      u  flathub  16.9 MB / 261.4 MB

Updates complete.

So if you run both “upgrade-nonroot” and “flatpak upgrade” in your terminal, you should be fine.

Additionally, I recommend running the systemcheck application when you open up gateway and workstation. systemcheck will check for tor connectivity and whether or not you need to update with “upgrade-nonroot”. It will not check whether flatpaks need to be updated.

System check is already installed on your device. You can find it by going to the menu and searching for it. I recommend putting a desktop shortcut on both your gateway and workstation so that you remember to do this. To do so, you can right-click the system check icon in the menu and select to add to desktop.

If you want to, you can run systemcheck automatically at startup. The instructions to do that is here- systemcheck - Security Check Application . However, it may be easier for you to do it manually.

I hope all that is helpful to you.

Making your own fresh builds of whonix & co might also be a viable alternative to updating repeatedly.

Cause who really remembers to do that on a regular basis? (Debian cycles are pretty slow but still just saying).

If it’s a throw-away install nevermind, but for important stuff I’d much prefer the clean feel of a fresh dist in comparison.

I’m sorry you’ve got me confused. I don’t believe I used flatpak to install whonix. You can use flatpak to install whonix on virtualbox? Who uses flatpak to install whonix?

Pardon me. I was talking about using and updating flatpak within whonix. I was not talking about using flatpak to install whonix.

Oh so you can use flatpak inside of a whonix session, how exactly?

I might sound like a newb and that’s cause I am.

If there is not a specific program that you want to install as a flatpak, then knowing how flatpaks work is not really relevant to you. The normal way of installing software with apt (which I gave an example of previously) should be sufficient for you.

However, if you still want to know more about flatpak, please read http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Install_Software#Flatpak

Do you have in mind a specific flatpak program that you want to use? Do you need me to go through a specific example?

related:

So how how often does a new update for whonix come out, every 3 months or what?

So honestly it really should work like this, if there is a new update available for whonix, when you login to whonix workstation there should be a pop-up that tells you there’s a new update available for whonix and then it should tell you the command to run in terminal to execute said update.

Cause this is the command I currently do to update whonix (I run this command in terminal in both gateway and workstation)

sudo apt update && sudo apt upgrade -y

And I run this command about every 3 months or so.

Quote Operating System Software and Updates

3. Update the APT Package Lists

System package lists should be updated at least once per day

I’m sorry but in order to update whonix this is what I do, I go into terminal in both gateway and workstation and enter this command

sudo apt update && sudo apt upgrade -y

So are you saying I should be doing this every single day? Really? Can’t I do this at least just once per month or so?

Unfortunately, these issues are unavoidable due to ecosystem-wide issues:

Whonix is based on Kicksecure. And Kicksecure is based on Debian. Therefore, it inherits many of the same issues of Debian.

Debian itself inherits these issues from upstreams, which consists of thousands of individual software projects that are packaged by Debian.

I suggest configuring systemcheck to autostart. Systemcheck can check for you if updates are required or not.

See http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Systemcheck#autostart_systemcheck

autostart systemcheck

Perform these steps to automatically start systemcheck; this step is optional.

1. Create folder ~/.config/autostart.

mkdir -p ~/.config/autostart

2. Create a symlink from /usr/share/applications/systemcheck.desktop to ~/.config/autostart/systemcheck.desktop.

ln -s /usr/share/applications/systemcheck.desktop ~/.config/autostart/systemcheck.desktop

3. Done.

systemcheck will now automatically start after boot.

Uh… Yeah… Looks very confusing to me. I’m not a computer expert and it looks very confusing to me.

You computer experts need to understand we are not all computer experts here. Some of us are just your Average Joe.

If you want Whonix to become more popular then you have to make it user friendly, now you know what user friendly means right? It needs to be easy to use, not super complicated.

Yeah something, something, something, create a symlink, something, something, ok now systemcheck will tell you when Whonix needs to be updated.

I’m scratching my head right now, going, “What?”

Yeah this is not user friendly. I need to say this again. If you want Whonix to become more popular then it needs to be user friendly.

Now you’re saying systemcheck will tell me when Whonix needs to be updated? Honestly I don’t believe you. I mean what?

And honestly, whonix is the one that should remind me to update it, and it should provide the instructions, how to update it.

Again, make it user friendly!

Whonix is the one that should notify me that it needs to be updated! And it should tell me how to update it!

Make it user friendly! If you want Whonix to grow in popularity then it needs to be user friendly.

See: