Please check my edits to upgrade instructions. One of those Qubes packages is now in the stable repo, not the testing one (I fixed that). But could be other minor errors.
Could be good to double check since Whonix 14 has been announced.
I was contemplating to drop support for Qubes R3.2. Makes development a
lot harder / time consuming to keep compatibility with both in mind.
Suffering from sunken cost fallacy.
Sounds reasonable with only 6 months left on that anyway.
PS Whonix 14 upgrade seems ok. However:
Steps for install qubes-whonix-workstation (and gateway) are not necessary. They are already installed before that step.
Ditto the dom0 qubes-whonix-add-on (or whatever it’s called) - it’s already installed somewhere before that step.
The qubes salt stuff to create the anon-whonix didn’t work for me (similar to mig5 from memory). Had to manually create one from Qubes Manager. I trust that is safe with anon-vm tags now (?) If not, how to check for tags etc?
Sounds reasonable with only 6 months left on that anyway.
PS Whonix 14 upgrade seems ok. However:
Steps for install qubes-whonix-workstation (and gateway) are not necessary. They are already installed before that step.
Confirmed. Should be kept anyhow. This is only a safeguard to make sure Whonix distribution defaults as far as default package selection are enforced. Will only matter for users who previously uninstalled a Whonix meta package.
Ditto the dom0 qubes-whonix-add-on (or whatever it’s called) - it’s already installed somewhere before that step.
Right, it is now a dependency of qubes-mgmt-salt-dom0-virtual-machines. Therefore can be removed.
The qubes salt stuff to create the anon-whonix didn’t work for me (similar to mig5 from memory). Had to manually create one from Qubes Manager.
Let’s concentrate on this one since it is the easier one. One connection work (and once gpg works) it’s easy to replace curl with gpg on the command line.
This looks like a bug in curl. Looks like curl tries to resolve DNS without using the proxy when using https destination (https://check.torproject.org ).
Btw it is always http_proxy=http. Never http_proxy=https. This is because it’s a local proxy. Even https would work there, that would be ok. But it wouldn’t use encryption / use certificates. It only means http connect.
possible to replace apt-key with bash -x apt-key for better debug
When you get gpg: keyserver receive failed: Server indicated a failure means the Qubes TemplateVM connectivity side is solved, then you “only” need to workaround / configure / solve that gpg bug.
Once working please refine the apt-key command by adding --keyring /etc/apt/trusted.gpg.d/reponame.gpg. Much much cleaner than adding to /etc/apt/trusted.gpg! Also then instructions to disable it are as simple as sudo rm /etc/apt/trusted.gpg.d/reponame.gpg.
The onionizing of Whonix (v3) and Debian (v2) package updates is nice, so the user no longer needs to manually edit /etc/apt/sources.list.d/debian.list etc in Qubes-Whonix templates.
However, I note that in Debian and Whonix templates, we have:
qubes-r4.list
which is using the clearnet resources, instead of presumably the v3 .onion i.e.
This is an obvious (and relatively safe) feature improvement, since we already host the Qubes .onion as I understand it i.e. we trust the same infrastructure for Whonix package updates over onion services.
So this is an easy candidate for stretch-proposed-updates i.e. update sources.list.d in that qubes list for R3.2 and R4?
Tried to clean up Qubes/Install to reduce user confusion i see in forums etc.
Also, you sure we still need all this at the bottom here for the separate upgrade instructions? That testing pillar command looks out of place too in terms of sequence and not explained why/if user would want to do that.