Is it safe to upgrade Whonix with apt-get update and apt-get upgrade?
It would be OK, but it's recommended that you use
apt-get dist-upgrade
Actually I don't see a reason why you wouldn't use dist-upgrade,
since that's what Whonix developers recommend (with Whonix).
Thanks. I was more concerned with it using http and not https, wouldn’t that be a security issue, with the exit node injecting data into the updated packages?
You can disable the Whonix and Debian http repos, and allow only onion repos in sources.list.
Why are .onion repos better?
It seems that from reading the apt-secure man pages that apt since version 0.6 does signature checking. However, it also seems that the repository can disable this from the server side, resulting only in a warning on the client side, which will probably be missed by most users.
I’m not an expert though, so please correct me if I’m wrong.
The link that I posted in the previous thread provided the information that you wanted.
https://www.whonix.org/wiki/Onionizing_Repositories
There are several security and privacy benefits of using Tor onion services: [2]
- The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update).
- The package repository, or observers watching it, can’t track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks (like version downgrade attacks).
Thanks!
I see that this is undocumented, but basically it involves editing the files in sources.list.d/ and removing anything that isn't a .onion URL?
This is documented.
https://www.whonix.org/wiki/Onionizing_Repositories#Whonix_and_Debian_Packages
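Since the thread touches on two checks a user can make on their own sources files, whether apt's signature checking is being bypassed and whether any mirror is still a clearnet (non-.onion) URL, here is an added shell example that audits sources.list-format entries for both; it is not code from the Whonix wiki or from anyone in this thread, and its sample entries, including the .onion hostname, are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki or this thread): audit APT source
# entries for two things the thread discusses, clearnet (non-.onion) mirrors
# and entries that opt out of signature checking with [trusted=yes].
# The sources below are constructed; the .onion hostname is a placeholder.

SAMPLE_SOURCES="$(cat <<'EOF'
# constructed sample entries, not real Whonix configuration
deb http://deb.debian.org/debian bullseye main
deb [trusted=yes] http://mirror.example.invalid/debian bullseye main
deb tor+http://EXAMPLEONIONADDRESSPLACEHOLDER.onion/debian bullseye main
deb https://deb.debian.org/debian-security bullseye-security main
EOF
)"

# audit_sources: reads sources.list-format lines on stdin, prints one line per
# finding and a final "findings=N" summary line.
audit_sources() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            'deb '*|'deb-src '*) ;;   # only deb / deb-src entries matter
            *) continue ;;            # blanks, comments, anything else
        esac
        # pull the [options] group, if any, then the URI field
        opts=''
        case "$line" in
            *'['*']'*) opts="${line#*[}"; opts="${opts%%]*}" ;;
        esac
        rest="${line#deb-src }"; rest="${rest#deb }"; rest="${rest#\[*\] }"
        uri="${rest%% *}"
        host="${uri#*://}"; host="${host%%/*}"
        case "$opts" in
            *trusted=yes*)
                # apt skips Release signature verification for this source
                echo "SIGNATURE CHECK DISABLED: $uri"
                findings=$((findings + 1)) ;;
        esac
        case "$host" in
            *.onion) ;;   # onion service: authenticated end-to-end by its address
            *) echo "CLEARNET: $uri"
               findings=$((findings + 1)) ;;
        esac
    done
    echo "findings=$findings"
}

printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
```

To audit a real system, replace the sample with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources`.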