User-sysmaint-split not installed after update | qubes passwordless root is still installed

The whonix-workstation-17 TemplateVM was updated, as I saw in Qubes Update Tool (I saw so many packages updated at once, while the previous day no updates were found, indicating it’s the point release… also System Check gives INFO: Debian Package Update Check Result: No updates found via apt-get.).

However, user-sysmaint-split package is “Absent” as indicated by System Check, and as
sudo apt list user-sysmaint-split
gives out
user-sysmaint-split/unknown 3:6.4-1 all (without [installed])
and
sudo apt list qubes-core-agent-passwordless-root
gives out
qubes-core-agent-passwordless-root/unknown,now 4.2.41-1+deb12u1 amd64 [installed]

I thought the point release doesn’t do it automatically and I would go and install it manually with sudo apt install and remove passwordless root manually. But I saw a recent forum post from a user issuing “Permission denied : sudo” (you can find it by seeing latest posts), indicating that user-sysmaint-split gets installed automatically for users by updating (using Qubes Update Tool).

What should I do?

  • CLI: There will be a link below it.
    • https://www.whonix.org/wiki/Sysmaint

  • GUI: There will be a clickable link.
    • (It actually cannot be opened on Whonix-Gateway, but you can see the link by right click → copy link location. The link is also shown and clickable in Whonix-Workstation’s systemcheck.)

Documented here:


You mean I should install it and remove qubes-core-agent-passwordless-root manually?

Doesn’t that happen automatically when updating?

User decision.

Refer documentation.

In “Kicksecure Doc: Point Release” it says:

Installing any version of Kicksecure 17 and fully updating it leads to a system which is (mostly) identical to installing a Kicksecure point release.

In “Kicksecure Doc: Sysmaint” it says:

Starting from version 17.3.9.9, Kicksecure comes with a security feature called user-sysmaint-split enabled by default (in Xfce and above).

My question is I updated whonix-workstation-17 and user-sysmaint-split doesn’t exist, as I explained above.

Also:

… and whonix news didn’t say

Surely the difference between the image update and the normal update is not only sudo apt install user-sysmaint-split && sudo apt remove qubes-core-agent-passwordless-root, then people who are new and installing with images will have advantages over people doing a normal update?

My question is clear: Do Whonix users who update normally get user-sysmaint-split installed and passwordless root removed automatically? Do we have to install the new point release from an image to have that?

Mostly identical. Not fully identical.

Known relevant differences are pointed out in documentation.

Quote Whonix 17.3.9.9 - Point Release!

That should say Build Version.

You’re not on build version 17.3.9.9.

For older versions, upgrades refer to Whonix wiki, sysmaint wiki page, chapter, Version Overview, column:

Old Versions

This is hard to answer in the forums because it depends on Whonix-Gateway versus Whonix-Workstation, standard (“everyday”) update versus plans what will happen during the next release upgrade.

However, Whonix wiki, sysmaint wiki page, chapter, Version Overview should make all of that easily accessible.

For installation instructions…

Note, Whonix wiki, sysmaint wiki page, chapter Upstream.

It links to: Kicksecure wiki, sysmaint wiki page.

Then there’s chapter Installation.

Nothing about any point releases is mentioned there. If there was an issue “feature X is unavailable for build versions […]”, then we would need to clearly document that. Or at least package installation would need to fail with a clear error message.

Absent any mention of such a limitation in documentation, you can safely assume there is no such limitation.