Whonix Update Notification Message, Outdated doesn't mean Unsafe, needs revision

Some input for improving user output of whonixcheck Whonix News Update Notification is needed here.

Current messages are, when Whonix Debian Packages are outdated:

Whonix News Download Result: Installed Whonix Debian Package $whonix_deb_package_version is outdated! You can automatically update using Whonix's internal updater. Please update using: sudo apt-get update && sudo apt-get dist-upgrade

Or when Whonix’s Build Version is outdated (this is what happened when Whonix moved from Debian testing [Whonix 7] to Debian stable [Whonix 8]: updating Whonix Debian Packages using apt-get wasn’t supported, so the whole build version was declared deprecated. The goal is not to do this again, but still, you never know, and it’s good having this option around):

Whonix News Download Result: Whonix Build $whonix_build_version is outdated! Sorry, automatically updating this Whonix version is not possible. You have to manually download a new Whonix image.

Neither message says “no devs are putting thought into these versions which are declared outdated anymore, for security reasons you should update”, because “outdated” doesn’t mean “not safe”.

(This is implemented in https://github.com/Whonix/Whonix/blob/master/whonix_shared/usr/lib/whonix/whonixcheck/50_check-whonix-news.)

Any suggestions?

Is it safe to not be updated? When is it OK to have outdated Whonix Debian packages?

Not safe, since no one is spending thought on these versions anymore. But that doesn’t mean a remotely exploitable security issue has been found. (In that case, a Whonix News and Blog Post will be posted.)

It seems to me that this is a distinction without a difference. As well as a distinction that other software developers don’t make:

Whether you’re “outdated, but no known vulnerabilities” or “outdated and known vulnerabilities”, the solution is the same: “stop working and update now”.

Are you worried that, hypothetically, someone is in the middle of their work or simply can’t update right now… then they see the message and cause themselves unnecessary stress? “Not being able to stop and update is bad, but it’s not like you’re already being spied on”?

No.

The story behind this is that a user contacted me and said “outdated doesn’t mean not safe” or “you should update”. And I must agree, in the strict sense, “outdated” indeed doesn’t mean “should update”. This also matches my non-Whonix (Windows users) related experiences, where I was asked “What are these updates about? Should I care?”

What about this…

“You can automatically update using Whonix’s internal updater.” -> “You should update. You can automatically update using Whonix’s internal updater.”

“You have to manually download a new Whonix image.” -> “You should manually download a new Whonix image.”

Outdated=notsafe mentality is actually good. It’s a motivator for people to update, therefore reducing any support needed for the obsolete versions.

"You should update. You can automatically update using Whonix's internal updater."

“You should manually download a new Whonix image.”

Good.