I am an experienced Linux developer with some familiarity with Tor. I have tried an older version of Whonix in the past, but I am new to Qubes OS. Last week I installed Qubes OS 3.0 with Whonix templates. Things worked well until I installed security updates in all template VMs.
First whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck. Bug report: This whonixcheck advice was not Qubes-aware, so it wrongly told me to remove these packages from the AppVM dom0 → Start Menu → ‘whonix’ → Konsole instead of the TemplateVMs whonix-ws and whonix-gw.
In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <[url=https://www.torservers.net/wiki/setup/server]https://www.torservers.net/wiki/setup/server[/url]>:
# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends
At the same time, whonixcheck complained about an unexpected timezone setting, and I am unable to correct it. Even after changing the contents of /etc/timezone from UTC to Etc/UTC in both template VMs, the old value is back after a reboot, and whonixcheck complains again.
Then I noticed that TorBrowser was gone. Whonix offered to re-install it using its TorBrowser-Updater. That was denied by AppArmor, so I disabled it. Now I can use TorBrowser, but whonixcheck keeps complaining about the timezone even after reboots.
It is possible that AppArmor plays a role in this mess. I had enabled it two days ago, and it generated DENIED entries in the kernel.log of whonix-gw for [tt]/usr/sbin/cpfpd[/tt] not being allowed to read from “/rw/usrlocal/lib/python2.7/dist-packages/”. I would paste the exact warning here, but copy & paste does not work (yes, I tried the three-step dance ctrl-shift-c ctrl-shift-v ctrl-v but the destination clipboard still contained an old value).
These are my package sources:
user@host~$ egrep -rv '^#|^$' /etc/apt/sources.list.d/
/etc/apt/sources.list.d/debian.list:deb http://security.debian.org jessie/updates main contrib non-free
/etc/apt/sources.list.d/debian.list:deb http://ftp.us.debian.org/debian jessie main contrib non-free
/etc/apt/sources.list.d/whonix.list:deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ testers main
/etc/apt/sources.list.d/torproject.list:deb http://deb.torproject.org/torproject.org jessie main
/etc/apt/sources.list.d/qubes-r3.list:deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm jessie main