WS problems after recent upgrade

Since upgrading to the latest distribution I have several annoying Qubes-Whonix interaction problems that affect my workstation but not whonix gateway.

(1) Update icon does not appear in Qubes “State” column for WS template. Works for Gateway template and all other non-whonix templates.
(2) VMs based upon Whonix WS template not inheriting program list. Every new VM forces me to go into anon-whonix/add new short cut/add tor browser. Tor browser is not appearing in VM based upon Whonix WS template by default.
(3) Whonix upgrade “apt-get” is not recognizing that TBB is already installed on Template VM. Such that if a person manually downloads the update using Tor’s own update function apt-get-upgrade will download the program again. Further, booting template VM will cause an auto pop-up stating that Tor bowser is not installed even after Tor has already been downloaded twice (both manually and by apt-get).

None of these are major problems but annoyances.

thefoc:

(1) Update icon does not appear in Qubes “State” column for WS
template. Works for Gateway template and all other non-whonix templates.

Did you upgrade using
Release Upgrade ?

And did you upgrade to Qubes R3.1?

(2) VMs based upon Whonix WS template not inheriting program list.
Every new VM forces me to go into anon-whonix/add new short cut/add tor
browser. Tor browser is not appearing in VM based upon Whonix WS
template by default.

I just now documented this, please check:

Release Upgrade

(3) Whonix upgrade “apt-get” is not recognizing that TBB is already
installed on Template VM. Such that if a person manually downloads
the update using Tor’s own update function apt-get-upgrade will
download the program again. Further, booting template VM will cause
an auto pop-up stating that Tor bowser is not installed even after
Tor has already been downloaded twice (both manually and by
apt-get).

Know Tor Browser Essentials already?

Not easy to document. An alternative explanation…

Whonix upgrade “apt-get” is not recognizing that TBB is already
installed on Template VM.

On new TBB released, a new tb-updater version file gets released, the
tb-updater package updated. This results in updating TBB in the
TemplateVM. This is useful so newly created AppVMs based on whonix-ws
will come with an up to date TBB.

Such that if a person manually downloads
the update using Tor’s own update function apt-get-upgrade will
download the program again.

TBB in AppVMs should still be updated using TBB internal updater.

[ Technically (economically) not possible to do that for the user from
within the TemplateVM. ]

Further, booting template VM will cause
an auto pop-up stating that Tor bowser is not installed even after
Tor has already been downloaded twice (both manually and by
apt-get).

Steps to reproduce? QVMM → start whonix-ws → Tor Browser is not
installed popup? That’s all? I cannot imagine. Any steps missing?

YES

YES

The problem is not in the AppVM, it is in the template VM.

You have the steps correctly.

(a) I boot TemplateVM
(b) I run apt-get update/upgrade
(c) at the end of upgrade it downloads new TBB
(d) I then close terminal and stop TemplateVm
(e) reboot TemplateVM, run TBB (not TBB updater)
(f) get popup screen telling me TBB not installed and asking if I want to install it.
(g) I click ok and then get screen asking me which version I want to install.
(h) I must download TBB all over again.

To be clear this all happens in templateVM no AppVm involved.

Don’t start Tor Browser in the TemplateVM. It is not expected to be done that way and wrong.

Huh? Why? How I am to pass my custom TBB settings to each of my App VM then? There has to be some way to modify TBB settings in Template VM or it defeats most of the purpose of having a template.

I created an appVM off the template VM and it correctly is using the proper version of Tor without me updating TBB manually in the TemplateVM.

Yet that is a terrible result because it means I have to spend 15 minutes reconfiguring TBB settings every time I create a new AppVM.

I honestly don’t understand why you would do this. It is poor operational security to defeat inheritance in this manner.

Actually, you do:

tb-updater is designed to provide a secure (up-to-date) browser to “most” users, including those that may not be technically inclined / motivated.

I’m not sure how you came to that conclusion. If you require 15 mins to reconfigure Tor Browser, you may not be following “best practices” in terms of anonymity. Tor Browser was designed to be used virtually “stock”.

Having said that, Whonix (& Tor Browser) is an open project. You can use your system however you want.

You have several options:

1. Rewrite Whonix scripts to do what you want. (Hard)
2. Leave default Whonix alone and do what you want
   Choices:
   a. Install a 2nd Tor Browser in your TemplateVM as per: Docs: Multiple Tor Browsers. Install to a directory other than /home/user/.tb/ since that one belongs to Whonix. (Not my personal preference since I don’t like running apps in the Template if I don’t have to.)
   -or-
   b. Proceed as you have done already. Configure Tor Browser in a clean AppVM exactly the way you want it. Copy this Tor Browser to each of your new AppVMs. (Tor Browser is entirely contained in /home/user/.tb)
   In myCleanAppVM:
   qvm-copy-to-vm myNewAppVM /home/user/.tb
   In myNewAppVM:
   mv /home/user/QubesIncoming/myCleanAppVM/.tb /home/user/

As you probably know already, future configuration changes (to Tor Browser) will not propagate to child VMs (like any other App that stores config files in /home/user/).
This aspect is not a Whonix issue at all. It’s a property of Qubes: /home/user/ is copied from Template to AppVM upon creation and then cut loose to be independent.
For this reason, you might want to keep a separate AppVM to serve as a pseudo-Tor Browser Template.

Don’t start Tor Browser in the TemplateVM. It is not expected to be done that way and wrong.

• You are expected to use Tor Browser as stock as possible with as few modifications as per upstream recommendations by The Tor Project.
• You risk connecting to the internet with the browser (open issue: ⚓ T372 Qubes-Whonix Whonix-Workstation TemplateVMs block access to (torified) open internet ) thereby compromising the TemplateVM and thereby all TemplateBasedVMs based on that TemplateVM.
• By starting Tor Browser it creates various files. Although it should not, one or another file might make you pseudonymous rather than anonymous. You do not want all TemplateBasedVMs based on that TemplateVM be linked to the same pseudonym. You are a lot better of starting Tor Browser for the first time in the TemplateBasedVM rather than TemplateVM. Otherwise you are expecting Tor Browser to be perfect and to no such bug be revealed later. If you look at current and past Tor Browser issues, this seems to me like a very bad idea:
• The Tor Project / Organization · GitLab
• The Tor Project / Organization · GitLab

Actually, anything should still be possible. tb-updater is configureable enough.

1. You could perhaps customize Tor Browser in the whonix-ws TemplateVM by manually starting it from /var/cache/tb-binary/.tb/tor-browser. Go to this folder by using command line or a file manager (dolphin).

2. Then disable tb-updater automatically updating Tor Browser in the TemplateVM /var/cache/tb-binary.

(This is because you cannot have it both ways. tb-updater has always been incapable of preserving user modifications. So keeping Tor Browser in /var/cache/tb-binary up to date would be your task. Either tb-updater automatically updates Tor Browser in /var/cache/tb-binary and you manually re-add customizations or tb-updater does not touch /var/cache/tb-binary, you keep your customizations, but updating Tor Browser using Tor Browser internal updater would be your task.)

In the whonix-ws TemplateVM, create a file /etc/torbrowser.d/50_user.conf.

kdesudo /etc/torbrowser.d/50_user.conf

Add.

tb_install_follow=false

Save.

tb-starter git master / for Whonix 14: