Dev/Automatic Updates

From Kicksecure
< Dev
Jump to navigation Jump to search

Why does Kicksecure (not) use Automatic Updates? Why does Kicksecure (not) use a GUI Update Notifier or GUI Updater?

Introduction[edit]

APT upstream bugs[edit]

Security Issues when using apt-get update in Scripts[edit]

Scripts need to use apt-get with --error-on=any. Otherwise, network errors do not result in a non-zero exit code. APT sources that failed would not be noticed. Security updates might be missing.

Simplified Assisted Updates[edit]

One-Click Upgrade Button for Debian Packages[edit]

This is a very difficult problem. Unspecific to Kicksecure. It applies to any APT-based distribution.

Automation is very challenging due to issues introduced at a higher level (Debian).

APT is not good at conflict resolution with configuration files. For instance, the user may have installed arbitrary packages and modified their configurations, while upstream may have updated the configuration files. In such cases, dpkg will prompt the user to decide whether to keep the old or adopt the new configuration file. I.e., APT triggers a dpkg interactive conflict resolution dialog. See also Configuration Files.

Additionally, other issues can arise, such as:

  • Problems with GPG verification
  • Expired package list metadata (e.g., valid-until) [2]
  • General system issues caused by interruptions during previous updates

Dedicated projects have also failed at simplifying APT, such as Synaptic, Apper [3], PackageKit, and Software Center. All of these efforts failed to implement a universal solution for all scenarios. When higher-level initiatives (Linux distributions) struggle with user-friendliness, it becomes nearly impossible to address these issues at a lower level in Kicksecure.

See also these related #APT upstream bugs, which would make implementing an automated script more difficult. Additionally, consider this issue with packages lacking full security supportarchive.org, even though these are in the Debian stable repository.

For further complexity, refer to Operating System Software and Updates, where issues such as unsigned packages and required restarts are currently documented.

The challenges of securely and reliably implementing an automated one- or zero-click update utility have been extensively discussed. For instance:

This is a massive undertaking equivalent to a standalone project.archive.org (Not Kicksecure specific, although discussed in the Kicksecure tracker!)

During Release Upgrades, the APT command autoremove is required. 

Err:4 http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack InRelease
  500  SSL error: wrong version number [IP: 127.0.0.1 3142]

For more information on this specific issue, refer to: Update issue: FastTrack 500 SSL error - wrong version number.archive.org

Automatic Updates[edit]

Unattended upgrades in background for Debian packages[edit]

Reasons for Automatic Updates:

  • Better usability.

Reasons against Automatic Updates:

  • Apparently mysterious [4] system load: Depending on system performance and other tasks concurrently performed by the user (such as on the host and/or in other VMs), this might make the user's machine unsuspectingly seem slow during upgrades. In the past, there was an issue of VMs freezing during upgrades (kernel module compilation)archive.org due to a too low default RAM setting.
  • Apparently mysterious [4] network load: On already slow (Tor) connections, downloads could make online tasks performed by the user slower than usual or even unusable.
  • Metered connections: Some people may be on different kinds of internet connections. Sometimes they may use a connection with unlimited quota and want to postpone downloading updates.
  • Security: Due to the apt security bug CVE-2016-1252archive.org, it was better to Stay Tuned and manually upgrade rather than upgrading automatically. [5]
  • Backdoors and compromises: If Debian's update mechanism ever gets compromised [6], then it would make sense for users to read Kicksecure News before manually updating. Quote Old discussionarchive.org:

Automatic updates are dangerous. All updates are dangerous. They are remote root backdoors (with some restrictions and checks of course). The problem is, if "something" goes wrong, it will automatically propagate across all users in a very short amount of time. On the other hand, if you update manually a day later or so, it's likely that someone else has noticed the problem and notified Canonical, and you stay safe. Lots of things can "go wrong": a dev system, a build system, the key, or the crypto system could become compromised. It has happened several times, such as the openssl issue, Fedora/RedHat, kernel.org, and Flame malware. Not all of them would be mitigated by using manual updates (only downloading the patches, reviewing them, and manually applying them would). Sadly, for that to be usable, the TCB is too complex and large, it just wouldn't scale. Software updates are messy but right now a necessary evil. I feel more comfortable not letting them run in the background without any verbose output. The one day more or not will not impact security. With Linux distros, it already takes time anyway between upstream fixes and downstream release. Further, if it's a 0day, you already lost that one (and have to rely on the additional security that aos provides). A single security issue should never impact security in a fatal way. It still does in aos 0.* but I hope that can be changed. i.e., we need to migrate away from using the same OS for t-w and t-g. This includes the kernel, and I'm not really sure what alternatives there are. Essentially, there's only *BSD. See new ticket...

  • Locked APT database usability issue: When APT is already fetching or installing upgrades in the background and the user starts it manually, the user will see the following error message. This is happening in Qubes Debian and Kicksecure for Qubes templates. APT would need to give better feedback to the user or abort the background process and start the foreground process.
sudo apt update
Reading package lists... Done
E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
E: Unable to lock directory /var/lib/apt/lists/
  • Anonymity specific: If the user is using Debian as a host operating system or connecting to the same mirror, "Connect to a Server Anonymously and Non-anonymously at the Same Time" applies. (Since using stream isolation, in the worst case, as far as I can see, the server only knows what packages you wanted to download, if that happens.)

Needs Research:

  • What happens when a stale mirror is detected? Will the user be informed?
  • Is a stale mirror attack a concern, since exit relays change anyway?
  • Are times when "apt update" is run randomized to prevent a clear network fingerprint? If not, this needs a custom implementation/diverting some scripts.
  • Are times when "apt full-upgrade" is run randomized to prevent a clear network fingerprint? If not, this needs a custom implementation/diverting some scripts.
  • What are the reasons why distributions such as Debian/Ubuntu/Qubes OS are not using automatic updates by default?

Non-issues:

Forum discussion:

Auto Upgrading Tor Browser[edit]

Update Tor Browser

Update Notifier / GUI Updater[edit]

Rejects ideas[edit]

apper (kde) package[edit]

Apper is user-friendly since there is only one big update button and it also honors proxy settings in /etc/apt/apt.conf, which are required for Tor stream isolation.

Automatic update checks have been disabled in /etc/apt/apt.conf.d/10periodic because the execution time would be too predictable. systemcheck runs at startup (non-predictable) and every day at a random time.

Apper / Synaptic was removed in Kicksecure 8. See: https://web.archive.org/web/20201214130721/https://github.com/Whonix/Whonix/issues/104archive.org

Too many bugs, too confusing. [7]

update-notifier (gnome) package[edit]

The overall user interface is very good. However, it asks a confusing question to update "safely" without removing packages. After updating "safely," it still reports updates. Open question: how to provide update-notifier in several languages? Would all GNOME language packages be needed?

Would require configuration with something like: 

gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory

Would also require: 

cp /etc/xdg/autostart/update-notifier.desktop /etc/xdg/autostart/update.desktop

And removing `shownotin=kde` from `/etc/xdg/autostart/update.desktop`.

update-notifier-kde package[edit]

This package is confusing. It shows how many updates are available, but it only provides one button: "Later."

Conclusion[edit]

As long there are no tools which can handle always all cases for all users, it is the best of the worse choices to teach users how to update using the CLI tools. Those always work reliably.

Footnotes[edit]

  2. https://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.htmlarchive.org
  3. Bugs such as Apper recommending a restart while APT (command line) is still processing.
  4. 4.0 4.1 to those who don't know that automatic updates are enabled by default; would result in questions such as this: Broken link: [[Special:AWCforum/st/id178/Weird_traffic_display_in_arm.html]]
  5. During APT upgrading, signature verification can be tricked, resulting in arbitrary package installation and system compromise. Sources:
  6. If a malicious package was uploaded to Debian's APT repository or if there was a critical bug in APT.
    • Broken link: [[Special:AWCforum/st/id166/Gateway_update_errors.html]]
    • Broken link: [[Special:AWCforum/st/id42/You_have_194_updates_(can't_be_a....html]]
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Dev/Automatic_Updates&oldid=88757"