Template:Operating System Updates

From Kicksecure

1. Save Progress and Backup

On rare occasions [1] the machine might freeze during the upgrade process. In this case, any work in progress might be lost, for example open documents or drafts. If this applies, save your progress before installing operating system updates. If required, back up all user data -- it is ideal to have a copy of the VM(s) so it is possible to try again (if necessary).

2. Flatpak Update

This step is only required if the user previously installed software manually using flatpak. It can be skipped otherwise.

  • Kicksecure: flatpak update
  • Kicksecure for Qubes Template: http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 flatpak update

3. Update the APT Package Lists

System package lists should be updated at least once per day [2] [3] with the latest version information for new/updated packages that are available. To update the Kicksecure package lists, run:

    sudo apt update

The output should be similar to this.

    Hit:1 tor+https://deb.debian.org/debian bookworm InRelease
    Hit:2 tor+https://deb.kicksecure.com bullseye bookworm
    Hit:3 tor+https://deb.debian.org/debian bookworm-updates InRelease
    Hit:4 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease
    Hit:5 tor+https://deb.debian.org/debian-security bookworm-security InRelease
    Hit:6 tor+https://deb.debian.org/debian bookworm-backports InRelease
    Reading package lists... Done

If an error message like this appears:

    W: Failed to fetch https://ftp.us.debian.org/debian/dist/bookworm/contrib/binary-amd64/Packages 404 Not Found
    W: Failed to fetch https://ftp.us.debian.org/debian/dist/bookworm/non-free/binary-amd64/Packages 404 Not Found
    E: Some index files failed to download. They have been ignored, or old ones used instead.
    Err https://ftp.us.debian.org bookworm Release.gpg Could not resolve 'ftp.us.debian.org'
    Err https://deb.torproject.org bookworm Release.gpg Could not resolve 'deb.torproject.org'
    Err https://security.debian.org bookworm/updates Release.gpg Could not resolve 'security.debian.org'
    Reading package lists... Done
    W: Failed to fetch https://security.debian.org/dists/bookworm/updates/Release.gpg Could not resolve 'security.debian.org'
    W: Failed to fetch https://ftp.us.debian.org/debian/dists/bookworm/Release.gpg Could not resolve 'ftp.us.debian.org'
    W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bookworm/Release.gpg Could not resolve 'deb.torproject.org'
    W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

    500 Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if the network connection is functional by changing the Tor circuit and trying again. Running systemcheck might also help to diagnose the problem.

Sometimes a message like this will appear.

    Could not resolve 'security.debian.org'

In that case, it helps to run:

    nslookup security.debian.org

And then try again.

4. APT Upgrade

To install the newest versions of the current packages installed on the system, run.

    sudo apt full-upgrade

Please note that if the Kicksecure APT Repository was disabled (see Disable Kicksecure APT Repository), then manual checks are required for new Kicksecure releases and manual installation from source code.

5. Never Install Unsigned Packages!

If a message like this appears.

    WARNING: The following packages cannot be authenticated!
      thunderbird
    Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt update again should fix the problem. If not, something is broken or it might be a man-in-the-middle attack, which is not that unlikely because updates are retrieved via Tor exit relays and some are malicious. Changing the Tor circuit is recommended if this message appears.

6. Signature Verification Warnings

No signature verification warnings should appear. If one does occur, it will look similar to the following.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
E: Release file for tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/dists/bullseye/InRelease has expired (invalid since 1 d 20 h 41 min 7 s). Updates for this depot are not applied.

Caution is warranted even though APT will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons for this occurrence. Either there is a problem with the repository that is unfixed by contributors or a man-in-the-middle attack has taken place. [4] The latter is not a big issue, since no malicious packages are installed. It may also automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key.
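The three failure classes from steps 3, 5 and 6 can be told apart mechanically in a saved apt log. The following is an added example, not part of the Kicksecure documentation or tooling; the function names and sample logs are constructed here, and the matching assumes the message wording quoted on this page.

```bash
# Added example (not Kicksecure code): sort captured apt output into the
# failure classes this page describes. Matching is on the message strings
# shown on this page; apt wording can differ between versions and locales.

# Reads apt output on stdin and prints the most severe class found:
#   unauthenticated > signature > network > ok
classify_apt_output() {
    local line verdict
    verdict=ok
    while IFS= read -r line; do
        case "$line" in
            *"cannot be authenticated"*|*"without verification"*)
                verdict=unauthenticated; break ;;   # nothing outranks this
            *"GPG error"*|*"signature verification"*|*KEYEXPIRED*|*"has expired"*)
                verdict=signature ;;
            *"Could not resolve"*|*"Unable to connect"*|*"Failed to fetch"*)
                if [ "$verdict" = ok ]; then verdict=network; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Maps a class to the action the page gives for it.
advise() {
    case "$1" in
        unauthenticated) echo "Answer N. Run apt update again; change the Tor circuit." ;;
        signature)       echo "No updates come from this repository. Report unless already known." ;;
        network)         echo "Change the Tor circuit and retry; systemcheck can help diagnose." ;;
        ok)              echo "No known warning pattern found." ;;
        *)               echo "Unknown class: $1"; return 1 ;;
    esac
}

# Constructed sample logs, assembled from the messages quoted on this page.
SAMPLE_NETWORK="Err https://security.debian.org bookworm/updates Release.gpg Could not resolve 'security.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead."
SAMPLE_SIGNATURE="W: Failed to fetch https://ftp.us.debian.org/debian/dists/bookworm/Release.gpg Could not resolve 'ftp.us.debian.org'
W: GPG error: https://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681"
SAMPLE_UNAUTH="WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?"
SAMPLE_CLEAN="Hit:1 tor+https://deb.debian.org/debian bookworm InRelease
Reading package lists... Done"

for s in "$SAMPLE_NETWORK" "$SAMPLE_SIGNATURE" "$SAMPLE_UNAUTH" "$SAMPLE_CLEAN"; do
    v=$(printf '%s\n' "$s" | classify_apt_output)
    printf '%-16s %s\n' "$v" "$(advise "$v")"
done
```

To use it on a real run, save the terminal output of `sudo apt update` to a file and feed that file to `classify_apt_output` on stdin.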

7. Changed Configuration Files

Be careful if a message like this appears.

    Setting up ifupdown ...
    Configuration file `/etc/network/interfaces'
     ==> Modified (by you or by a script) since installation.
     ==> Package distributor has shipped an updated version.
       What would you like to do about it ? Your options are:
        Y or I : install the package contributor's version
        N or O : keep your currently-installed version
        D : show the differences between the versions
        Z : background this process to examine the situation
     The default action is to keep your current version.
    *** interfaces (Y/I/N/O/D/Z) [default=N] ? N

It is safest to press y, but any customized settings will be lost (these can be re-added afterwards). [5] [6]

Conflicts like these should be rare if modular flexible .d style configuration folders are used.


8. If APT reports packages that can be autoremoved, safely run APT autoremove.

9. Restart Services After Updating

To restart services after updating, either reboot.

    sudo reboot

Or use the (harder) needrestart method to avoid rebooting.

10. Restart After Kernel Updates

When linux-image-... is upgraded, a reboot is required for any security updates to take effect.

Footnotes

  1. https://forums.whonix.org/t/whonix-xfce-for-virtualbox-users-ram-increase-required/8993
  2. In Kicksecure and on the host.
    • Unfortunately, constant updates are required due to ecosystem-wide issues: About Computer (In)Security
    • Kicksecure is based on Debian. Therefore, it inherits many of the same issues of Debian. Debian itself inherits these issues from upstreams, which consists of thousands of individual software projects that are packaged by Debian.
  3. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/docs/SECURITY.md
  4. Or Kicksecure changes can be delayed, inspected, and then backported if the effort is worth it.
  5. Kicksecure uses package config-package-dev which assumes ownership of configuration files coming from “other distributions” (mostly Debian, although third party repositories might be added by users). (Kicksecure on config-package-dev)