
Operating System Software and Updates

From Whonix


End-of-life Software

It is inadvisable to run software that has reached end-of-life status. Once software is end-of-life its developers no longer fix defects, bugs or vulnerabilities, which leads to serious security risks.

For example, VLC Media Player in Debian jessie reached end-of-life status in May 2018. Whonix ™ users who did not switch to a different media player were at risk, because VLC in Debian jessie had unpatched security vulnerabilities. This VLC vulnerability does not apply to the current stable Whonix ™ 16 release, which is based on Debian bullseye.

Installing Additional Software

See Install Additional Software Safely.

Updates

Introduction

Warning: All packages must stay up-to-date for security and anonymity purposes.

Frozen Packages

As Whonix ™ is based on the stable Debian distribution, software is normally "frozen" to the stable Debian version at the point of each major Debian release. The Debian packages page notes: [1]

This is the latest official release of the Debian distribution. This is stable and well tested software, which changes only if major security or usability fixes are incorporated.

As a distribution, Debian's compilation of software is mostly acquired from "upstream" third parties (the original software vendors). Debian has embraced the principle of software stability, which means each major release "freezes" software versions. As a result, the stable distribution's software is not regularly updated except for security fixes. This is called "security support" and leads to only minimal changes across the entire distribution. The intent is to improve stability by reducing the overall number of system changes.

The frozen packages policy means the versions of software installed from Debian package sources will not usually change when a newer release is made available by upstream. [2]

Standard Update vs Release Upgrade

There are two different types of updates.

  1. Standard Update
  2. Release Upgrade

The procedure on this wiki page is for standard ("everyday") updating of Non-Qubes-Whonix and does not perform a Release Upgrade.

It is recommended to first complete a standard update before applying a release upgrade.

Update vs Image Re-Installation

The standard ("everyday") update procedure for Non-Qubes-Whonix is more convenient than a complete re-installation of Whonix ™ images because all VM settings and user data are persistent. Backups are possible using VM clones and/or snapshots.

In contrast, a complete re-installation of Whonix ™ images requires Whonix ™ to be completely removed and then re-installed, similar to newcomers installing the platform for the first time. This is "cleaner" and is elaborated on the Factory Reset page. Obviously all VM settings and data are lost during this procedure. If this is necessary, follow the steps on the Factory Reset page.

Developers periodically announce a newer Whonix ™ Point Release or major release. To stay informed about releases, see: Follow Whonix ™ Developments. It is recommended to subscribe to relevant news channels for this purpose.

Standard updates are generally easier, but image re-installation can completely avoid technical issues that might emerge during upgrades.

Standard Update Steps

1. Save Progress and Backup

On rare occasions [3] the machine might freeze during the upgrade process. In that case any work in progress, for example documents or other drafts, might be lost. Save progress before installing operating system updates. If required, back up all user data; ideally keep a copy of the VM(s) so it is possible to try again if necessary.

2. Flatpak Update

This step is only required if software was previously installed manually using flatpak; otherwise it can be skipped.

3. Update the APT Package Lists

System package lists should be updated at least once per day [4] so that they carry the latest version information for new and updated packages. To update the Whonix-Gateway ™ and Whonix-Workstation ™ package lists, run.

sudo apt update

The output should be similar to this.

Hit:1 tor+https://deb.debian.org/debian bullseye InRelease                     
Hit:2 tor+https://deb.whonix.org bullseye bullseye                            
Hit:3 tor+https://deb.debian.org/debian bullseye-updates InRelease             
Hit:4 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
Hit:5 tor+https://deb.debian.org/debian-security bullseye-security InRelease
Hit:6 tor+https://deb.debian.org/debian bullseye-backports InRelease
Reading package lists... Done

If an error message like this appears.

W: Failed to fetch http://ftp.us.debian.org/debian/dist/bullseye/contrib/binary-amd64/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/bullseye/non-free/binary-amd64/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org bullseye Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org bullseye Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org bullseye/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/bullseye/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/bullseye/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/bullseye/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if the network connection is functional by changing the Tor circuit and trying again. Running systemcheck might also help to diagnose the problem.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

In that case, it helps to run.

nslookup security.debian.org

And then try again.

4. APT Upgrade

To install the newest versions of the current packages installed on the system, run.

sudo apt full-upgrade

Please note that if the Whonix ™ APT Repository was disabled (see Disable Whonix ™ APT Repository), then manual checks are required for new Whonix ™ releases and manual installation from source code.

5. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt update again should fix the problem. If not, something is broken or it might be a man-in-the-middle attack, which is not that unlikely because updates are retrieved via Tor exit relays and some exit relays are malicious. Changing the Tor circuit is recommended if this message appears.

6. Signature Verification Warnings

No signature verification warnings should appear. If one does occur, it will look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is warranted even though APT will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons for this occurrence. Either there is a problem with the repository that contributors have not yet fixed, or a man-in-the-middle attack has taken place. [5] The latter is contained, since APT refuses to install packages from a repository it cannot verify; what an attacker in that position can still do is withhold updates for as long as the interference lasts (a freeze attack in the sense of footnote 5), so a warning that persists across several circuits deserves a report. It may also resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. For instance, the Tor Project's apt repository key had expired and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue was quickly reported. There was no immediate danger and the message could be safely ignored. As a reminder, never install unsigned packages as explained above.

For a more recent example, see the Whonix apt repository keyexpired error.

Please report any other signature verification errors if/when they appear, even though this is fairly rare.

7. Changed Configuration Files

Be careful if a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

It is safest to press y, but any customized settings will be lost (these can be re-added afterwards). [6] [7]

Conflicts like these should be rare if modular, flexible .d-style configuration folders are used.


8. Restart Services After Updating

To restart services after updating, either reboot.

sudo reboot

Or use the (harder) needrestart method to avoid rebooting.

Perform this step once. Install needrestart.

sudo apt update
sudo apt install needrestart

Run needrestart.

sudo needrestart

The program will provide advice. Run it again after applying the advice.

sudo needrestart

If nothing else needs to be restarted, it should show.

No services need to be restarted.

This feature might become more usable and automated in the future. (T324)

9. Restart After Kernel Updates

When linux-image-... is upgraded, a reboot is required for any security updates to be in effect.

APT Hash Sum Mismatch

A hash sum mismatch can look like this.

W: Failed to fetch https://deb.debian.org/debian/dists/stable/main/i18n/Translation-enIndex  Hash Sum mismatch

This might occur due to Tor and/or network unreliability issues. If this warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below.

  1. Change the Tor circuit and/or try again later.
  2. If the warning message still persists, deleting the package lists should solve it. [8]

To delete the package lists, run:

sudo rm -rf /var/lib/apt/lists/*

To check everything is functional, update the package lists and then upgrade the distribution. It is likely that previous update/upgrade attempts failed due to the mismatch.

sudo apt update && sudo apt full-upgrade

Windows 10 / VirtualBox users only: refer to the Hash Sum mismatch? forum thread.
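The standard update steps above (flatpak, package lists, the unsigned-package and signature checks, the upgrade, then service restart or reboot) together with this section's hash sum mismatch recovery, as one added shell script. This is example code written for this page, not part of Whonix ™ or Debian. It assumes a Debian-based Whonix VM with sudo, uses apt-get rather than apt because only apt-get has a stable command-line interface for scripts, and treats flatpak and needrestart as optional. The file name whonix-update.sh, the function names and the RUN_UPDATE variable are assumptions. The classifier inspects apt's text rather than its exit status because apt-get update exits 0 on several of the warnings shown on this page.

```shell
#!/bin/sh
# whonix-update.sh (hypothetical name): added example for this page, not
# Whonix's own tooling. Drives the "Standard Update Steps" and the
# "APT Hash Sum Mismatch" recovery. Assumes a Debian-based VM with sudo.

# classify_apt_log: read apt/apt-get output on stdin and print one label:
#   unauthenticated | signature | hashsum | fetch | ok
# Returns 0 only for "ok". Order matters: when several messages appear
# together, the most serious condition wins.
classify_apt_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'cannot be authenticated'; then
        echo unauthenticated; return 1
    elif printf '%s\n' "$log" | grep -qE 'KEYEXPIRED|signature verification|NO_PUBKEY|BADSIG'; then
        # KEYEXPIRED is the case on this page; NO_PUBKEY/BADSIG are the other gpg failure tokens apt prints
        echo signature; return 1
    elif printf '%s\n' "$log" | grep -q 'Hash Sum mismatch'; then
        echo hashsum; return 1
    elif printf '%s\n' "$log" | grep -qE 'Failed to fetch|Could not resolve|Unable to connect|Host unreachable'; then
        echo fetch; return 1
    fi
    echo ok
}

# kernel_reboot_needed RUNNING NEWEST: true when NEWEST (highest installed
# kernel version) sorts after RUNNING (from uname -r). Covers step 9.
kernel_reboot_needed() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$2" ]
}

# list_modified_conffiles: print dpkg conffiles whose on-disk md5sum differs
# from the one dpkg recorded, i.e. the files that can trigger the
# "Modified (by you or by a script) since installation" prompt of step 7.
list_modified_conffiles() {
    dpkg-query --show --showformat='${Conffiles}\n' |
        awk 'NF == 2 { print $1, $2 }' |
        while read -r path md5; do
            [ -f "$path" ] || continue
            [ "$(md5sum < "$path" | cut -d ' ' -f 1)" = "$md5" ] || echo "$path"
        done
}

run_update() {
    # Step 2: only meaningful if flatpak software was installed by the user.
    if command -v flatpak >/dev/null 2>&1; then flatpak update; fi

    # Step 3 with the page's error handling: retry on fetch errors (after a
    # circuit change), clear the lists on a repeated hash sum mismatch, and
    # never proceed to the upgrade after any authentication problem.
    attempt=1
    while :; do
        log=$(sudo apt-get update 2>&1)
        printf '%s\n' "$log"
        status=$(printf '%s\n' "$log" | classify_apt_log) && break
        echo "apt-get update: $status (attempt $attempt)" >&2
        case $status in
            unauthenticated|signature)
                echo "Not upgrading. Change the Tor circuit, retry, and report it if it persists." >&2
                return 1 ;;
            hashsum)
                if [ "$attempt" -ge 2 ]; then
                    echo "Persistent hash sum mismatch: deleting the package lists." >&2
                    sudo rm -rf /var/lib/apt/lists/*
                fi ;;
            fetch)
                echo "Fetch failure: change the Tor circuit (or run systemcheck) before the retry." >&2 ;;
        esac
        [ "$attempt" -ge 3 ] && return 1
        attempt=$((attempt + 1))
        sleep 15
    done

    # Step 7 preview: know which local edits will be questioned before they are.
    echo "Locally modified conffiles (expect prompts for these):"
    list_modified_conffiles

    # Steps 4 and 5: AllowUnauthenticated=false is apt's default, stated
    # explicitly so the unsigned-package refusal can never be skipped.
    sudo apt-get full-upgrade -o APT::Get::AllowUnauthenticated=false || return 1

    # Steps 8 and 9: reboot for a new kernel, otherwise restart services.
    newest=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's,.*/vmlinuz-,,' | sort -V | tail -n 1)
    if [ -n "$newest" ] && kernel_reboot_needed "$(uname -r)" "$newest"; then
        echo "Kernel $newest installed but $(uname -r) is running: reboot required."
    elif command -v needrestart >/dev/null 2>&1; then
        sudo needrestart
    else
        echo "Reboot, or install needrestart to restart only the affected services."
    fi
}

# Run only when invoked with RUN_UPDATE=1 so the functions can be sourced alone.
if [ "${RUN_UPDATE:-0}" = 1 ]; then run_update; fi
```

Run it as `RUN_UPDATE=1 sh whonix-update.sh` in Whonix-Gateway ™ and then in Whonix-Workstation ™. The full-upgrade step stays interactive on purpose: the configuration-file prompt of step 7 and the unsigned-package prompt of step 5 must be answered by a person, and the script only makes sure the second one is never reached after a signature or authentication problem in the package lists.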

Non-functional Onion Services

Sometimes the Debian, Whonix ™ or Qubes onion servers are non-functional. This means updates cannot be completed automatically and an error message similar to below will appear.

user@host:~$ sudo apt update
Hit:1 http://security.debian.org bullseye/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye InRelease
Ign:3 http://ftp.us.debian.org/debian bullseye InRelease
Hit:4 http://deb.whonix.org bullseye InRelease
Hit:5 http://ftp.us.debian.org/debian bullseye Release
Err:7 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye/updates InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists… Done
W: Failed to fetch tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/dists/bullseye/updates/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Until the onion service is re-established, complete the following steps in Whonix-Gateway ™ (whonix-gw-16) and Whonix-Workstation ™ (whonix-ws-16) to circumvent the issue. [9] [10]

1. Open Debian sources.list in an editor.

Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

This example uses sudoedit for better security; other editors can achieve the same goal.

sudoedit /etc/apt/sources.list.d/debian.list

2. Comment (#) the .onion address lines and uncomment the clearnet address lines.

The code blocks should look like this; only these entries require editing. [11]

deb tor+https://deb.debian.org/debian bullseye main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt update

4. Optional: Revert and update the package lists.

Consider reverting these changes later on because onion repositories have various security advantages. Afterwards, apply Updates to refresh the package lists.
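Steps 2 and 4 above as an added example, not part of Whonix ™: a shell filter that comments out the .onion entries and uncomments the clearnet ones, or does the reverse, without touching the fasttrack line, which has no onion counterpart [11]. It reads a sources list on stdin and writes the result to stdout; the function name toggle_sources is an assumption, and the sample lines in the usage are the ones from this page.

```shell
#!/bin/sh
# Added example for this page, not Whonix's own tooling. toggle_sources is a
# hypothetical name. Reads an APT sources list on stdin, writes it to stdout.
#   toggle_sources clearnet   comment the .onion lines, uncomment the
#                             deb.debian.org and fasttrack.debian.net lines
#   toggle_sources onion      the reverse; fasttrack stays on the clearnet
#                             because Debian has no onion service for it
toggle_sources() {
    case ${1:-} in
        clearnet)
            sed -E \
                -e 's,^deb (.*\.onion),#deb \1,' \
                -e 's,^#+ *deb (tor\+)?https://(deb\.debian\.org|fasttrack\.debian\.net),deb \1https://\2,'
            ;;
        onion)
            sed -E \
                -e 's,^#+ *deb (.*\.onion),deb \1,' \
                -e 's,^deb (tor\+)?https://deb\.debian\.org,#deb \1https://deb.debian.org,'
            ;;
        *)
            echo "usage: toggle_sources clearnet|onion < sources.list" >&2
            return 2
            ;;
    esac
}
```

Work on a copy rather than editing in place: `toggle_sources clearnet < /etc/apt/sources.list.d/debian.list > /tmp/debian.list`, inspect `diff -u /etc/apt/sources.list.d/debian.list /tmp/debian.list`, then install it with `sudo cp /tmp/debian.list /etc/apt/sources.list.d/debian.list` and run `sudo apt update` as in step 3. When the onion service is back, run the `onion` mode on the file the same way to revert, as step 4 recommends. For derivative.list (footnote 9) the same two-expression pattern applies with that file's hostnames substituted.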

Updating with Extra Care

See How-to: Install or Update with Utmost Caution.

GUI Applications with Root Rights

Moved to Safely Use Root Commands: Graphical Applications with Root Rights.

Footnotes

  1. https://www.debian.org/distrib/packages
  2. https://forums.whonix.org/t/keepassxc-2-5-4/9669
  3. https://forums.whonix.org/t/whonix-xfce-for-virtualbox-users-ram-increase-required/8993
  4. In Whonix ™ and on the host.
  5. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/docs/SECURITY.md - http://www.webcitation.org/6F7Io2ncN
  6. Or Whonix ™ changes can be delayed, inspected, and then backported if the effort is worth it.
  7. Whonix ™ uses the package config-package-dev, which assumes ownership of configuration files coming from "other distributions" (mostly Debian, although third party repositories might be added by users). (Whonix ™ on config-package-dev)
  8. http://askubuntu.com/questions/41605/trouble-downloading-updates-due-to-hash-sum-mismatch-error
  9. If similar issues occur with Whonix ™ or Qubes onion services then follow the same procedure and modify the derivative.list and qubes-r4.list files, respectively.
  10. https://forums.whonix.org/t/errors-updating-september-2018/6028
  11. There is no Debian onion for fasttrack yet.

