test if Qubes-Whonix TemplateVMs can upgrade in timesync-fail-closed mode (should not be possible)
Closed, Resolved (Public)


timesync-fail-closed means sdwdate did not succeed yet. Networking for all but Tor and sdwdate should still be locked.



Event Timeline

Patrick triaged this task as Normal priority. Sep 20 2018, 9:52 AM
Patrick created this task.

Not sure how to test this. I read through T533 and found this command but it does not restrict Apt traffic.

sudo rm /var/run/sdwdate/* && sudo service sdwdate restart && sudo service tor restart && whonixcheck_tor_bootstrap_wait_max=10 whonixcheck --gui --cli

Also edited:


Changed firewall_mode=full -> firewall_mode=timesync-fail-closed but Apt traffic still possible.

Obviously I'm not going in the right direction with this. Or doing something wrong?

Got it. Set firewall_mode=timesync-fail-closed in sys-whonix and reload whonix_firewall. When that is done both whonix-ws-14 and whonix-gw-14 upgrades fail.

Ign:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Ign:2 http://vwakviie2ienjx6t.onion/debian stretch-backports InRelease                    
Err:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release                           
  500  Unable to connect
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Yes. To simulate being in timesync-fail-closed mode:

In sys-whonix:

sudo firewall_mode=timesync-fail-closed whonix_firewall

Looks like ticket is closeable?

Yes (closeable), updates were not possible in timesync-fail-closed mode. Nothing more to do with this ticket.
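
Added example, not part of the ticket thread or of Whonix's own code: a small checker that turns the manual test above into a pass/fail verdict by classifying captured `apt-get update` output. The function name, verdict strings and the "leaked" sample are assumptions of this example; it assumes English apt output.

```shell
#!/bin/sh
# Added example (not from the ticket): classify `apt-get update` output
# captured in a TemplateVM while sys-whonix runs in timesync-fail-closed mode.
# Assumptions: English apt output (LC_ALL=C); function name and verdicts are
# this example's own; any Hit:/Get: line is taken as "a repository answered".

# Reads apt output on stdin, prints a verdict, and returns:
#   0  blocked       at least one Err:/E: line and no repository reached
#   1  leaked        a Hit:/Get: line shows apt traffic got through
#   2  inconclusive  neither kind of line was seen (e.g. only Ign: lines)
classify_apt_update() {
    reached=0
    failed=0
    while IFS= read -r line; do
        case "$line" in
            Hit:*|Get:*) reached=$((reached + 1)) ;;
            Err:*|E:*)   failed=$((failed + 1)) ;;
        esac
    done
    if [ "$reached" -gt 0 ]; then
        echo "leaked"; return 1
    elif [ "$failed" -gt 0 ]; then
        echo "blocked"; return 0
    fi
    echo "inconclusive"; return 2
}

# Sample 1: failing output as quoted in this ticket (the expected result).
SAMPLE_BLOCKED="Ign:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Err:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
  500  Unable to connect
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file."

# Sample 2: constructed for this example, one repository answered.
SAMPLE_LEAKED="Hit:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Err:2 http://vwakviie2ienjx6t.onion/debian stretch-backports InRelease"

# Stand-alone demo: prints "blocked" then "leaked".
for sample in "$SAMPLE_BLOCKED" "$SAMPLE_LEAKED"; do
    printf '%s\n' "$sample" | classify_apt_update || :
done
```

For a live check, run as root in the TemplateVM after setting the firewall mode in sys-whonix: `LC_ALL=C apt-get update 2>&1 | classify_apt_update`.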