Coordinate release of Whonix for R4.2

[marmarek]

How to file a helpful issue

Qubes OS release (if applicable)

4.2

Brief summary

This is place to coordinate release of Whonix for Qubes R4.2 with @adrelanos

I'll be doing some test template builds, but those aren't meant to be final.

Generally, I don't expect any compatibility issues, but that needs to be tested.

[adrelanos]

Please let me know when signed Qubes R4.2 releases are available. Once available, I could look into Qubes-Whonix testing.

[andrewdavidwong]

@adrelanos: Just letting you know that Qubes OS 4.2.0-rc1 is now available for testing.

[adrelanos]

Quote myself from #7134 (comment)

This is blocking the release of Whonix 17 (based on Debian bookworm).

When is Qubes Debian bookworm expected?

May I suggest we skip the release Qubes-Whonix 17 for Qubes 4.1?

Qubes-Whonix 17 would be released for Qubes 4.2 only.

[marmarek]

May I suggest we skip the release Qubes-Whonix 17 for Qubes 4.1?

Fine with me as long as Qubes-Whonix 16 would be supported until EOL of Qubes 4.1 (6 months after final release of R4.2).

When is Qubes Debian bookworm expected?

Testing template in R4.1 repositories is available for a month already. There will be one in R4.2 testing repos this week, and since bookworm is officially released now, I'll expected the template to be moved to stable not long after (unless some severe issues are detected, ofc).

[adrelanos]

Testing template in R4.1 repositories is available for a month already. There will be one in R4.2 testing repos this week, and since bookworm is officially released now,

This is most helpful!

[adrelanos]

• Debian 12 (bookworm) Template has broken DNS resolution when using http_proxy=http://127.0.0.1:8082/ (Qubes UpdatesProxy) (tinyproxy) #8279 is an issue for Qubes-Whonix 17, because internally used by tb-updater in Template.

[adrelanos]

• Stop using abbreviations for Whonix templates #1778 (comment)

[marmarek]

I tried a local test build of Whonix 17 (bookworm based) and it fails on missing salt-ssh, which is know, rather sad, development. We dropped the dependency in bookworm template (until upstream Debian starts supporting it again), but Whonix needs an adjustment too:

• Drop salt dependency Whonix/qubes-whonix#1

[adrelanos]

Thank you! Above change was merged and the package repository has been updated.

Does the build pass now? To find out, started a remote build just now.

(https://www.whonix.org/wiki/Dev/Qubes#Official_Builds)

[marmarek]

The build failed, I see this in the log:

2023-06-28 14:22:32.816689 +0000 build-fedora42: output: + echo 'deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye-testers main'
2023-06-28 14:22:32.816777 +0000 build-fedora42: output: + echo 'deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye-testers main'

Maybe it didn't updated template-whonix repo to new version. I'm doing test build locally now and will let you know.

[marmarek]

Local build worked now, I'll (re)start public one.

[marmarek]

Not sure if you are watching updates-status repo, but the build succeeded this time.

[adrelanos]

Next steps, please correct me if I am wrong:

1. Wait for Stop using abbreviations for Whonix templates #1778 to be completed (which might be already) (not a blocker for my further progress but a release blocker).
2. I'll do a quick test of Qubes-Whonix 16 in Qubes R4.2 since the template is already available in the community testing repository.
3. I'll test a Qubes-Whonix 16 to Qubes-Whonix 17 release upgrade on Qubes R4.2. (This should be optional, and I don't foresee many issues.)
4. I'll test the new Qubes-Whonix 17 templates and see if any fixes are required.
5. I'll migrate the Qubes-Whonix 17 templates to R4.2 community stable repository.
6. Send a PR to update the Whonix version number for salt in file /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja.
7. Announce the release of Whonix 17.

Anything else that needs coordination?

[marmarek]

Send a PR to update the Whonix version number for salt in file /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja.

At this point (or before it), there needs also to be an update of https://github.com/QubesOS/qubes-meta-packages/blob/main/comps/comps-dom0.xml#L1740 (templates included on the ISO). And possibly minor adjustments to the installer for new naming scheme (this I'd track under #1778 )

[adrelanos]

QubesOS/qubes-mgmt-salt-dom0-virtual-machines#55

[adrelanos]

2. I'll do a quick test of Qubes-Whonix 16 in Qubes R4.2 since the template is already available in the community testing repository.

Done.

3. I'll test a Qubes-Whonix 16 to Qubes-Whonix 17 release upgrade on Qubes R4.2. (This should be optional, and I don't foresee many issues.)

Done.

4. I'll test the new Qubes-Whonix 17 templates and see if any fixes are required.

The already existing template was tested. Was quite good already. A few smaller bugs fixed. New template build command was issues just now.

5. I'll migrate the Qubes-Whonix 17 templates to R4.2 community stable repository.

TODO

6. Send a PR to update the Whonix version number for salt in file /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja.

Done.

[adrelanos]

blocker which probably only @marmarek can help with:

• Qubes official Template build failed without success or error issue being created #8325

update: resolved

[adrelanos]

another (probably) stable release blocker which affects Whonix because unwanted extraneous packages are installed by default:

• debian-12-minimal packages has unwanted extraneous packages installed #8330

update: resolved

[adrelanos]

Qubes-Whonix 17 for Qubes R4.2 is available! (Debian 12 bookworm based) - Major Release - Testers Wanted!

[adrelanos]

Qubes-Whonix 17 for Qubes R4.2 is available! (Debian 12 bookworm based) - Major Release - Testers Wanted!

• qubes-template-whonix-gateway-17 4.2.0-202307131323 (r4.2) updates-status#3863
• qubes-template-whonix-workstation-17 4.2.0-202307131323 (r4.2) updates-status#3864

If all goes good enough during testing (no issues foreseen), the Template can be moved to the qubes-templates-community (stable) repository in 4 days.

[marmarek]

Ok, since templates are moved to stable, I'm merging installer and salt changes.

[adrelanos]

Whonix 17 has been Released! (Debian 12 bookworm based) - Major Release

Ok, since templates are moved to stable, I'm merging installer and salt changes.

Perfect!

[k4r4b3y]

Can I use Whonix 17 on Qubes 4.1?

[adrelanos]

No.

[adrelanos]

From the Whonix side, this is completed.

On the Qubes side, the salt upgrade (#7931 (comment), QubesOS/qubes-mgmt-salt-dom0-virtual-machines#55, QubesOS/qubes-mgmt-salt-dom0-virtual-machines#55) is important, because without the updates salt, installation is difficult for users. (New Whonix version number and #1778)

Waiting for QubesOS/updates-status#3915 to hit Qubes dom0 stable repository.