Adds dist_upgrade to pkg.upgrade command

Without `dist_upgrade=true`, the pkg.upgrade wasn't forcing all packages to their latest versions. This approach works well on Debian-based VMs, as all the SecureDrop Workstation components currently are, but there's a significant drawback: it silently fails on Fedora-based VMs, stating that the "--dist_upgrade" option is not valid for dnf. You must pass `--show-output` in order to observe the dnf failures; without it, the tasks are reported as "OK". Tried to use the "pkg.uptodate" Salt module rather than "pkg.uptodate", but the Qubes VMs reported that module wasn't available. The "dist_upgrade" option isn't explicitly documented [0], but presumably gets inherited via Salt magic from the aptpkg.upgrade module [1]. Adding `--skip-dom0` since we already upgraded dom0 packages via a previous step (qubes-dom0-update). [0] https://docs.saltstack.com/en/2017.7/ref/states/all/salt.states.pkg.html#salt.states.pkg.uptodate [1] https://docs.saltstack.com/en/2017.7/ref/modules/all/salt.modules.aptpkg.html#salt.modules.aptpkg.upgrade
freedomofpress · Oct 31, 2018 · 4c75e27 · 4c75e27
1 parent 2ee0d93
commit 4c75e27
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
@@ -38,9 +38,9 @@ securedrop-update-feedback "Updating dom0 configuration..."
 sudo qubes-dom0-update -y
 
 securedrop-update-feedback "Updating application..."
-qubesctl --templates \
+qubesctl --skip-dom0 --templates \
     --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
-    pkg.upgrade refresh=true
+    pkg.upgrade refresh=true dist_upgrade=true
 
 securedrop-update-feedback "Updating VM configuration..."
 qubesctl \