qubes-issues
When upgrading to a new Qubes release, it's too easy for users to miss when the new release doesn't support their existing pre-EOL templates
Qubes OS release
4.2
Brief summary
Qubes 4.2 does not support Debian 11 templates, but users who use Debian 11 templates on 4.1 can upgrade to 4.2 without realizing this (real example).
Steps to reproduce
- The user is using Debian 11 templates on 4.1.
- The user upgrades from 4.1 to 4.2.
- The user is now using Debian 11 templates on 4.2.
Expected behavior
Qubes OS warns the user that 4.2 does not support Debian 11 templates and that the Debian 11 templates should be upgraded to Debian 12 (or something along these lines).
Actual behavior
The user can use Debian 11 templates on 4.2 without being aware that this combination is unsupported. EOL announcements don't help here, because Debian 11 hasn't reached EOL yet and is still supported on 4.1. It's just that Debian 11 was never supported on 4.2 to begin with. This has always been reflected on the supported template releases (and now also the 4.2 release notes), but I'm guessing many users don't check these.
Indeed, the updater should mark debian-11 template as "obsolete"
> Indeed, the updater should mark debian-11 template as "obsolete"
Right, but only in 4.2, not 4.1, since Deb 11 is still supported in 4.1. (Just wanted to make this part explicit for others reading this issue.)
On Tue, Apr 16, 2024 at 07:49:40AM -0700, Marek Marczykowski-Górecki wrote:
> Indeed, the updater should mark debian-11 template as "obsolete"
but why? I also need to use a debian-11 template and I would like to update to Qubes 4.2 :/
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Homosexual behavior has been found in over 1,500 species. Homophobia is found in only one.
Too old pipewire (known buggy), too old python3-fido2 for qubes-ctap (and even shipping updated python3-fido2 via our repos is not an option, as its dependencies are missing/too old too), too old rpm for newer rpmdb format (needed for dom0 updates), the list goes on...
I don't know what specifically you need debian-11 template for, but as a workaround I recommend using debian-12 (or anything else really) and debian-11 docker container for the app you need.
Hi Marek,
thanks for those explanations, especially with the too old rpm this very much makes sense now.
& thanks for the suggested workarounds, I'll use some such when the time comes.
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
"... the premise [is] that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect." (Bruce Schneier)
What versions of fedora-based templates (including ones made from fedora-minimal) are expected to work and not work on R4.2 after upgrading from R4.1?
> What versions of fedora-based templates (including ones made from fedora-minimal) are expected to work and not work on R4.2 after upgrading from R4.1?
See: https://www.qubes-os.org/doc/supported-releases/#templates
> Indeed, the updater should mark debian-11 template as "obsolete"

Since we are approaching Qubes OS 4.3 release in a foreseeable future, this feature could be added to `qubes-dist-upgrade`. This could be easily done via `os-distribution` and `os-version` features of templates. Whether the checks should be hard-coded into applicable `qubes-dist-upgrade` branch or a flexible approach for future releases is developed is the lesser detail.
It is necessary to decide if the warning should appear at `--update` stage or at `--template-standalone-upgrade` stage.
Related: #9317
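
The check discussed in this thread, sketched as an added example (not code from `qubes-dist-upgrade` or the Qubes project): it compares each template's `os-distribution` and `os-version` values against a support table for the target release. The function names and the sample inventory are assumptions, and the table holds only the combinations named in this issue, so anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not qubes-dist-upgrade code. On a real system the two values
# would come from `qvm-features <template> os-distribution` / `os-version`.

# Support table holding only what this issue states; all else is "unknown".
support_status() {  # args: target-release distribution major-version
    case "$1:$2:$3" in
        4.1:debian:11|4.2:debian:12) echo supported ;;
        4.2:debian:11)               echo unsupported ;;
        *)                           echo unknown ;;
    esac
}

# check_template TARGET NAME DISTRIBUTION VERSION
# Prints one report line. Returns 0 supported, 1 unsupported, 2 cannot tell.
check_template() {
    if [ -z "$3" ] || [ -z "$4" ]; then
        echo "WARN $2: os-distribution/os-version not set"
        return 2
    fi
    major=${4%%.*}  # assumption: os-version may carry a minor part ("12.5")
    case $(support_status "$1" "$3" "$major") in
        supported)   echo "OK   $2: $3 $major supported on $1"; return 0 ;;
        unsupported) echo "FAIL $2: $3 $major not supported on $1"; return 1 ;;
        *)           echo "WARN $2: $3 $major not in table, check supported-releases"
                     return 2 ;;
    esac
}

# check_all TARGET: reads "name distribution version" lines from stdin and
# returns 1 if any template is known to be unsupported on TARGET.
check_all() {
    blocked=0
    while read -r name distro version; do
        [ -n "$name" ] || continue
        rc=0
        check_template "$1" "$name" "$distro" "$version" || rc=$?
        if [ "$rc" -eq 1 ]; then blocked=$((blocked + 1)); fi
    done
    [ "$blocked" -eq 0 ]
}

# Constructed sample inventory (template names and the fedora row are made up).
check_all 4.2 <<'EOF' || echo "At least one template is unsupported on the target release."
debian-11 debian 11
debian-12 debian 12
work-fedora fedora 38
legacy-tpl
EOF
```

The same Debian 11 template passes when the target is 4.1 and fails when it is 4.2, which is the per-release distinction made earlier in the thread.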