securedrop-workstation Ensure Support and Transition to Qubes 4.3

Description

Ensure support and timely transition to Qubes 4.3.

Stage 1: #1458

Stage 2: Minimal support - ensure SDW can be clean installed and upgraded to Qubes 4.3

Stage 3: Implement features identified in stage 1

Stage 4: Inplace migration

[ ] Create strategy for migrating existing users:
- [ ] UX / docs flow for admins
- [ ] Should we have a phased approach like for the server's Focal -> Noble transition?
[ ] Re-confirm that (4.2 -> 4.3) using qubes-dist-upgrade is working
[ ] Integrate Qubes GUI components for inplace upgrade
[ ] Update docs
[ ] Comms about update process

How will this impact SecureDrop/SecureDrop Workstation users?

There will be an in-place upgrade. It may require some admin follow-up.

How would this affect the SecureDrop Workstation threat model?

It shouldn't unless some fundamental Qubes behavior changes in a way that breaks some of our assumptions.

Feb 12 '25 13:02 deeplow

I ran the installation in OpenQA and it had challenges finding python3.11 and python3-qt. And this is odd, since supposedly this is available in Fedora 41 (the likely dom0 candidate).

Feb 12 '25 13:02 deeplow

IIRC sudo dnf install in dom0 does not resolve dependencies (per https://github.com/freedomofpress/securedrop-workstation/issues/1063).

Presumably those were always pre-installed in dom0 so it happened to work, if you sudo qubes-dom0-update -y python3-qt5 what happens?

Also note that the default Python version on Fedora 41 is actually 3.13; we should just install python3. Fedora provides all the different versions of Python to make testing easier, but per https://developer.fedoraproject.org/tech/languages/python/multiple-pythons.html:

Warning: For production purposes you should use the python3 package only. Other CPython versions might be unstable or even dangerous (either because they are extremely old or quite the contrary alpha/beta quality) and are intended solely for development.

Feb 12 '25 14:02 legoktm

Presumably those were always pre-installed in dom0 so it happened to work, if you sudo qubes-dom0-update -y python3-qt5 what happens?

That's what I was testing, but something went wrong, apparently. Doing it now.

Also note that the default Python version on Fedora 41 is actually 3.13; we should just install python3.

💯

Feb 12 '25 15:02 deeplow

The current plan is to add this to our current CI to help us steer towards Qubes 4.3.

Mar 12 '25 15:03 deeplow

[x] read the release changelog (as of RC2) and open issues for SDW-relevant features

[x] repeat for RC3 for any new changes

from my understanding the big change here was including Whonix 18 templates

[ ] repeat for RCX for any new changes

[x] Look for 4.3 features/bugfixes that didn't make it to the "release notes" (use this link)

I have now documented how I went about checking for SDW-relevant feature changes / bugfixes.

Oct 28 '25 11:10 deeplow