Faliling to update 3quel OS & downloading software
- Anmelden oder Registrieren um Kommentare zu schreiben
Hello everyone
Since I first installed ny Trisquel at the beginning of this year, I have been neglecting to update it except a few times immediately after the install. However, another problem, which I believe is also related to that, started to creep up lately, namely downloading software using the usual sudo apt install ... command. At this point I need to mention, that this used to work just fine. It is only recently, that I consistently get the behaviour like the following, for example in this instance, attempting to download the Python3's IDE (idle3):
$> sudo apt install idle3 Err:1 https://archive.trisquel.info/trisquel etiona/main \\s\ amd64 libtcl8.6 amd64 8.6.8+dfsg-3 Certificate verification failed: The certificate is NOT \\s\ trusted. The certificate chain uses expired \\s\ certificate. Could not handshake: Error in the \\s\ certificate verification. [IP: 209.51.188.51 443] Err:2 ... Err:3 ... o o o
Does anybody know what went wrong here?
Happy holidays and a very happy New Year.
This is what Trisquel 9.0.1 is for:
https://trisquel.info/en/release-announcement-trisquel-901-etiona-security-update
In the meantime a workaround with Trisquel 9 is to edit /etc/apt/sources.list and change all of the HTTPS to HTTP, then do the upgrade, and then change them back.
jxself, thankyou very much for prompt reply. I am a bit skeptical about changing https to http, and running the Software Update after that. Can you please tell me if doing so opens a window of possible cyber attack?
Another question I have is how do I upgrade the Trisquel OS to 9.0.1. I tried the following, but it did not work.
$> sudo apt update $> reboot $> sudo apt upgrade $> sudo apt full-upgrade $> reboot
Running the command {{ lsb_release -a }} after all this still shows {{ Trisquel GNU/LInux 9.0 Etiona }}.
"Can you please tell me if doing so opens a window of possible cyber attack?"
The apt repositories are GPG signed so even if a download was tampered with this will be detected. Cryptographically signed repositories is where the real security lays at, not on the use of HTTPS. apt-key finger will show you which keys your computer is set to trust.
Hi, jxself & Gnu-Bro
With regards to the HTTPS issue, it needs to be said, that doing anything over plain HTTP exposes what you are doing to sniffers at ISPs and other Internet nodes. That is the reason everybody switched to HTTPS. Moreover, one of the thumb privacy and security rules today is, if a site does not use HTTPS blacklist them and do not work with them! I hate to see this rule being sabotaged by Trisquel! The fact, the GPG signature does not depend on the type of HTTP used is irrelevant, and as pointed out above does unnecessarily expose info to potential culprits about the activities and about users as well as Trisquel on otherwise hidden / tunneled pathways between us, that is info which, I believe, is happily collected by big-brother, cyber criminals and other FSF enemies!
The connection isn't really "hidden." If someone were monitoring your connection, even using HTTPS, they can still determine where your connection is going so it would still be clear that you're accessing the Triquel repositories since the destination would be known unless you're adding in another layer like TOR. Perhaps not what specific packages are being transferred, but that it's still being the Trisquel repositories being accessed could still be determined.
It may be worth nothing that the issue you're raising here is a different issue from the question of "I am a bit skeptical about changing https to http, and running the Software Update after that. Can you please tell me if doing so opens a window of possible cyber attack?" Does it open you up to potentially downloading untrusted packages that have been maliciously modified? No, because even without HTTPS the packages are signed. That people may be able to monitor the connection and know which packages are being downloaded is a different issue that doesn't affect the integrity of the actual packages to attack your system with a malicious modified version. *That* specific thing will be detected. It would be updating 1 package (ca-certificates) over HTTP (sudo apt update and sudo apt install ca-certificates) and from that you could then switch them back to HTTPS. But if it is sufficiently concerning, then by all means please do a complete reinstall of Trisquel using the 9.0.1 install ISO instead since that ISO will already come with the updated ca-certificates package on it. Either way, you're out of the situation.
What's going on is not really a Trisquel-specific issue though. The underlying issue, if you have not been keeping up on the news, is a root certificate expiration from Let's Encrypt (well, technically the DST Root CA X3 certificate that Let's Encrypt uses) which expired several months ago on September 30, 2021: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
These are *major* events and affect lots of people but they are well-known in advance. Sadly, not everyone handles them well. For an example: "Dozens of websites and services reported issues late last month thanks to the expiration of a root certificate provided by Let's Encrypt, one of the largest providers of HTTPS certificates."
https://www.zdnet.com/article/lets-encrypt-explains-those-outages-last-month/
I'm sure you can find lots more news on the internet about it because the Let's Encrypt/DST Root CA X3 certificate expiration was a big deal.
As it relates to Trisquel, for those that regularly update their packages using an already installed copy of Trisquel would have pulled in the updated packages as part of that process since the updates have been available in Trisquel for a time already. But what about new installs, that would have had the old packages on the ISO still? They'd have problems updating because the ISO itself still has the old packages. So a new ISO was needed for new installs. So everyone should use the 9.0.1 install ISOs for new Trisquel deployments, not the older 9.0 ones.
jxself, I believe, as you pointed out, the complete solution to all these update and software download problems should end in upgrading 3squel OS from 9.0 to 9.0.1. However, there are no hints on how to accomplish that, namely, the upgrading, (not the updating). Trying to use the upgrade commands found for either Ubuntu systems or the Debian both fail. Hence, short of re-installing Trisquel 9.0.1 there appears to be no easy way out of the 3squel "update and additional software download" problems discussed in this thread:( Or am I missing something, perhaps pressing a "magic key combination" during booting or at some other point.
I'm not really sure what "3quel OS" is. Is it some other GNU/Linux distro? I'm talking of Trisquel which is pronounced as https://trisquel.info/en/how-trisquel-pronounced using "Tri" as in "trim", not like "try", not a reference to the number 3.) But the "way out" (if you don't want to reinstall) is literally just this: https://trisquel.info/en/forum/faliling-update-3quel-os-downloading-software#comment-163774
If you do that (again: edit /etc/apt/sources.list and change all of the HTTPS to HTTP, then do the upgrade via the normal sudo apt update followed by sudo apt upgrade, and then change them back) you'll be fine and get all of the updates and upgrades and up-things. :)
Perhaps part of the confusion comes from thinking it's a new version. It's not. It's still Etiona. Just with updated packages on the ISO (the package ca-certificates.) And that's all you need too: An updated package to get the updated certificates (look at the error message referring to "The certificate chain uses expired certificate" and see my other comment about not this not being a Trisquel-specific issue and about the whole root certificate expiration problem.) But the new ISOs need a different version number to differentiate them from the old ones. If there were 2 sets of ISOs out there, each called 9.0, imagine the confusion that would ensue.
jxself, I am sorry for the confusion my abbreviation of Trisquel introduced to our discussion. Indeed I do mean Trisquel OS, though linguistically the meaning for Celtic symbol is derived from the Greek word "Triskeles" meaning "three legs", or by ancient European Slavs ancient Greek, Etruscan as well as Celtic contemporaries, a.k.a. Veneti, tree-head (Mount Triglav in the Alps, Venetic and Celtic god with three heads, found also in Scandinavia, Berlin, ...), and has nothing to do with the Spanish interpretation, though I can't argue what was on the Trisquel OS inventor's mind when they picked up the name for this OS, might have as well been the Spanish meaning, and choosing the Celtic symbol could have just as well been a coincidence that through a word-game became associated with the Spanish Triskelion or Triskele:)
However, as far as the Trisquel upgrade procedure goes, I did exactly as you said. I thought my original post in this thread would be sufficiently clear, though I dropped out quite a few steps like renaming HTTPS to HTTP in the /etc/apt/sources.list before I ran the {{ sudo apt update }} and subsequently the {{ sudo apt upgrade }} and reboot, and after that {{ lsb_release -a }} still listed OS release as 9.0 rather than 9.0.1. After that I also tried to follow the upgrade procedures used on Ubuntu platforms since Ubuntu 16.04 to Ubuntu 20.04, as well as the upgrade procedure used on the Debian, i.e. using {{ sudo apt full-upgrade }}. And again verifying the current OS release with {{ lsb_release -a }} prints Description:Trisquel GNU/Linux 9.0, Etiona, Release: 9.0, Codename: etiona.
Moreover, after restoring the /etc/apt/sources.list to again contain HTTPS entries rather than temporarily HTTP for the update & upgrade procedure which according to you both have been successful, though {{ lsb_release -a }} clearly denies your claim, running the {{ sudo apt install idle3 }} again blows up, albeit this time with different errors, namely
$> sudo apt install idle3 Reading package lists... Done Building dependency tree Reading state information... Done E: Enable to locate package idle3
rather than as before the upgrade:
$> sudo apt install idle3 Err:1 https://archive.trisquel.info/trisquel etiona/main \\s\ amd64 libtcl8.6 amd64 8.6.8+dfsg-3 Certificate verification failed: The certificate is NOT \\s\ trusted. The certificate chain uses expired \\s\ certificate. Could not handshake: Error in the \\s\ certificate verification. [IP: 209.51.188.51 443] Err:2 ... Err:3 ... o o o
Now, this does indicate a different problem than identification of e-signature and or GPG authorization problem, namely, that either package is not available or that an adequate repository is missing. So, I decided to download the sys5 banner, that should be part of the all traditional free Linux distributions, on Trisquel known as {{ sysvbanner }}, but that too throws {{ E: Enable to locate package sysvbanner }} error.
So, beside opening the door to big-brother to steal the encryption keys in the plain HTTP exchanges of keys during software installation procedures, giving them a chance to implant Tojans, let me stand by what also {{ Gnu-Bro }} said above! What is really going on here?
> What is really going on here?
> "The certificate chain uses expired certificate."
It appears that you still do not have the updated ca-certificates package. When working over HTTPS, please expect that message about the certificate chain having an expired certificate to continue until you do.
What does "apt list -a ca-certificates" print out?
What is the contents of your /etc/apt/sources.list?
Problem questionably and insecurely solved
I managed to solve the update/upgrade and download problem in here discussed questionable and most alarming insecure manner, though respectable member, jxself, disagrees with my security objections. But another disturbing fact is that the {{ E: Enable to locate package }} error did not elicit a correct response. Obviously, this error is the result of inaccessible repos, however, the fault is on user's side and not Trisquel's! But I do not quite understand why, in the past before the alleged certificate expiration problem, this error never popped up. Namely, when I checked the certificate keys and their associated creation dates, there is no indication that the famous non-workiong upgrade updated anything at all, at least it looks not the certificate keys! Now may be I am wrong because the keys are either hard-coded or hidden in some other way away from user access.
But again this should not concern users experiencing these rather suspicious problems with expired Trisquel's certificates, and inability to securely update and upgrade Trisquel, as well as download additional software packages, as suggested in this thread. Anybody who needs to use Trisquel in a secure maner, better does not play with fire. Changing HTTPS to insecure HTTP, because tools exist, that can assemble unencrypted communications packets in a way, that transmitted data and files can be stolen, and replaced during the time of transfer, eventually allowing a culprit to implant Trojans into user's system. True, likely-hood of this happening is slim, nevertheless, it's a real threat and danger!
I did take the risk, because my Trisquel is an experimental test box.
So anybody, who does not use Trisquel 9.0 to manipulate security sensitive information or has it sitting on a network, where such information exists, go ahead and folow the steps described in this thread, indeed with the final addition of the steps that were for some reason missed and omitted in the above replies. Namely, in order for the updates and additional software downloads to work, you need to check that the settings in {{ Software & Updates }} include at the minimum the folowing check-boxes checked (1) {{ Officialy Supported (main) }} on the {{ Trisquel Software }} tab, and (2) in the same {{ Software & Updates }} app on tab dubbed {{ Updates }} check-boxes next to {{ Important security updates (etiona-security) }}, and {{ Recomended updates (etiona-updates) }}.
To open {{ Software & Updates }} app, do the following:
Trisquel::System->Administration->{Software & Updates}
I hope this discussion was helpful to those experiencing problems addressed here.
Cheers!
> expired Trisquel's certificates
To be sure, it's not a Trisquel certificate that expired but the IdenTrust DST Root CA X3 which is used by lots of people, and also used by Let's Encrypt. https://www.identrust.com/support/announcements
So more like the provider of a provider's certificate, several level up the certificate chain from Trisquel itself.
> "Changing HTTPS to insecure HTTP, because tools exist, that can assemble unencrypted communications packets in a
> way, that transmitted data and files can be stolen, and replaced during the time of transfer, eventually
> allowing a culprit to implant Trojans into user's system. True, likely-hood of this happening is slim,
> nevertheless, it's a real threat and danger!"
Indeed it is a potential - This is why the Trisquel software packages are signed with strong crypto. That addresses the entire problem, which I fear you do not understand. The cryprographic signing completely blocks that particular avenue of attack entirely. Being able to modify the .deb files when going over HTTP is one thing. Being able to do that *while also not invalidating the crypto signature* is another thing entirely. Good crypto that can only work over a differently-encrypted connection isn't good at all. Good crypto can work over all kinds, even open and unexposed without being invalidated. Until we have sufficiently large quantum computers that can use Shor's algorithm to factor RSA (the algorithm that the package signing depends on) that avenue of attack where someone sends you a modified .deb with over plain HTTP (which yes *could* be done in theory with a trojan horse), which then get blindly installed into your computer isn't happening. The package manager will detect this and report the error because it is computationally infeasible at this time to break RSA with traditional computers (hence the wait until we have sufficiently large quantum computers.)
And even in that future where we have sufficiently large quantum computers and RSA is then broken and no longer secure: NIST is already working to standardized new crypto algorithms that would be safe in such a world: https://csrc.nist.gov/projects/post-quantum-cryptography
Once the standardization process is over I expect that some future version of the package manager will implement post-quantum cryptography, thereby continuing to safeguard things.
So, really, within the context of updating your distro's packages, the use of HTTP does not propose a problem. I'm not giving the all-clear to all uses of HTTP, to be sure, just within this one context only.
> I did take the risk, because my Trisquel is an experimental test box.
If you deploy Trisquel in any scenario my recommendation it to use the install media for version 9.0.1, which will come with the updated ca-certificates package and avoid the entire matter from the beginning.
the alleged {{ apt upgrade }} is actually a fake one and no ISO image signed with Trisquel's private key, that should never leave Trisquel site was used in our case.
It is a real apt upgrade ("$ lsb-release -a" should say 9.0, even with this ISO 9.0.1) and the packets (including the one with updated certificates) must be signed with Trisquel's maintainers private key.
Instead the {{ apt update }} did all the repairs, i.e., transfered the new certificate file to a Trisquel user's as well as MTTM's (man in the middle's) computer, who can now install the updates on his/her system, (namely, they are pretending to be you), replace them with their versions (Trojans) and push them onto your system without you noticing.
If the GPG private key of Trisquel's maintainers was not stolen and if you have the right public key on your system, any wrong package sent to your computer, no matter whether http or https is used for that (or even whether you get them from some fake ISO), will get rejected by your computer.
if the key-pair is stolen, which opened/plain HTTP allows a sophisticated attacker to do
Can you provide some reference about this?
good examples of just mentioned security holes, that can open à la carte, [] {{ seahorse }} app and developers there, that infiltrated, and basically "own" Linux ecosystem
Same question about seahorse here.
>> It is a real apt upgrade ("$ lsb-release -a" should say 9.0, even with this ISO 9.0.1) and the packets (including the one with updated certificates) must be signed with Trisquel's maintainers private key.
Indeed, the {{ apt upgrade }} is a real module of the {{ apt }} system, what it does in our case here is fake! It is not only very convenient that {{ apt update }} needs to be run before {{ apt upgrade }} with insecure HTTP, that is when the certificate upload can be stolen, by the potential MITM. and indeed the ISO image is signed by the developers private key, I said that already above (search for: Trisquel's private key). Even if the iso image is protected with the strongest encryption that would take hundreds of millions of years to brake with brute force, is here irrelevant, because it is not the iso image that is the culprit here, it is the {{ apt update }} that transfers individual files and the new certificate, that conveniently expired for this ploy to be possible. This is my own experience, my dear Avron and no other proof or reference can be given at this time. Have you even run the update/upgrade? It is clear allegedly unbreakable encryption scheme used to sign it the iso image has no role in this security fraud! The same goes for GNOME, and seahorse. The best reference here is IBM. Now that does not mean that there are no good things in this, GObject system, Glib, Gtk, OpenGPG, Vala, ... are all far superior to anything coming from M$, Apple,...; though it is precisely the superiority of these projects that hides cancerous items like DBus, ("kworker/#:#"), gpg-key management tools, etc. As long as GitHub is the central gathering point of development resources and development talent pool, backed up by FIAT money and the corrupt corporate monopolies, we should be skeptical of everything coming out of there, as well as be vigilant about who's involved in FSF's projects!
The certificate did not "conveniently expire", people who installed their systems before the expiry and regularly updated them had no such problem (and that is my case too).
As far as I understand, update does not change any certificate, apt upgrade does, by getting a new ca-certificates package.
If your understanding is that apt update can changes certificates, you should provide some kind of plausible evidence of that. I cannot see how there could be no evidence, especially as this is free software.
jxself gave you straight answers to your questions. HTTP doesn't allow the packages to be tampered with, because they are cryptographically signed. No one here is being fraudulent.
Legimet, I am not accusing anyone in particular of being fraudulent. Fraudulent is the opinion, that cryptographically signed files prevent the abuse caused by using HTTP, and assuming that everyone in the process is an honest player, especially when safeguards like HTTPS are removed without warning about possible abuse. The problem here is solved and that is more important than arguing about irrelevant opinions including mine if you so wish!
Gnu-Bro, thank you for kudos, however do not blame Legimet for that, we all got carried away into spheres that have nothing to do with the problems you and I originally pointed out to. I apologize, I did not pay any attention to your question, I thought I also answered to you. Namely, I believe, my answer
Problem questionably and insecurely solved addresses the following: .
However, this
may need to be explained by Trisquel web administrator, but be ware that that may not necessarily be the case, since TOR could be blocked elsewere too! Besides, downloading and installing software with TOR may be problematic all together, since those who provide the software have all the rights to demand they know who you are!
Cheers!
Someone already posted these, I think.
Why am I denied access to edit my previous post? Indeed fiat controls everything today, this is fraud I am talking about here, unless this was a synch/timeing problem, however the privileged users are able to edit their posts even after there are new posts added to the thread! Also a hallmark of infiltration of corporate interests, stifling equality and freedom of expression. Indeed, showing the world what the real issue here is, is also undesirable:(
Hey, gnuTqPpantr, just curious, but I think most people here, are having trouble following what you are saying, not to be rude... but I assume english is not your first language.
Right?
I don't think you understand how this forum works and how the majority of them work. Not trying to insult you, it just puzzles me the way you posted, I had trouble following what you said/you seemed to get irritated as the thread went on.
Also, Gnu-Bro, you and him should really chill out... when people flame other people, it makes people not want to help them.
Just an observation, also, to both of you, as much as I have criticized Trisquel for certain things in the past, aka my dislike of certain redhat services being built into it aka... I won't
go into more details unless I have to... Long story short, this is NOT a Trisquel ISSUE... but yeah, this is an issue you would run into on debian, ubuntu, fedora, etc... if you don't
upgrade more often, you will run into this issue over and over again. I suggest in the future upgrading every week.
Or as you say, you may just have to use another distro...
Regardless, try to take it easy, life isn't worth stressing to that level of paranoia, honestly, gnu/linux can't in my opinion and indeed even the BSD's cannot solve this issue either.
If you cannot trust even libre software, then you are friggin screwed. Also, you will lose your sanity. Try to keep this in mind and think on it for a while, okay?
Legimet posted on Tue, 12/28/2021 - 18:18.
>>>> Your problem with Tor was ignored because ...
>>>> o o o
>>>> As far as I know, Trisquel is maintained by a small
>>>> group of volunteers (including Ark74). They are not
>>>> paid for their work.
As shown above Legimet posted this post two hours after my reply explaining the ignored questions and particularly the Tor related question, on which the smear campaign is built after the fact, for whom, not surprisingly, unlike for lanun users helping each other, which is the triumph of this thread, simply do not exist! Indeed, altering the time line and reality, effectively stealing credit from those users here who, beside the "kernel-authority without proof-of-work, to use Bitcoin lingo, truly helped. Every user here is welcome and in a way contributes to the project voluntarily, without pay, even those of us who are insulting to the too sensitive, not only those behind the nicks spending 24/7 online!
Cheers, and piece to all!
Smear campaign? What are you talking about?
>> Smear campaign? What are you talking about?
Everything obfuscating resolved problem in concert. Tor just happens to be a trigger. If there's nothing else then even the location of, where a question can be asked will do. Not to mention the abuse of the ability of the privileged user, to edit and even insert new posts after and above where previous posts were created or replied to, which has the effect of altering the context of what was said, usually making the partner in conversation look incompetent. The fact that the issues do not appear related does not mean that they are not. Turning the question, why the installation of software or the software update failed for the user, into a location issue here is contemptuous. Not to mention the unacceptable derogatory comments about my language, and other nonsense about my being irritated throughout the discourse above ...
The purpose of all this is to discredit the work and all the efforts to come to the answers and the solution of the problem of all of us who worked to the best of our abilities and with best intentions in mind.
> the ability of the privileged user, to edit and even insert new posts after and above where previous posts were created or replied to
I have always wanted to become a privileged user, but all my applications so far have been flatly denied.
Still not sure what you are talking about...
I don't think most of what you said is true here, meh...
W/e
I do not understand your sentences very well. But I can tell you that the comments by most users in this thread are well-intentioned, not meant to be insulting.
No problem, Legimet, as long as we all have our best intentions at heart, understanding each other also should not be a problem:) It was fun talking to you, like to everyone here, which gave me also an amazing the opportunity to get off the chest some of the things that can not be easily said in public. And I believe should be as much as possible, if we want to stand a chance to counter with the corrupt fiat money supported corrupt if not outright criminal activities by segments of tech monopolies, as well as the rest of establishment. Like the Tor for you guys, the HTTP/HTTPS issue for me was just a trigger to express my discontent about some players in the computer industry as well as within the Linux ecosystem, without whom there would be no problems with whistle-blowers, freedom of the press and with our democracy. And again, I do not mean that Trisquel and its team of developers, support staff or anyone supporting the project are engaged in dubious activities, contrary Trisquel is one of the few bright stars in the industry!
Cheers, ttyl
oops, how to delete an accidentally created post?
Oh, so you managed to edit your post. Have you now become privileged user? How? I want to know, I want to be privileged user!
> I had questions related to a critical vulnerability of a program that I downloaded from the trisquel repository
What vulnerability?
> I was very sorry to hear your respond in such a rude way as Trisquel's forum is not a company's hotline...
It wasn't rude, it's just a statement of fact. While there are a lot of helpful people on this forum, we are just random people on the Internet, so there's no guarantee that someone will help you with your issues. It's unlikely that you can get more reliable support without paying.
What exactly is the problem? You have not been very clear. Throughout this thread you are complaining that people are rude and unhelpful, but we don't even know what you want us to help you with.
> otherwise you have to write 9,000 more answers to common questions that the user could have seen in the documentation
This is clearly either wishful thinking or self-deprecation. Experience tells that most users never read the documentation, and some of them prefer to create a new thread to ask a question that has already been answered, sometimes 9,009 times, sometimes quite recently, a bit like you might have been doing yourself. If you cannot trust them to make a simple search in the forum before posting, what makes you think they would ever read the doc, however nicely written, beautifully adorned and frequently updated it might be?
Documentation is well known to be a critical part of any computer related project, and at the same time one of the most neglected and feared. If you had or were to have any idea how these things are sometimes dealt with in very large projects in no less large companies with big bucks, I bet you would consider the Trisquel documentation to be very actively maintained indeed. I am sure you would even find it hard to believe that this is made by a relatively small community of unpaid contributors. In six languages.
"I hope, we will stop poisoning a rather useful and helpful thread, that actually solves the upgrade/update and new software download issues."
https://trisquel.info/en/forum/faliling-update-3quel-os-downloading-software#comment-163835
- Anmelden oder Registrieren um Kommentare zu schreiben