debian: disable timer-based apt-get

Debian stretch in default configuration calls apt-get update every 24h. And additionally, have automatic unattended security updates enabled. Generally it would be good thing on standalone system, but in AppVM which loose its rootfs changes after restart it is a waste of resources. Especially when it kicks in on multiple VMs simultaneously, while on battery (apt-daily.service have ConditionACPower=true, but VM don't have that information...). It would make some sense on TemplateVM/StandaloneVM, but then it kicks in just at VM startup. Which conflicts with starting the update manually then (by clicking "update VM" button in manager for example, or using salt). So, disable this feature completely. The actual solution is based on pkg-manager-no-autoupdate by @adrelanos. Fixes QubesOS/qubes-issues#2621
2017-10-19 15:03:06 +02:00 · 2017-10-19 15:03:06 +02:00 · 128af0d191
commit 128af0d191
parent d84886d477
3 changed files with 28 additions and 0 deletions
--- a/1
+++ b/1
@ -326,6 +326,7 @@ install-deb: install-common install-systemd install-systemd-dropins
 	install -d $(DESTDIR)/etc/needrestart/conf.d
 	install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg
+	install -D -m 0644 misc/apt-conf-70no-unattended $(DESTDIR)/etc/apt/apt.conf.d/70no-unattended

 	mkdir -p $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/haveged.service  $(DESTDIR)/etc/systemd/system/
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@ -1,5 +1,6 @@
 etc/X11/xorg-preload-apps.conf
 etc/apt/apt.conf.d/00notify-hook
+etc/apt/apt.conf.d/70no-unattended
 etc/apt/sources.list.d/qubes-r4.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/default/grub.d/30-qubes.cfg
--- a/misc/apt-conf-70no-unattended
+++ b/misc/apt-conf-70no-unattended
@ -0,0 +1,26 @@
+## Based on pkg-manager-no-autoupdate by Patrick Schleizer <adrelanos@riseup.net>
+## https://github.com/Whonix/pkg-manager-no-autoupdate
+
+## Disable automatic update check APT::Periodic::Update-Package-Lists
+## which is the Debian default in /etc/apt/apt.conf.d/10periodic.
+##
+## The execution time would be too predictable, thus make us fingerprintable.
+##
+## 20noperiodic comes after 10periodic in alphabet so it takes precedence.
+##
+## Quoted from the Debian Handbook
+## http://debian-handbook.info/browse/wheezy/sect.apt-get.html
+##
+## "[...] Each directory represents a configuration file which is split over multiple
+## files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions
+## for the configuration of APT. APT includes them in alphabetical order, so that the
+## last ones can modify a configuration element defined in one of the first ones. [...]
+##
+## That changes take effect can be verified using:
+## apt-config dump
+
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";
+APT::Periodic::Unattended-Upgrade "0";
+APT::Periodic::Enable "0";