The update script...

Tired to attach the update script, and it failed twice. Tried to cut and paste it, and it was flagged as malicious.
Basically, it:
Removes unattended-upgrades, /etc/apt/apt.conf.d/50unattended-upgrades, /etc/apt/apt.conf.d/10periodic
Modifies /etc/apt/apt.conf.d/20auto-upgrades, /etc/apt/apt.conf.d/99synaptic, /usr/lib/apt/apt.systemd.daily
gsettings set org.gnome.software download-updates false
gsettings set org.gnome.software download-updates-notify false

Thanks for the helpful feedback. We will look into fixing this in the live image and thus in the default installation.

The gsettings are the most important for the GNOME desktop. But the apt package also has its own daily update mechanism that we can likely just disable at the systemd level by disabling/masking apt-daily.timer and apt-daily-upgrade.timer.

As for unattended-upgrades, I believe it's no longer installed by default with the latest debian-installer. Will have to double check though.

I also don't see why synaptic comes into play, is that a package that you install on your own? It should not be in the default image.

Yes, we install Synaptic as part of our standard build - feel free to ignore it.

I renamed every instance of apt-daily.timer and apt-daily-upgrade.timer along with our changes, and I am still seeing "Software Updates Available" on a vanilla install.

It looks like adding an additional Gnome setting at least shuts off the notification (although it may not shut off all beaconing for updates).

The three that we've found so far are:
gsettings set org.gnome.software download-updates false
gsettings set org.gnome.software download-updates-notify false
gsettings set org.gnome.software allow-updates false

That is not sufficient, you need to deal with packagekit:

systemctl mask packagekit
rm /etc/apt/apt.conf.d/20packagekit

On my systems i have :

• Disable services apt-daily and apt-daily-upgrade
• Set to foase the three Gnome settings (see below)
• Mask packagekit and remove the packagekit apt hook file (to remove the warnings)
• disable ntp: timedatectl set-ntp false

to finely have quiet Kali systems.

“The quieter you become, the more you are able to hear.” :)

The situation is even worse nowadays:

• there's also "fwupd" which is connecting to cdn.fwupd.org (might be triggered by GNOME software too)
• something is connecting to extensions.gnome.org (might be GNOME software too)
• GNOME software is still asking for a refresh of the metadata despite the 3 gsettings
• GNOME software is also connecting to odrs.gnome.org
• GNOME calculator is making requests to www.imf.org every time that you do a search in the dashboard !

I filed a new wishlist issue against gnome-software to request a working option to disable network connections in the background: https://gitlab.gnome.org/GNOME/gnome-software/issues/748

I made a quick try by dropping /etc/xdg/autostart/gnome-software-service.desktop and it was enough to disable all network connections I had seen on session startup.

kali-defaults 2019.3.9 now disables gnome-software-service on session startup (by diverting the file in /etc/xdg/autostart/), it also contains supplementary gsettings to cope with the other issues... base-files 2019.3.0 disables the APT timers by default (will only work on new ISO).