{{Header}}
{{title|title=
ToDo for Developers
}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
= TODO DEV =
== 3mdeb verified boot discussion ==
* https://github.com/3mdeb/verified-boot/pull/31
== Qubes R4.3 - Tor Browser Template Build Installation Issue ==
* https://forums.whonix.org/t/tor-browser-not-installed-by-default-in-qubes-template-whonix-workstation-17-4-3-0-202505132012-r4-3/21612
== permission hardener - review ==
* https://github.com/Kicksecure/security-misc/pull/307
* https://github.com/Kicksecure/security-misc/pull/308
== ISO - calamares bootloader issue ==
* https://forums.kicksecure.com/t/kicksecure-17-3-9-9-error-installing-on-a-usb-drive/1047
* considered resolved thanks to your reply. can be moved to archived.
== stcat - stdin bugfix review ==
* please review: https://github.com/Kicksecure/helper-scripts/pull/27
== live mode systray in python ==
* keep re-using most of live-check.sh, if sane (keep tested logic and implementation, change variables, output format, refactor, etc.)
* cli + gui separate?
== user-sysmaint-split - minor improvements ==
* consider test -s
-z "$(cat
== sysmaint-panel - allow running in dev mode ==
* when [[Sysmaint#enable_sudo_access_in_USER_session|enable sudo access in USER session]] has been enabled, allow running sysmaint
* i.e. check if privilege escalation tool is actually unavailable. Only if actually unavailable and sysmaint mode required, show the error popup.
== privleap - redesign command line tool names name and add group ==
* for better multi-user support
** https://forums.kicksecure.com/t/multi-user-privleap-issue-systemcheck-updatecheck/1046
* group leaprun-users - kinda confusing (comparable to group "sudo")
* or should we call this group leaprun for simplicity?
* even even simpler: privleap
* while at it, the different tool names might be confusing. privleap vs leaprun.
* rename:
** privleapd -> privleap-daemon
** leaprun -> privleap
** Linux group name: privleap
== kicksecure Qubes Template - sdwdate qrexec Denied message ==
* [https://github.com/QubesOS/qubes-issues/issues/7447 Kicksecure inside Debian Template sdwdate qrexec Denied message]
== kicksecure Qubes Template - app menu ==
* Qubes start menu: remove Firefox from Qubes Template default app menu (because Firefox should not be started inside Template) (not from App Qube App Menu)
== browser choice - design ==
* wiki text only
* please review, improve [[Dev/browser-choice]]
* Fleshed out both internal and user-facing design quite a bit more, including creating UI mockups.
* please review wiki history (Patrick made changes)
* change to "always cards design" for installation method
* show installation command (even if hidden behind expand box) before execution (for transparency and so that advanced users can stay in the loop what is actually happening, less "magic")
** Aaron: Reviewed and added requested changes.
* boilerplate: https://github.com/Kicksecure/browser-choice
* Patrick:
** open-link-confirmation might need a better error message if no browser is installed yet
** Please point out that "Open Source browser only" and link to criteria. If too much text, perhaps a link to the criteria only.
** Please re-review changes.
** Maybe the tool could indicated somewhere how the browser is currently installed? - Like either "Firefox is not installed" or "Firefox is installed as Firefox Stable from Flathub"
* Aaron:
** Re-reviewed changes, made adjustments as appropriate and added requested adjustments from this task.
** open-link-confirmation can be dealt with once we start actually implementing code, however the code implementation task should have a note about it once we get to that point
* Patrick:
** How to handle user-sysmaint-split?
*** Are we going towards rootless appstore? [https://forums.whonix.org/t/user-sysmaint-split-role-based-boot-modes-persistent-user-live-user-persistent-sysmaint-system-maintenance/7708/59 No.]
** How to handle Qubes Template implementation?
*** If run inside Template based App Qube: point out that browser choice will be functional but browser will not persist due to Qubes default Template implementation.
*** If run inside Qubes Template: point out being run inside Qubes Template. Prepend required http_proxy variable as documented in [[Install_Software#Install_from_Flatpak|Install from Flatpak]]?
*** If run inside Qubes Standalone: point out being run inside Qubes Standalone.
== chat messenger research ==
* https://forums.whonix.org/t/recommended-private-chats-and-social-networks-for-whonix/21561/14
* For inspiration on the best messenger:
** https://privacyspreadsheet.com/messaging-apps
** https://www.securemessagingapps.com/#
** https://www.privacyguides.org/en/real-time-communication/
* review, improve https://www.whonix.org/wiki/Chat
== bash seatbelt ==
* please watch: {{VideoLink
|videoid=DvDu8_A2uhs
|text=Seat Belts and Airbags for bash
}}
** https://github.com/pottmi/stringent.sh
* edit [[Dev/bash]] if something is missing
== wayland - gui applications with root rights ==
sudo XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR application-name
* [[Root#Wayland|Wayland]]
* should use lxsudo
* or sudo --set-home?
== user-sysmaint-split - Whonix-Gateway ==
* think through what verified_boot=on versus verified_boot=off should do on Whonix-Gateway
* document on [[Dev/user-sysmaint-split]]
== investigate Debian Rolling ==
* investigate why Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk Very incomplete, nowhere near usable. Will keep developing this.
== ISO - btrfs versus grub-live bug - real fix ==
* todo
* report bug upstream
* systemd bug report: https://github.com/systemd/systemd/issues/35540
* fix in dracut
** Cannot be fixed in dracut, dracut doesn't handle mounting /home. Instead opting to fix in grub-live.
** Might use kernel parameters using systemd features that may be available in trixie?
* since no response from systemd, needs to be fixed without systemd upstream support
* in case a reliable, solid implementation is not easy or not possible, this should either not be implemented or needs runtime sanity tests
* Current implementation plan:
** Create script (or augment existing script) that will look at all mounted filesystems, detect unsafe read/write mounts and report the system as either being fully persistent, semi-persistent, or fully live.
** Make livecheck recheck the system regularly (perhaps with an event-based mechanism if possible) and update messaging and the icon as necessary to indicate the system's state. Popups should be sent with notify-send to alert the user when something happens that affects the system's live state.
*** If no writable drives are mounted, show a green light. If writable, ''removable'' drives are mounted under /mnt or /media, show a yellow light. If non-removable drives of any kind are mounted, or if removable drives are mounted anywhere other than /mnt or /media, show a red light. NFS is considered a removable drive.
*** We should reimplement livecheck in Python + PyQt5. Use a system tray icon to indicate the live state, use a poll on /proc/self/mounts to detect when mounts change and rescan for possible danger.
** Create a systemd unit that will scan /etc/fstab on boot and mount overlayfs filesystems over the top of most persistent filesystems listed in /etc/fstab, with the exception of mounts under /media and /mnt and filesystems that should always be persistent (NFS specifically). This should run early during boot and block boot, and should not run unless the system is booted in live mode.
** Research how Tails live mode works in this regard and take inspiration from them if possible.
*** Won't boot unless it is booting from a USB medium with the removable media bit enabled
**** Idea - disks mounted that have the removable media bit set are probably OK to mark as yellow, use red when there are mounted "non-removable" disks which are more likely to be internal or external (semi-)permanent hard drives
*** Cannot mount non-removable drives without setting an administrator password on the initial setup screen and then providing that password when prompted
*** Removable media is automounted even without clicking on it in the file manager (?!)
== emergent shutdown discussion ==
* please read, comment if applicable
* https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994
* https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755
* Implemented, but may need further polish:
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
*** On my test system, this reliably causes the screen to black out and the OS to become inaccessible when I unplug the root filesystem device, but sometimes the power LED will remain lit and the fans will keep running. This happens about 50% of the time, the other 50% of the time a proper shutdown is done. Because of the shutdown method being used, I currently suspect this is the fault of my hardware and not of the implementation, but further testing will be needed to confirm that and documentation should indicate that users must test this feature thoroughly before relying on it in a security-sensitive situation.
*** This is supposed to work even if Kicksecure is burned to an optical disc and that disc is ejected, but I believe is currently will not work. I believe the kernel sends a different event for an ejected optical disc than for a removed USB drive.
*** Panic button support not yet implemented.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/emerg-shutdown
*** The root device finding script could use more thorough testing and could be expanded to support more scenarios.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
== emergency shutdown implementation ==
* when the boot USB drive is removed
* when panic key is pressed (most obviously probably the power button)
* https://github.com/NobodySpecial256/panic-wipe/blob/main/panic.c
== live mode enhancements ==
* related to [[Grub-live#Comparison_between_grub-live_and_Tails|Comparison between grub-live and Tails]]
* research, compare with Tails
* Avoid writing to arbitrary (non-boot) host disks
* Disables removable drives auto-mounting
* Disabled virtual machine shared folders
== permission-hardener - live bug ==
* got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_
NAME: 'postinst' $\*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map
config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener
enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling functio
n name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkp
wd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name:
'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'c
ommit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'co
mmit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_pol
icy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_polic
y'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
* random guess: Could there be issues with non-latin language settings?
* Why is it /usr/lib/live/mount/rootfs/filesystem?
* Could it be that the user booted into live mode?
* Maybe a case of low RAM where no further writes to RAM were possible?
* Booting into live mode and using APT should be supported as much as feasible.
* In case of insufficient information, could you please add debug code to provide more information in the future?
* Unsure if further information can be requested form the reporter, but I could try.
* Useful to add:
test -w "${file_name_from_stat}"
* permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
* Aaron: Cannot reproduce on ISO or in LIVE mode USER.
** The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
*** All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
*** We already offer a live Kicksecure ISO.
*** None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
*** And of course, permission-hardener doesn't expect anything under /usr to be read-only.
** Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
* Patrick: Done. Documented.
* Could you please add better error handling in this case?
== audio ==
=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share
=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between Pulseaudio and Pipewire on a booted VM, discovered I could "initialize" the speakers with Pulseaudio and then Pipewire would work thereafter
* Virtually certain this is an upstream bug, was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under Virtualbox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. Pulseaudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.
== live-build - test lb config --dm-verity ==
* Does the ISO still function if build with lb config --dm-verity?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup
== package refactoring - kicksecure-meta-packages vs qubes-whonix - #2 ==
* TODO: Reduce packages in https://github.com/Whonix/qubes-whonix/blob/master/debian/control thanks to the improved Qubes support by kicksecure-meta-packages, if applicable.
** https://github.com/ArrayBolt3/qubes-whonix/tree/arraybolt3/kicksecure-qubes-merge
** https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/kicksecure-qubes-merge
* Patrick: merged, tested and reverted
* Gateway:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli
kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl
libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl
libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl
libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl
libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn
python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography
python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink
python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib
python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy
python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack
python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
* Workstation:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0
libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings
== Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server ==
* https://github.com/Kicksecure/security-misc/issues/187
* This is in preparation for the next task.
* Discussion on how best to do this posted at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674
* keep https://github.com/Kicksecure/security-misc/issues/184 in mind
== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10
== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415
== Secure Mount Options for better Security Hardening ==
* review discussions, wiki
* comment
* improve the solutions research
* https://www.kicksecure.com/wiki/Dev/remount-secure
* https://www.kicksecure.com/wiki/Noexec
* https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
* vm-config-dist chmod 777 on /mnt/shared conflicts with noexec
== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
* if doable with reasonable effort
== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script to use git bisect to auto test which commit introduced this issue maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
== VirtualBox serial console ==
* {{CodeSelect|inline=true|code=
sudo apt install serial-console-enable
}}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
* would installation by default be sane or a security issue?
== KVM related ==
=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - verify AppArmor sVirt confinement operation ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/593
=== KVM - use rootless ===
* https://forums.whonix.org/t/rootless-virtual-machines-with-kvm-and-qemu/20952
* port documentation (and XML files, if needed) to qemu:///session, if sane
* search Kicksecure; and Whonix wiki - using [[Special:ReplaceText]]
* re-check if sVirt is still functional
=== KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/594
* update documentation
** https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:_Use_more_than_One_Whonix-Workstation_-_Easy
** https://www.whonix.org/wiki/KVM#Creating_Multiple_Internal_Networks
** https://www.whonix.org/wiki/Multiple_Whonix-Gateway#KVM
== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at instalation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way. Whonix VMs still need these.
== stackable wrappers ==
* in preparation for the next two tasks
* https://forums.whonix.org/t/stackable-wrappers/7944
* https://github.com/Kicksecure/proposals/blob/master/634-stackable-wrappers.txt
* https://forums.whonix.org/t/write-draft-for-stackable-wrappers-on-debian-devel/18776
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693
* review, comment, pull request where applicable
* draft and/or open a discussion on debian-devel
== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task
== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss
== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?
== improved server support ==
* documentation
** rebrand wiki CLI for server
* Linux account passwords?
* cloudinit?
* vm-config-dist versus autologin CLI vs GUI vs server
== hidepid ==
* general information: https://www.kicksecure.com/wiki/Security-misc#hidepid
* enable by default for users of user-sysmaint-split?
* hidepid seems to make most sense if using user-sysmaint-split, because then account "user" cannot use sudo/pkexec anyhow
* test and implement https://github.com/systemd/systemd/issues/29893#issuecomment-2757436101 if sane
== research shred ==
* research if shred is still useful nowadays
* if not, should be replaced by safe-rm
= WAITING ON =
== user-sysmaint-split - sysmaint user versus R4.3 issue ==
* https://github.com/Whonix/updates-status/issues/240
* Upstream fix in progress: https://github.com/QubesOS/qubes-core-admin/pull/681
* Kicksecure change to go with upstream fix, '''DO NOT MERGE UNTIL UPSTREAM PART IS MERGED''': https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/default-user
== helper-scripts - stecho - review ==
* please review: https://github.com/Kicksecure/helper-scripts/pull/25
* Review submitted.
== grml-debootstrap - grub issue ==
* https://github.com/grml/grml-debootstrap/issues/339
** Fix for remaining issue: https://github.com/grml/grml-debootstrap/pull/341
== dracut - upstream generic initrd default ==
* in reference to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792#80
* does dracut upstream currently use hostonly=no by default, i.e creates generic initrd by default?
* if not, that is what dracut should do. please write a feature request.
* reasons: reproducible builds, universal boot (install once, boot anyhwere), [https://0pointer.net/blog/fitting-everything-together.html ecosystem direction]
* bug: dracut upstream hostonly=yes + hostonly_mode=sloppy has better support than hostonly=no (generic initrd)?
* Discussion: https://github.com/dracut-ng/dracut-ng/pull/1238
* https://github.com/dracut-ng/dracut-ng/issues/748
* https://github.com/dracut-ng/dracut-ng/pull/1283#pullrequestreview-2785669230
== grml-debootstrap - upstream sgdisk typecode changes ==
* please upstream to grml-debootstrap, if sensible
## Change the partition type of the root partition so systemd identifies it
## as a root partition.
##
## The type code used for the root partition differs depending on machine
## architecture. See
## https://www.toomanyatoms.com/computer/gpt_partition_type_guids.html for
## info on what code to use for which architecture.
##
## grml-debootstrap's generated partition layout will also depend on the
## architecture, so we may have to change a different partition depending
## on the CPU type we're building for.
type_code=""
case "$dist_build_target_arch" in
amd64)
$SUDO_TO_ROOT sgdisk --typecode='3:4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709' "$binary_image_raw_file"
;;
arm64)
$SUDO_TO_ROOT sgdisk --typecode='2:B921B045-1DF0-41C3-AF44-4C6F280D3FAE' "$binary_image_raw_file"
;;
esac
* Encountered issues trying to implement this, asked for input at https://github.com/grml/grml-debootstrap/issues/336
** If a response is not received in a couple days (April 17), just try implementing this with parted in chroot-script and submit a PR
== RPi GRUB - contribute to Debian ==
* Start a discussion and contribute to https://raspi.debian.net/ if accepted by upstream.
* This and the above ticket might result in implementation feedback, such as for options in config.txt.
* Combined this and the debian-arm notification ticket into a single email.
* https://lists.debian.org/debian-arm/2025/04/msg00012.html
* Found:
** https://salsa.debian.org/raspi-team
** https://salsa.debian.org/raspi-team
** Seems active as per: https://salsa.debian.org/raspi-team/image-specs/-/issues/74
** https://salsa.debian.org/raspi-team/image-specs/-/issues
*** Please consider posting a feature request there for RPi GRUB support, if that is sensible. Draft:
add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]
Booting in this way has several substantial advantages over the current Raspberry Pi boot process:
* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.
Is this a feature for which you would welcome a merge request here, either as an option or even as the default?
Obviously, at this point, RPi GRUB support could only be added to Forky and later.
(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)
* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335
* Aaron: Filed issue upstream using template: [https://salsa.debian.org/raspi-team/image-specs/-/issues/78 Support U-Boot + grub-efi boot flow]
** Also filed a bug report against raspi-firmware: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102607 Add support for U-Boot + grub-arm64-efi boot flow]
== RPi grml-debootstrap ==
* https://github.com/grml/grml-debootstrap/issues/114
* Draft PR at https://github.com/grml/grml-debootstrap/pull/335, needs more testing and work
* Tested and polished PR and marked it as ready for review.
* Added question about future support for U-Boot + grub-efi-arm64.
== qubes boot modes - in-vm kernel support ==
* todo
* Submitted to Qubes: https://github.com/QubesOS/qubes-linux-pvgrub2/pull/16
* Submitted to FSF: https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html
** Attempt to get attention for the patch again on April 11, try to smooth out some of the possible issues with the patch before sending if at all possible.
** If a second attempt at submitting the patch results in complete silence, return to Qubes and explain that attempts to upstream the patch weren't acknowledged.
== grml-debootstrap - EFI partition size ==
* https://github.com/grml/grml-debootstrap/issues/221
* zeha currently does not want to implement this until systemd-boot "happens" (I'm guessing this means until it is supported by grml-debootstrap).
== calamares - enable GRUB force_efi_extra_removable ==
* todo
* if applicable
* PR: https://github.com/calamares/calamares/pull/2446
* Pending discussion.
== GRUB - Debian packages grub-pc and grub-efi co-install-ability ==
* please submit a patch to Debian to make grub-pc and grub-efi co-installable
* [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
* Submitted and awaiting review: [https://salsa.debian.org/grub-team/grub/-/merge_requests/76#note_590495 Remove ucf conffile conflict between grub-pc and grub-efi-{amd64,ia32}]
* Unfortunately this is not going to be able to make it into Trixie, it will have to wait for Forky before it makes it into Debian Stable.
== trixie port - misc ==
* might need to split this into multiple tasks
* waiting for trixie to get frozen and stable enough
* 1) SSH configurations
** move configuration snippets from [[SSH]] wiki page to security-misc [not completed at time of writing in end of 2024 but should be early next year]
** https://github.com/Kicksecure/legacy-dist/blob/master/usr/sbin/release-upgrade
*** add ominous message to release-upgrade script if SSH client or server is installed
*** point out in distribution morphing instructions
* 2) repository codename split project names
** update repository origin value as per https://www.kicksecure.com/wiki/Dev/APT#changed_its_'Origin'_value_from_'whonix'_to_'kicksecure'
** (revert the revert of https://github.com/Kicksecure/derivative-maker/commit/25f5c7e11afd23f58f40286be1fd9097c31a705e)
* 3) move from usability-misc and security-misc to to helper-scripts
** upgrade-nonroot
** other APT related scripts
** this will allow sysmaint-panel to remove dependency on usability-misc and security-misc
* 4) convert user-sysmaint-split and sysmaint-panel from "loose packages" to dependencies of the respective meta packages
** add ominous message to release-upgrade script
* 5) Check if /etc/grub.d/10_linux was updated in Debian. If so, update our fork in dist-base-files.
* 6) https://www.whonix.org/wiki/Dev/Redistribution#Major_Upgrade
* 7) port all sources.list files to DEB822-Style Format (can be postponed if needed)
* 8) ram-wipe: re-add Depends: systemd-cryptsetup
== trixie port - dracut - hostonly yes versus no ==
* after Dracut fixes... should Kicksecure images (in trixie) use a different hostonly mode?
* Yes, we should switch to hostonly sloppy mode, which is now being substantially improved to be a lot more generic upstream.
== trixie port - GRUB_DEVICE vs dracut vs initramfs-tools ==
* The following is required for initramfs-tools only:
GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
unset GRUB_DEVICE_UUID
* grep the source code for this and move it below the following condition because it is not required by dracut:
if pkg_installed initramfs-tools ; then?
* related: [[dracut]]
== trixie port - deprecate initramfs-tools support - consider making dracut a dependency ==
* todo
* hard depend on dracut?
* if so, must also hard depend on systemd-cryptsetup
* do this during release-upgrade
* related: [[dracut]]
== trixie port - port to Wayland ==
* https://github.com/Kicksecure/kicksecure-meta-packages/pull/2
== trixie port - update derivative signing key derivative.asc ==
* plan how to use a new signing key
== trixie port - meta packages ==
* implement [[Dev/Metapackages]] when porting to trixie
== calamares - make 3.3.12 available in Bookworm ==
* necessary to fix bugs related to the disk encryption user interface
* Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
** Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
** 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after than I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
** 3.3.12 was uploaded but was slightly wonky, wasn't migrating, maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem, should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
* Backport 3.3.12 after it is available in Trixie
** Backport submitted to Debian Mentors, review requested from maintainer.
== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
* Sent email to grub-devel mailing list to investigate this
== ISO - memtest86+ ==
error: bad shim signature
* Fixable?
* Apparently requires a security review: [https://github.com/rhboot/shim-review/issues/314 Meta: Signing memtest86+ v6.10]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375 memtest86+: fails to work with Secure Boot enabled]
* Asked about what contributions would allow this to move forward on the debian-efi mailing list: [https://lists.debian.org/debian-efi/2024/12/msg00021.html Memtest86+ Secure Boot signing]
== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930
== ISO - changed files issues ==
(annoted)
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receiptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.
== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.
== lightdm ssdm ==
* bug report: https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/11
* cause of bug could be in rads or security-misc
* Unable to reproduce bug, request for more information at https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/13
* More information received, need to retry this one more time
* Tested, finally managed to partially reproduce. Issue appears to be in SDDM.
* Debugging complete, bug report with fix filed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089004
== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370
== live-build - use APT with error-on-any ==
* use option apt --error-on=any for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
* Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
* Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.
== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as as Debian Live ISO)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.
= REVIEW PLEASE =
== mouse fingerprinting ==
* todo
* https://forums.whonix.org/t/better-mouse-obfuscation/21445
* notify https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2477848847 if fixed
* update [[Keystroke_and_Mouse_Deanonymization|Keystroke and Mouse Deanonymization]]
* Current implementation: https://github.com/ArrayBolt3/kloak/tree/arraybolt3/anon-mouse
** Left some notes on the Whonix forums about this implementation's effects and shortcomings.
** Currently have prototype mouse implementation working and published, and prototype touchpad implementation kind of working, but this is not suitable for final release.
** Remaining work:
*** Hook all pointing devices and handle them with libinput (do NOT try to use evdev directly here)
*** Translate all movements into absolute coordinates that can be reported to the kernel (note: relative coordinates might also be acceptable as long as we can perfectly predict where the pointer is going to end up)
*** Use normal kloak buffering to obfuscate mouse movements and timings
*** Display a virtual pointer instead of (or in addition to) the real pointer that shows where the mouse actually is so the user can control it smoothly
* research reading list:
** https://www.mimic.sbs/
** https://github.com/MIMIC-LOGICS/Mouse-Synthesizer/blob/main/MIMIC%20A%20Kinematic%20Theory-Based%20Synthesizer-Alessandro%20Nicola%20Capriati.pdf
** https://www.mimic.sbs/antibot/On-Anti-Bot-Biometric-Protections.md/
*** Aaron: These look potentially useful, but I'm not experienced enough with the math being used here to really understand how this works. Given the final equations and a sufficiently powerful math library however, it might be possible to wrap the algorithms into a library which could then be made part of an application, where the user could define where to click, what area to move the mouse in, and the time period during which the mouse should move, then click a "play" button that would move the mouse and execute the clicks using these synthesized movements. It might even be possible to somehow integrate this into kloak, though I'm unsure if that would actually be advantageous or not.
* test page:
** http://jcarlosnorte.com/assets/fingerprint/
*** please document, if useful
**** Aaron: Does not appear particularly useful, only runs tests on scroll wheel behavior.
* Aaron: Current alpha-quality implementation: https://github.com/ArrayBolt3/kloak-v2
== review and test IPv6 support pull requests ==
* https://forums.whonix.org/t/add-ipv6-support/19893
* https://www.whonix.org/wiki/Dev/ipv6
* please review for Non-Qubes-Whonix, Qubes-Whonix
* goal: merge as much as doable/possible without breaking networking
* enabling IPv6 support in Qubes-Whonix might only be possible during release upgrade to trixie based and orchestration with Qubes
* Waiting for planned fixes to land in PRs.
* Update 1:
** Please recheck.
** Notes:
*** square brackets aren't supported in systemd: https://github.com/systemd/systemd/issues/35621
*** quote "The only issue is that VirtualBox only supports IPv6 if we switch to bridged interface, which exposes whonix gateway to the network. libvirt requires adding custom NAT rules for IPv6, which are only automatically managed for IPv4. If we want to add this, we'd need to add a static IP configuration and give the user instructions on how to add NAT rules on the host. So for now only Qubes will have direct support for IPv6 for outgoing transactions, without further instructions a user needs to do on the host."
* Can't get it working in VBox (even with bridged networking), libvirt (even with a custom network interface), or Qubes (apparent bug in Qubes R4.3 prevents me from making a new network-providing qube). See https://forum.qubes-os.org/t/qubes-4-3-cannot-create-a-new-appvm-that-provides-network-to-other-qubes/30906/2.
* Update 2:
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385107
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385335
** please direct questions, issues to Daniel (such as by adding these to https://www.whonix.org/wiki/Dev/ipv6 or commenting on a pull request)
* Aaron: Left Daniel some feedback on things that didn't work. If not fixed in a week (so around April 4th), our plan is to merge as-is and fix bugs after.
= ARCHIVED =
== grub-live - systemd-repart error message inside VM during boot ==
* fix attempt https://github.com/Kicksecure/grub-live/blob/master/usr/lib/systemd/system/systemd-repart.service.d/30_grub-live.conf
* dracut issue. dracut does not pick up systemd-repart.service.d/30_grub-live.conf
* please report a bug against dracut, if applicable
* https://github.com/openzfs/zfs/issues/14075
* https://github.com/dracut-ng/dracut-ng/blob/main/modules.d/01systemd-repart/module-setup.sh
* maybe fixed by Patrick in grub-live package
* [https://github.com/dracut-ng/dracut-ng/issues/1328 some dracut modules fail to copy systemd system drop-in configuration snippets]
== bash livecheck.sh systray broken ==
* unit test is broken
* shows read-only mode in live mode while not read-only
* sometimes even shows read-only while booting into persistent mode
* maybe fixing not required depending on bug cause (backend or frontend) and depending on below
* some changes by Patrick, maybe fixed
== user-sysmaint-split - review sysmaint-boot.target ==
* /usr/lib/systemd/system/sysmaint-boot.target
* Reviewed, updated: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-boot-wants
** Patrick: Merged.
== user-sysmaint-split - user login without autologin broken ==
* Default login session for non-sysmaint accounts ends up being the sysmaint login session
* Fix: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/login-fix
** Patrick: Merged.
== live mode detection improvements ==
* https://github.com/Kicksecure/helper-scripts/blob/master/usr/libexec/helper-scripts/live-mode.sh
* Currently only based on grepping kernel command line.
* However, a different or the wrong initramfs generator might be in use. Or some other unexpected use case.
* Ideas on how to make live mode detection more reliable?
* Aaron: It might be possible to rely on the mount info for the root filesystem, which can be seen by running LC_ALL='C' mount | grep ' on / '. This returns a distinctly different string for each of persistent mode, live mode, and ISO live mode.
** PERSISTENT mode: /dev/mapper/luks-65abae64-dea9-4e54-b75f-0f545ed4a053 on / type ext4 (rw,relatime)
** LIVE mode (dracut): overlay on / type overlay (rw,noatime,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work,default_permissions)
** LIVE mode (initramfs-tools): overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work,redirect_dir=on)
** ISO live mode: LiveOS_rootfs on / type overlay (rw,relatime,lowerdir=/run/rootfsbase,upperdir=/run/overlayfs,workdir=/run/ovlwork)
* Based on the above, we could say "if the string starts with overlay on / type overlay, then we're in GRUB live mode. If it starts with LiveOS_rootfs, we're in ISO live mode. Otherwise, we're in persistent mode.
* Notes:
** LiveOS_rootfs appears to be hardcoded throughout dracut, thus I believe this is a string we can rely on to be accurate.
** For Dracut, overlay for GRUB live mode is hardcoded in the Debian-specific 90overlay-root module and thus can likely be relied upon, see /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh.
** For initramfs-tools, overlay for GRUB live mode is ''sorta'' hardcoded in live-boot, but not exactly, aufs is also supported and that might change the mount line. This may or may not be completely reliable.
* Patrick:
** Should we combine the existing kernel command line parameters based test with the new mount based test?
*** Aaron: IMO, no, the logic will become too complicated. Notably, if the mount info and kernel parameters say different things, we'll risk either telling the user that their changes will persist when they won't, or telling the user that their changes won't persist when they will. The mount info is likely to be more reliable and there's no need to check the kernel parameters too.
** Any way for to catch also the BTRFS home folder unexpected persistence bug (live mode indicator said "live" but /home folder was actually persistent bug)? Related: [[Dev/todo#ISO_-_btrfs_versus_grub-live_bug_-_real_fix|ISO - btrfs versus grub-live bug - real fix]]
*** Aaron: That is possible.
* Implemented both enhanced live mode detection and the ability to detect semi-persistence:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/live-mode
*** Patrick: Merged.
** desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/live-mode
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/live-mode
*** Patrick: Merged.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/5ccc4218a0dd89c3a04ad4305fc6f7e088c24036
*** Patrick: Merged.
== umask bug - copy from user to sudo missing permission - others ==
* how to reproduce:
{{CodeSelect|code=
touch a
sudo cp a /etc/a
ls -la /etc/a
}}
* expected result: readable by "others" ("public")
* actual result: unreadable by "others"
* this is probably happening because file "a" is created unreadable by "others". When copying, permissions are preserved.
* problematic in context of use cases such as:
{{CodeSelect|code=
sudo overwrite /etc/apt/sources.list.d/cwtch.im.list 'deb [arch=amd64 signed-by=/usr/share/keyrings/deb.cwtch.im-keyring.gpg] https://deb.cwtch.im/cwtch.im/ stable main'
}}
* Aaron:
** This is two separate issues. The issue as described with cp is not a bug and isn't fixable - cp's behavior is to simply clone the file mode (permissions) of files it copies. This can be overridden using the --no-preserve=mode option.
** However, overwrite and other programs that use append-shared are indeed causing permission issues, they appear to be forcing the permissions of any file they touch to 0600. This is because we're creating a temporary file with the contents we want, then moving it into the location where the old file was. The permissions on the temporary file are 0600, so the final file ends up with the same (faulty) permissions.
*** Fix: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/append-perms
**** Patrick: Merged.
* Patrick: created [[umask]]
== installation failure with en-gb locale ==
* https://forums.kicksecure.com/t/error-during-installation/1033
** Fix: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/locale
*** Patrick: Merged.
== sysmaint systray ==
* implement and already existing systray in sysmaint mode (ideally X11 + Wayland compatible)
* add NM systray by default
* Implemented:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/systray
*** Patrick: Merged
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel
*** Patrick: Merged
** NOTE: trayer must be added to a Kicksecure metapackage for this to work. Which metapackage is the best is unclear, non-qubes-enhancements-gui may be a good choice.
*** Patrick: Added to non-qubes-enhancements-gui
== sysmaint-panel - wifi setup ==
* todo
* Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/82c9aa8ffb65f49215645abe9968cec02daebba8
** The network configuration button just calls nmtui, which reduces the maintenance burden on us and provides a hopefully much better-tested suite of features than we could provide ourselves.
* Patrick: Merged.
== verfied boot - specification pull request review ==
* https://github.com/3mdeb/verified-boot/pull/30
* Added review notes.
== Kicksecure homepage - search engines comment ==
* https://forums.kicksecure.com/t/add-searxng-and-startpage-buttons-to-kicksecure-welcome-page/992
* please have a look and opinion:
** https://searchengine.party/
** https://searx.space/
* Researched, left a comment.
== sysmaint-panel feature requests ==
* https://forums.kicksecure.com/t/testing-kicksecure-17-3-9-2/1027
** Implement log view and search features
*** Done: https://github.com/ArrayBolt3/sysmaint-panel/commit/0bac2a51162cf0c8301d7667829f7fbd896febb4
**** Patrick: Merged.
** Fix systemcheck to give proper update guidance when booted into a user session
*** Done: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/fix-apt-update-msg
**** Patrick: Merged.
** (Possibly?) Allow the user to customize the desktop background
*** Argued against arbitrary images as a background in the sysmaint session, suggested gradient customization instead: https://forums.kicksecure.com/t/testing-kicksecure-17-3-9-2/1027/6
*** Patrick noted this is not important to develop.
== sysmaint-panel - distinct wallpapers for Whonix-Gateway and Whonix-Workstation ==
* sysmaint-panel shows a Kicksecure-like background image regardless of the underlying OS at the moment
* Whonix-Gateway and Whonix-Workstation VMs in sysmaint mode look confusing for this reason
* change the background to match the default Whonix-Gateway and Whonix-Workstation backgrounds on those respective systems
* Done: https://github.com/ArrayBolt3/sysmaint-panel/commit/04db8e25c4ecfb6d93ce013e805fc86eec445c3f
** Patrick: Merged.
* Also discovered systemcheck was broken under Whonix on VirtualBox due to onion-grater not running. Fixed: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/whonix-systemcheck
** Patrick: Merged.
== security review and improve curl-prgrs ==
* /usr/libexec/helper-scripts/curl-prgrs
* Reviewed, made some improvements: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/curl-prgrs
** Patrick: Merged.
== kvm mouse integration broken in sysmaint session ==
* https://forums.whonix.org/t/mouse-problem-in-new-test-version-in-kvm/21544
* Fix: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/mouse-integration
** Patrick: Merged.
== Zarhus Developer Meetup 0x1 ==
* Includes presentation of Kicksecure ram-wipe test results
== ISO - boot menu text consistency ==
* if effort for the following is sensible...
* remove "GNU/Linux"
* remove "AMD64"
* make text in GRUB boot menu more similar to default Kicksecure with user-sysmaint-split
* make text in live-config-dist more consistent with user-sysmaint-split wording
* Fixed some other boot menu inconsistencies:
** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/grub-menu
*** Patrick: Merged.
** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/grub-menu
*** Patrick: Merged.
** anon-ws-base-files: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arraybolt3/grub-menu
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-config
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/grub-menu
*** Patrick: Merged.
* Fixed ISO boot menu inconsistencies:
** live-build: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
*** Patrick: Merged.
** derivative-maker (master branch, as usual)
*** Patrick: Merged.
** live-config-dist: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/wording
*** Patrick: Merged.
== GRUB - choose boot mode text too small ==
* non-Secure Boot version:
** boot menu entries looks OK, looks like text size 12 or 14
** "Choose boot mode" looks like text size 9 -> please check if reproducible and increase text size a bit, if sensible
** Fixed in boot menu text consistency task changes, I forgot to push an important commit.
* commit is part of "GRUB - choose boot mode text too small"
== libpam-tmpdir - PAM_tmpdir - /tmp/user/1000 owned by uid 0 instead of uid 1000 ==
* https://forums.whonix.org/t/systemcheck-fails-for-unclear-reason/21424/29
* please investigate unsafe ways to use TMP and similar env vars
* refactor TMP/security-misc-apt-get-update-pid
* Discussed with Patrick, we don't believe security-misc-apt-get-update-pid is the likely cause anymore. Can't identify a potential other cause yet.
* Aaron could not reproduce on Qubes R4.3. Reported to Marek.
* No response received, assuming not (or no longer) an issue.
== kloak upstream discussion ==
* https://github.com/vmonaco/kloak/issues/80
* Left a comment. Also did some research to find the correct Wayland protocols for passing emulated input to the compositor, those protocols being https://wayland.app/protocols/wlr-virtual-pointer-unstable-v1 and https://wayland.app/protocols/virtual-keyboard-unstable-v1
* Official repo switched over, feedback from vmonaco received and will be used in further development.
== grub - secure boot signed fonts ==
* discuss upstream, file feature request
* feature requests are unlikely to get implemented
* ITP might be possible in theory but too low priority
* closing
== verified boot chat ==
* done
== user-sysmaint-split - sysmaint-boot-cleanup.service error message during ISO shutdown ==
* reproduced where: Qubes HVM + ISO + unrestricted admin mode
* a systemd error message is shown during shutdown
* Fixed, needed to disable sysmaint-related systemd units when user-sysmaint-split is uninstalled: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-config
** Patrick: Merged.
== user-sysmaint-split - Qubes - Selective sudo Access ==
* implement [https://github.com/QubesOS/qubes-issues/issues/9512 Selective `sudo` Access Enabling in VMs Without `qubes-core-agent-passwordless-root` via `qvm-service`]
* Likely going to end up implementing [https://github.com/QubesOS/qubes-issues/issues/2695 Automate vm sudo authorization setup]
** Need Qubes OS R4.3 for this, not able to install it on primary dev rig yet, awaiting arrival of an (already ordered) external drive enclosure.
*** Patrick: R4.2 should be sufficient?
**** Aaron: New major features cannot be introduced into R4.2. Needs to be developed for R4.3.
** Relveant Qubes OS tickets:
*** https://github.com/QubesOS/qubes-issues/issues/5840
*** https://github.com/QubesOS/qubes-issues/issues/5852
*** https://github.com/QubesOS/qubes-issues/issues/5853
*** https://github.com/QubesOS/qubes-issues/issues/2695
*** https://github.com/QubesOS/qubes-issues/issues/9512
* Waiting for feedback from HW42.
* Is a lightweight solution possible? If an App Qube is booting and /run/qubes/sudo exists, chmod o+x /usr/bin/sudo or better dummy-dependency --yes --purge user-sysmaint-split?
** Researched, implemented: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-config
*** Patrick: Merged.
** Note, this will also be visible in TemplateVMs which could be confusing and could lead users to uninstall user-sysmaint-split in templates on accident. Feature request for fixing this: https://github.com/QubesOS/qubes-issues/issues/9920
== research wlroots layer-shell security ==
* as discussed
* Possible issues already known: https://github.com/labwc/labwc/discussions/1002#discussioncomment-6543362 "layershell (can grab keyboard focus)"
* [https://github.com/labwc/labwc/discussions/2698 Allow restricting layer-shell and emulated input protocol access to whitelisted applications]
* please document on https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation
* Documented. There are publicly known security shortcomings with the current approach.
== publish debian live-build security comment ==
* past private report, time to publish, if sensible
* Already published some time ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225#115
== wiki editing - First-Time Source Code Contributor Policy ==
* [[First_Time_Source_Code_Contributor_Policy|First-Time Source Code Contributor Policy]]
* please review, improve, if applicable
* Reviewed, clarification suggested in chat, Patrick implemented it.
== grub skin - change text ==
* Please change from Choose an operating system to start to Choose boot mode.
** Done:
*** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arrabolt3/grub-theme
*** anon-ws-base-files: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arrabolt3/grub-theme
*** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arrabolt3/grub-theme
* Ideally, that text would no longer be hardcoded but if it's a high effort or impossible, can hardcoded.
** Done without hardcoding.
== sysmaint-panel - add repository-dist-wizard ==
* todo
* Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/b376aea4a312fcbb83f2dd1801c8081b1575cb6b
* Also discovered a bug where the apt configuration written by repository-dist-wizard was not world-readable. This was because our PAM config was not setting the umask to 022 for root when commands were run via pkexec. Fixed: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/fix-pkexec-umask
== tor-ctrl - security review ==
* please review
* based on git master
* Review complete, shared results in chat.
* please review again after changes made
* Re-reviewed, had an additional hardening improvement to make: https://github.com/ArrayBolt3/tor-ctrl/commit/39833c0172da2d67fc7a352d3845f96a14138577
== repart - systemd-growfs error ==
* /lib/systemd/systemd-growfs exists on the root filesystem but is missing inside the initramfs (found out using lsinitrd)
** perhaps a dracut bug?
* if difficult to fix / if fixed in Debian trixie, perhaps let's disable repart until Debian trixie?
* Fixed: https://github.com/ArrayBolt3/derivative-maker/commit/c519b88fa2667ab2a2bd393c03d7be77939cddc7
== git symlink research ==
* please research security impact of "the most interesting git symlink ever"
* please review, improve [[git]] as that wiki page might be used in case we send feature requests to projects to stop using git symlinks
* Researched, tweaked documentation slightly, this doesn't seem to be a major issue.
== ram-wipe improvements ==
* useful to implement? https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994/7
* please review https://www.kicksecure.com/wiki/Dev/RAM_Wipe
* this is currently missing in testing by 3mdeb:
page_poison
passing "P" to slub_debug
zeroing heap memory at free time (init_on_free=1)
* maybe still time to add this before 3mdeb does ram-wipe testing?
* Aaron: Discussed in chat, we'd like 3mdeb to test the "plain" version without special kernel parameters set.
* Aaron: We should NOT pass "P" to slub_debug, see https://gitlab.tails.boum.org/tails/tails/-/issues/18858
== live-build - use /etc/dracut.conf.d method to speed up the build ==
* similar to how it is implemented in 3500_install-packages
* Done, also fixed a problem with the Dracut initramfs inhibition code not being removed for VM builds.
** live-build: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
*** Patrick: Merged.
** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/commit/6b87d731322d063fe21cc36da2409d4aed9d3254
*** Patrick: Merged.
== fix - leaprun sdwdate-log-viewer ==
* currently shows no output
* Probably due to somewhat broken stdout/stderr streaming from privleap. Fixed buffering issues and added the ability to terminate running actions from leaprun, then enabled --no-pager and -f options in sdwdate-log-viewer:
** sdwdate: https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/log-viewer
*** Patrick: Merged.
** privleap: https://github.com/ArrayBolt3/privleap
*** Patrick: Merged.
== user-sysmaint-split - enable in VM images ==
* currently user-sysmaint-split is only enabled on ISOs, enable it for VBox/KVM/etc. images as well
* already done
** please grep for user-sysmaint-split
* Patrick working on this.
* Done.
* Aaron: Code looks good, did a VM build and verified that this works.
== fix ram-wipe on plain Debian trixie ==
* https://github.com/Kicksecure/ram-wipe/issues/2
* report to Debian
* update [[ram-wipe]]
* Debugged, reported fixes and filed a Debiian bug, Patrick is implementing fixes.
* Debian bug for fixing dracut: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103457 Unable to boot LUKS-encrypted system]
== systemd-repart Qubes error ==
sudo journalctl --boot -u systemd-repart
Apr 15 22:33:30 host systemd-repart[256]: Can't fit requested partitions into available free space (1004.0K), refusing.
Apr 15 22:33:30 host systemd-repart[256]: Automatically determined minimal disk image size as 20.0G, current image size is 20.0G.
Apr 15 22:33:30 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 22:33:30 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
Apr 15 22:33:30 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.
* Possible to avoid disabling systemd-repart entirely inside Qubes? Because Qubes or users might start using it in theory.
* implement repart enabling similar to /usr/libexec/initializer-dist/chroot-scripts-post.d/75_setup-wizard-dist
* do not enable in Qubes
* Should be solved:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/repart
*** Note: I do not yet know for sure if the marker-vm file this implementation depends on will be present when dist-base-files is installed into the template. Asked in the Qubes OS Matrix room.
**** Patrick: Should not matter since my revision. Now a chroot-script handles this which runs after package installation. This is easy to see in the Kicksecure Qubes Template code. First packages are installed and only after the chroot-scripts are executed.
** initializer-dist: https://github.com/ArrayBolt3/initializer-dist/tree/arraybolt3/repart
*** Patrick: Merged.
** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/commit/cb961e90bb863665f5fe745c8da3547c32a4f64f
*** Patrick: Merged.
** Patrick: Please review my revision.
** Patrick: Please review my revision. #2
*** Aaron: Reviewed, looks good to me.
== user-sysmaint-split - unit fails on first sysmaint login ==
* the sysmaint account specific config routine is failing on the first sysmaint login, because PAM hasn't created the /home/sysmaint directory when this code attempts to run.
* move the code from sysmaint-boot to sysmaint-session and sysmaint-session-wayland
* Fixed, also refactored some duplicated code into a shared library: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-config
** Patrick: Merged.
== helper-scripts - strange symlinks issue ==
* due to a mixup with the append/append-once/overwrite rewrite, we now an append-once symlink that points to a file with the contents of a script as its name (this script was intended to replace the symlink, not become the target file name).
* Replace the symlinks with the intended scripts.
* Fixed: https://github.com/ArrayBolt3/helper-scripts/commit/370bd938dd54f9a53f95913ac174189d6cf57a03
** Patrick: Merged.
== research systemd-repart ==
* please research systemd-repart on how to automatically resize the image at first boot to use the full size of the storage medium
* interesting in context of RPi
* systemd-repart might be interesting in any case, not just for RPi images.
* Users are confused by [[sparse files]]. Our "normal" (non-RPi) images have a size of 100 GB. They can grow up to 100 GB. [[Grow_Virtual_Harddisk|Virtual Hard Disk Size Increase]] is a non-trivial process for users. Could systemd-repart help us to ship smaller apparent size images that can be more easily grown by users after boot?
* Researched, turns out making it so that the root partition is resized any time the disk is resized is not particularly difficult, and the easy way of doing it makes it so that the resize works properly ''any'' time it's resized, not just on the first time.
* Implemented resize support:
** initializer-dist: https://github.com/ArrayBolt3/initializer-dist/tree/arraybolt3/repart
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/repart
** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/commit/e3318ad701cca97d0defec5bf4cd73c78b06ebd7
== review and improve append-once ==
* [[append-once]]
** Aaron: Documentation updated to match the new implementation.
* https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/append-once
* Had some ideas for improving performance and reliability, shared in chat.
* use case: simplify writing to files while developing unrelated scripts (such as user-sysmaint-split)
* please rewrite in python as suggested
* the following tools should probably be separate tools
** these might however have shared code inside a library if that is sensible
* tool requirements:
** atomic writes
** error handling (unwriteable parent folder, unwriteable file)
* required functionality:
** only for already actually used use cases
* list of tools
** append (equivalent of: echo test >> testfile)
** append-once
** overwrite (equivalent of: echo test | sponge testfile)
* unneeded functionality for now:
** not adding a newline at the end (equivalent of: printf "test" > testfile)
** appending the the last line of the file (without starting a newline) (equivalent of: printf test >> a)
* Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/file-utils
** All tools implemented as a multicall executable append, with append-once and overwrite symlinks.
*** Patrick: Merged.
== sysmaint-panel - support change full disk encryption fde password ==
* cases to consider: disk not encrypted
* Implemented:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/pwchange
*** Patrick: Merged.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/4cae9d07ec439da362ebd616f8f8367c35fa32da
*** Patrick: Merged.
** Note that the disk passphrase button is always visible, this is because the user might have external encrypted devices they wish to access or change the passphrases of.
** The crypt-pwchange utility DOES NOT offer the ability to add new passphrases, or delete existing ones. Those might be valuable features to add in the future.
== sysmaint-panel - add grub bootloader password support ==
* please review and improve
** /usr/sbin/grub-password-status-check
** /usr/sbin/grub-pwchange
** systemcheck check_grub_security
** [[Protection_Against_Physical_Attacks#How_to_set_a_bootloader_password|How to set a bootloader password]]
** Aaron: Reviewed all of the above, sent comments in chat. Mostly looks good and appears to work on my end.
* add grub bootloader password support to sysmaint-panel
** do this on the host only, not inside VMs?
** Aaron: I don't think we need to restrict it like that - while bootloader passwords aren't theoretically useful in VMs, they might be practically useful against a low-skill adversary, and doing this would complicate development and make testing trickier.
*** Patrick: Agreed.
* Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/0271a053bfc3d1457ff11fc8889d1f088b8068c5
** Patrick: Merged.
== pstore disabling - please comment ==
* https://github.com/Kicksecure/security-misc/pull/304
* Looks like a good change to me, reviewed and requested a README change.
* Reviewed latest changes, things look good to me and the pstore disabling appears to work in my testing.
== Debian feature request - Debian's shim signed by Debian's key ==
* Debian's shim signed by Debian's key on top of Microsoft's key
* Sent feature request against shim.
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102680 Offer a shim-signed variant signed by Debian's Secure Boot key]
== Dev/boot wiki page - review ==
* Patrick made stylistic changes but commands remain all the same. Please review [[Dev/boot]].
** Aaron: Reviewed, made minor changes. Looked very good for the most part.
* This is in preparation for the next task.
* Is command grub-install --force-extra-removable correct? (Unchanged.) It looks a bit short.
** Aaron: This is the right command. GRUB will automatically figure out where to install the bootloader since we're installing an EFI bootloader. This applies even when the system is not booted with UEFI.
* Note: While testing to make very sure this command was correct, I discovered USB boot isn't working right with U-Boot in this setup. Noted down the issue, this will probably take further research to resolve.
** Was resolved in task below.
== RPi GRUB - research USB Boot Support ==
* todo
* Discovered this is a problem with Bookworm, and Trixie is not affected. Documented the likely cause of the issue.
== RPi GRUB - Post TLDR Instructions on Debian RPi Salsa Feature Request ==
* rationale, potential issues (speculation): people not wanting to visit external websites / Kicksecure wiki / TLDR / not enough time to read lengthy instructions, planning to look later, then forgetting, stunned by complexity, ...
* todo: Please review, improve the TLDR version of [[Dev/boot#Booting_Debian_Trixie_with_GRUB_.2B_u-boot_on_Raspberry_Pi_4|Booting Debian Trixie with GRUB + u-boot on Raspberry Pi 4]]
* can be posted on https://salsa.debian.org/raspi-team/image-specs/-/issues/78, if appropriate
* Aaron: Posted. Did ''not'' add the short version to the Wiki since it felt awfully redundant and I wasn't sure I was supposed to do that.
** Patrick: Redundant instructions not required indeed. Task is complete.
== FYI - CodeSelect versus pipes ==
* note: (you might already know this.) CodeSelect cannot use pipes ("|"). These need to be excaped as {{!}}.
{{CodeSelect|code=
xzcat raspi_4_trixie.img.xz {{!}} sudo dd of=/dev/mmcblk0 bs=4M
}}
* This gets rendered as expected as:
{{CodeSelect|code=
xzcat raspi_4_trixie.img.xz {{!}} sudo dd of=/dev/mmcblk0 bs=4M
}}
* Just mentioning this to avoid a copy/paste issue (if copying from wiki source code) in the over next task.
* This task can be moved to archived.
* Aaron: Did not know this, will keep this in mind in future edits.
== stcatv - review ==
* please review https://github.com/Kicksecure/helper-scripts/pull/19
* Reviewed, single minor change suggested, otherwise looks (and in my testing works) great.
== user-controlled verified boot UEFI Application review ==
* please review, improve: https://www.kicksecure.com/wiki/Verified_Boot#user-controlled_verified_boot_UEFI_Application
* Reviewed, added some changes, Patrick added some more changes and then submitted to 3mdeb.
== user-sysmaint-split - run updatecheck ==
* as discussed
* Done: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/services
** Patrick: Merged.
== user-sysmaint-split - show persistent vs live status ==
* as discussed
* Done: https://github.com/ArrayBolt3/sysmaint-panel/commit/37065e0be2095f2e7dd5f6a461fefb701f0c2254
** Patrick: Merged.
== user-sysmaint-split - bug - prevent account user login in sysmaint mode ==
* as discussed
* Could not identify how the bad login could end up happening in the first place, did identify why the bad login became a lockout situation and fixed it.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/fix-session-exit
*** Patrick: Merged.
* Realized that our terminology with "PERSISTENT mode USER", etc. was out of date in the process. Went through and mass-fixed it:
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/rename-boot-modes
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/rename-boot-modes
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/rename-boot-modes
** setup-wizard-dist: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/rename-boot-modes
** tb-starter: https://github.com/ArrayBolt3/tb-starter/tree/arraybolt3/rename-boot-modes
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/rename-boot-modes
** whonix-base-files: https://github.com/ArrayBolt3/whonix-base-files/tree/arraybolt3/rename-boot-modes
* Patrick: All merged.
== unicode - sanitize suspicious characters in informative lines ==
* as discussed, avoid using repr
* might not need done after all, see chat
== grub-live - GRUB configuration not being regenerated when switching initramfs generator ==
* When installing initramfs-tools on Kicksecure, grub-live-dracut is swapped out for grub-live-initramfs-tools. This seems to work for the most part, however the GRUB configuration isn't regenerated, meaning live boot is broken until the next time the user (or some other part of the system) calls update-grub.
* This is because update-grub is only called when the master grub-live package is installed or removed. If one of grub-live-dracut or grub-live-initramfs-tools are installed or uninstalled, but the main grub-live package isn't, the GRUB configuration isn't regenerated. This is exactly what happens when switching initramfs engines usually.
* Fix: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/initramfs-switch-fix
== updatecheck, setup-wizard-dist - don't assume sysmaint components are present ==
* Patrick working on this.
* [DONE] updatecheck assumes sysmaint-panel is preinstalled and instructs the user to use it, even if it's not present
* setup-wizard-dist does things similarly
** Aaron: Fixed: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/no-assume-sysmaint
*** Patrick: Merged.
* adjust both to only show sysmaint-related information if the corresponding components are installed
** Patrick did updatecheck, Aaron did setup-wizard-dist, so this is now solved.
== RPi GRUB - notify debian-arm mailing list ==
* todo
* Done.
* https://lists.debian.org/debian-arm/2025/04/msg00012.html
== user-sysmaint-split - documentation improvements - #2 ==
* document Qubes boot modes on [[Dev/user-sysmaint-split]]
* document difference for user-sysmaint-split installation on Qubes R4.2 versus Qubes R4.3
* Read through the document, fixed some errors and omissions and added the requested docs.
== review - lightweight update notifications - #2 ==
* Implemented by Patrick. Please review.
* [DONE] consider custom languages. Needs LC_ALL=C?
* [DONE] notify leaprun failures
* [DONE] consider if update_package_count is not a number?
* [DONE] grep APT output for errors and notify?
* [DONE] systemcheck function check_dpkg or equivalent useful? If apt/dpkg is broken due to broken packages, that does not really break apt update?
** Not needed. DPKG is irrelevant.
* [DONE] use systemcheck function check_package_manager_running or equivalent?
** [DONE] if running for a "reasonable time", wait
** [DONE] if running "forever", notify that update check is broken
* [DONE] consider systems running for 12 or 18 hours etc:
** [DONE] Do notifications pile up more and more? Avoidable?
** [DONE] Can we clear prior notifications?
** [DONE] Can stale notifications be avoided? Can we clear "update check broken" notification once "updates available" notification came in? Can we clear "updates available" once user updated?
* Other error cases to notify?
* Documentation:
** [DONE] [[systemcheck]]: [[Systemcheck#Update_Notifications_by_updatecheck|Update Notifications by updatecheck]]
** [DONE] [[Dev/Automatic_Updates]]: [[Dev/Automatic_Updates#updatecheck|updatecheck]]
** [DONE] [[Operating System Software and Updates]]
** [DONE] non-Qubes vs Qubes
** [DONE] document disabling
* [DONE] notify https://forums.kicksecure.com/t/notifications-about-new-updates/774
* Aaron: Reviewed, added some documentation updates, found and fixed a likely minor bug with debug output.
** Bugfix: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/updatecheck
*** Patrick: Merged.
== trailing whitespaces - please comment ==
* please research
* please comment in https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754 (or elsewhere) how trailing whitespaces can lead to security and/or other issues, if applicable
* Added a comment with an analysis of spaces causing issues in Bash, Python, and Rust. Bash seems to be vulnerable to the most alarming problems here, C interestingly seems resistent to these types of attacks.
== enable X event buffering by default for Whonix ==
* https://github.com/QubesOS/qubes-issues/issues/9771
* PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/20
** Patrick: please enable kloak-alike in Qubes by default for existing users that upgrade
** or other, better solution acceptable by Qubes
*** Aaron: Fixed, now works for existing VMs as well.
* Merged upstream.
== user-sysmaint-split - sysmaint-panel - add terminal background tinting ==
* tint terminals in sysmaint mode slightly red to encourage users to be careful while in sysmaint mode
* Done, also added framework for making similar tasks easier in the future: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/terminal-tint
** Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - new features ==
* sysmaint-panel could be used to promote nice but lesser known functionality
* apt-get-reset
** should renamed to apt-get-reinstall?
** rationale: re-installation of a package (if other packages depend on it) while restoring configuration files back to package defaults is very difficult for users. Hence, apt-get-reset has been invented.
* dummy-dependency
** use --purge?
** do not yet --yes, obviously
* Both features (and some additional software uninstallation features) implemented in https://github.com/ArrayBolt3/sysmaint-panel/commit/320f4bea7faa288b659fc20a35d3e318bf363980
** Patrick: Merged.
== research depthcharge ==
* moved to [[Dev/boot]]
== Minimal Firmware combined with Linux Based Bootloader - review and improve the wiki draft ==
* https://www.kicksecure.com/wiki/Verified_Boot#Minimal_Firmware_combined_with_Linux_Based_Bootloader
* Read through, fixed a wording issue, added some more ideas and an important requirement
== updatecheck - avoid assuming Internet access ==
* updatecheck assumes Internet access and will return errors without it. We should enter add checks for network connectivity somewhere in here, skipping checks when it is absent and doing them when it is present.
* Fixed in https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/updatecheck-polish
== updatecheck - send_notification_wait_exit fixes ==
* Ensure title is displayed correctly, right now it looks like it will be glued onto the start of the message without formatting
* Avoid saying "Please run systemcheck" when unnecessary
* Fixed in https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/updatecheck-polish
== safe-print follow-up issues ==
* easy to fix, minor issues (such as an imperfection in debian/control): please fix
* bigger (more time consuming) issues: please create github tickets for Ben for stecho issues that have not been addressed yet
* Minor fixes: https://github.com/ArrayBolt3/helper-scripts/commit/345d20955b121f2a2249e53c3319dbf118e0f805
** Patrick: Merged.
* Filed https://github.com/Kicksecure/helper-scripts/issues/18 as a followup
== unicode - don't strip trailing whitespace ==
* as discussed
* slight issue with the title "don't strip trailing whitespace" actually meant "show trailing whitespaces"
* done: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/unicode-show-enhance
** Patrick: Merged.
== RPi GRUB - Continue Research ==
* non-goal: RPi Secure Boot (due to issues documented in chapter [[Verified_Boot#Raspberry_Pi_RPi_Based]])
* non-goal: hiding of u-boot
* goal: complete RPi GRUB support for the purposes of
** being able to implement RPi GRUB support in grml-debootstrap - maybe - at a later time - depending on grml upstream feedback on RPi support
** being able to implement the functionality in derivative-maker (in case grml upstream rejects RPI GRUB support)
** todo items (updated by Patrick) on [[Dev/boot#Load_GRUB_with_u-boot]]
* document raspi-firmware versus clobbering config.txt (by /etc/kernel/postinst.d or similar) and consider how an implementation later could handle this (probably by using config-package-dev hide, dpkg divert or otherwise)
* Research done, additional notes added to Dev/boot. Likely ready to continue implementation when desirable.
== investigate Raspberry Pi GRUB compatibility ==
* to allow user-sysmaint-split and security enhancing kernel parameters to be used on the RPi
* use u-boot to load GRUB if possible, UEFI features of u-boot may be required for this
* grub-uboot may also be usable, though this works on 32-bit ARM only, but if it can load a 64-bit kernel, that might be OK
* or preferably https://packages.debian.org/bookworm/u-boot-rpi ?
* Got it to work with u-boot-rpi and grub-efi-arm64. Documented procedure and concepts at https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_.2B_u-boot_on_Raspberry_Pi_4
== unicode ==
* please review the recent commits, improve, applicable:
* please read, comment, if applicable: https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754
* if something new could be learned, consider if stecho also needs changes
* Reviewed, discussed with Patrick in chat.
== user-sysmaint-split - fix live mode sysmaint ==
* broken at dracut mount after entering FDE password
* Fixes:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/live-sysmaint
*** Patrick: Merged.
** grub-live: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-sysmaint
*** Patrick: Merged.
== user-sysmaint-split - custom lightdm autologin configuration breaks sysmaint mode boot ==
sudo append-once /etc/lightdm/lightdm.conf.d/user-autologin.conf "\
[SeatDefaults]
user-session=xfce
autologin-user=user
"
* Should be fixed by https://github.com/ArrayBolt3/user-sysmaint-split/commit/46a72d139e10479dfdec55dcbdf9818bea1eceef
** Patrick: Merged.
== privleap - better error message in case comm socket cannot be created as expected ==
WARNING: Account 'lightdm' is not allowed to have a comm socket
* new feature "expected-non-user+=lightdm"
* better:
handle_control_create_msg: INFO: Account 'lightdm' is not allowed to have a comm socket, as expected, ok.
* Implemented:
** privleap: https://github.com/ArrayBolt3/privleap/commit/78b83a9ff22a91c47bab9964e6d8b76672dc5f06
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/expected-disallowed-users
*** Patrick: Merged.
== review safe-print ==
* https://github.com/Kicksecure/helper-scripts/pull/14
* Merged by Patrick.
== leaprun - implement --check command line parameter ==
* to check if it would be allowed to run an action without running the actual action
* Implemented in https://github.com/ArrayBolt3/privleap/commit/fb76cc6a7683a789ef9d69096a05077350b7ec0f, tests pass, haven't done real-world testing yet.
* Patrick: Merged.
== user-sysmaint-split - lock screen command broken ==
* to debug, a terminal was started and then sysmaint-panel was started from the terminal emulator
/usr/bin/zsh
[sysmaint ~]% sysmaint-panel
requestActivate() called for QWidgetWindow(0x120a4600, name="BackgroundScreenWindow") which has Qt::WindowDoesNotAcceptFocus set.
xscreensaver-command: no screensaver is running on display :0
* Aaron: Known issue from last night, I apparently forgot to mark it in the task tracker though and only documented it in the progress reports. Fix in user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/screenlock
*** Parick: Merged.
* Also found some other bugs while researching and fixing this:
** Warnings about missing passwords when disabling autologin were appearing at the wrong time in some situations. Fix in helper-scripts: https://github.com/ArrayBolt3/helper-scripts/commit/adaecfafcb6abae0bafb6f2d31436a661875bdfd
*** Parick: Merged.
** Software update notifications were appearing in a sysmaint session (which is not necessary or desirable). The notification would also advertise using sysmaint-panel even if it wasn't installed. Fixes in systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/fix-updatecheck (Note: Includes some migration code, see chat for details)
** /etc/apt/sources.list.d/derivative.list was not being generated on first boot if the user booted into PERSISTENT mode SYSMAINT first. Fix in repository-dist: https://github.com/ArrayBolt3/repository-dist/tree/arraybolt3/sysmaint
*** Parick: Merged.
== user-sysmaint-split - sysmaint-panel - check system status button - add delay ==
* systemcheck takes 2-3 seconds until user gets feedback. i pressed the button twice and then had a duplicate systemcheck.
* please disable the button for 2-5 seconds after it has been clicked.
* visible disable the button if the effort for that is reasonable
* perhaps a counter that counts down 5, 4, 3, 2, 1?
* perhaps generally should be the case for all buttons
* Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/7e39a7df817045ba3c4bc6f7a1f64e82bba71d92
** This is implemented for most buttons, except for Open Terminal, Reboot, Shut Down, and Install Software. The user experience when using those doesn't warrant a timeout lock and adding a timeout lock there would probably annoy the user.
** Visible timeout counter is present, implemented by adding a (5) at the end of each button label for the duration of the lock (where "5" will be replaced with the remaining seconds until the lock times out).
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - install updates button confusing ==
* since it only runs apt dist-upgrade, users might miss out on upgrades because users might not know it's apt update followed by apt dist-upgrade
* Mostly resolved in https://github.com/ArrayBolt3/sysmaint-panel/commit/7ae6a0dcee5e15794dfdb78e9f804d0bf9394095, additional questions and details shared in chat
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - output formatting issue ==
* shows:
/usr/bin/sudo
/usr/bin/apt
update
* that is confusing even for users that know that command. better: /usr/bin/sudo /usr/bin/apt update
** Fixed: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/terminal-helper-output
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - wrong error message if logging in as wrong user ==
* login with account "user" after booting into sysmaint mode
* ignore warnings by pam-info during login screen that already advice against logging in with account "user" (because the user might miss them in the future due to PAM bugs, pam-info bugs, other login managers)
* actual: sysmaint-panel shows error "boot into sysmaint"
* expected: sysmaint-panel shows error "please login as account "sysmaint"
* Fixed by implementing a new dialog: https://github.com/ArrayBolt3/sysmaint-panel/commit/b782aa512689242d2a8066a1d7a36bc0ce40fc9b
* Patrick: Merged.
== user-admin-split - documentation improvements ==
* Qubes R4.2 vs R4.3
* Qubes uninstallation instructions (passwordless-root)
* Qubes boot modes
* user documentation
* developer documentation
* anything else missing
** Aaron: Don't see much missing, added requested points.
== autologinchange versus empty password ==
* issue:
** pwchange at time of writing does not notify if autologin is enabled
** autologinchange at time of writing does not notify if an empty password is being set
* the user might intend to secure their by using autologinchange and then be surprised that login without a password is still possible
* how could setting a password and autologinchange be more connected from a usability point of view?
* should one tool at the end of its execution recommend the other, if that seems applicable?
** applicable?
*** when disabling autologin, suggest to user to set a password, if password is currently empty.
*** when setting a password, suggest to user to disable autologin, if autologin is currently enabled.
** use colorful background to notify user of this potential discrepancy?
* or suggest or autorun systemcheck login security check only after such changes to make it obvious?
* Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/pwchange-autologinchange-link
** Went with the strategy of having each tool warn if things are insecure when the user is doing hardening (i.e. warn about autologin when adding a password, or warn about empty password when disabling autologin)
** Patrick: Merged.
== lightweight update notifications ==
* Qubes vs non-Qubes:
** should not conflict with Qubes internal updater (multiple APT background processes blocking each other) - do this only inside Non-Qubes?
** on the other hand, systemcheck contains many tests that are useful inside Qubes as well
** Qubes developers do not wish the user to see a lot duplicate passive popups, active progress bars and active popups
*** Aaron: Qubes already shows upgrade notifications for VMs, so I would say this feature should not be added to Kicksecure or Whonix under Qubes OS. It's redundant and potentially conflicting.
* non-Qubes: GUI vs CLI?
** GUI: Implement this for the GUI version only?
** CLI: msgcollector supports writing to tty1 even for daemons (systemcheck) started in the background but this is probably confusing and disruptive. (Was default in the past.)
*** Aaron: Agreed, should be a GUI-only feature. CLI users can just run apt commands manually easily enough.
* as a stopgap until one day [[Dev/Automatic_Updates|Dev/Automatic Updates]] gets implemented
* re-use systemcheck for this? Could consider to re-enable autostart of systemcheck by default as it contains already lots of tests. "systemcheck --gui" currently shows:
INFO: Kicksecure APT Repository: Enabled. When the Kicksecure team releases BOOKWORM-DEVELOPERS updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.kicksecure.com/wiki/Trust to understand the risk. If you want to change this, use:
dom0 -> Start Menu -> Template: kicksecure-bookworm -> Derivative Repository
WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated.
Please update your 'kicksecure-bookworm' TemplateVM.
1. Open a TemplateVM terminal. (dom0 -> Start Menu -> Template: kicksecure-bookworm -> Terminal)
2. Update.
upgrade-nonroot
3. Shutdown your TemplateVM. (dom0 -> Qubes VM Manager -> right click 'kicksecure-bookworm' -> Shutdown VM)
4. Shutdown and restart this TemplateBased AppVM. (dom0 -> Qubes VM Manager -> right click 'work-main' -> Shutdown VM)
* The first "INFO: Kicksecure APT Repository" might be too noisy and could easily be disabled in GUI output by default.
* git history contains /usr/libexec/systemcheckdaemon
** Aaron: systemcheck shows a lot of info about multiple components, much of which a user may skip over or be tempted to skip over. I would prefer implementing this in such a way that a typical desktop notification (such as what notify-send can produce) is shown to the user when there are updates.
** Patrick:
*** It's possible to run select functions only, for example: systemcheck --verbose --function check_operating_system.
*** Other functions might be useful as well such as check_package_manager_running and check_dpkg.
* Aaron: Implemented initial version of update notifications using a user-side daemon.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/updatecheck
*** Patrick: Merged.
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/notifyd
*** Not absolutely necessary, but makes notifications for the whole system much more pleasant to use, and provides a notification applet that can be added to the panel if desired.
*** Patrick: Merged.
== user-sysmaint-split - add screen lock button ==
* for locking screen while walking away from the system in sysmaint mode
* implement low-level lock command in helper-scripts, call the wrapper from sysmaint-panel, to be compatible with multiple screen lockers going forward
* Implemented:
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/6913d1451467ebc961236ca4e4c0cd4adcd00a8c
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/fix-qubes-systemd
*** Patrick: Merged.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/screenlock
*** Patrick: Merged.
== GRUB - boot related enhancements ==
* Are there any other boot related enhancements outstanding? If so, please create tickets for these.
== grml-debootstrap - downstream handling grub-cloud versus /etc/default/grub ==
* After/if https://github.com/grml/grml-debootstrap/pull/299 gets merged...
* config-package-dev displace /etc/default/grub? Avoid "fighting" for configuration file ownership by moving the file out of the way.
* Generate a configuration file using do_once. Probably not owned by any package.
* Ship a default /etc/default/grub configuration file:
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /etc/default/grub.d/50_user.cfg
##
## User documentation:
## https://www.kicksecure.com/wiki/grub
* minor comment on link: https://www.kicksecure.com/wiki/grub (lower case) vs https://www.kicksecure.com/wiki/Grub (normal case) is OK. Preferring lower case for simplicity thanks to MediaWiki extension SaneCase.
* Implemented for the most part in (broken link), though the comment at the top was not added yet because no other method of image generation we do adds that link and we cannot safely divert and replace this file. Details explained in chat.
* Patrick: Pending discussion.
* Aaron: Tried implementing again after discussion, attempt 2: https://github.com/ArrayBolt3/derivative-maker/commit/6b4e1a38345b69ae9c7e2b3212d7d0488cbd8b60
* Patrick: Merged.
* Patrick: Re-opened.
** mount image in step build-steps.d/3200_create-raw-image was broken. (file name base_image vs full image filename)
*** Re-factored and moved to 3500_install-packages
** grub-cloud sets: GRUB_TERMINAL_OUTPUT="gfxterm serial"
** bug: we used to unset: GRUB_TERMINAL=""
** Fixed.
** developer documentation: [[Dev/boot#.2Fetc.2Fdefault.2Fgrub.d.2F20_dist-base-files.cfg|/etc/default/grub.d/20_dist-base-files.cfg]]
** Please review.
*** Aaron: Reviewed implementation and documentation, looks good to me.
reopen:
* Aaron:
** Tangentially related, discovered a bug in my previous dist-base-files patch for enabling grub-cloud compatibility, resulting in the GRUB menu not being displayed on bootup. This is not caused by the grml-debootstrap PR, it was caused by me mistyping a variable name
** Fix: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/fix-grub
Patrick:
* PR seems not needed. See chat.
** Aaron: Replied in chat, PR seems needed to me, some confusion may be happening with different versions of grub-cloud.
*** Patrick: Merged.
== GRUB - lightweight document ISO GRUB ==
* https://github.com/derivative-maker/derivative-maker/tree/master/live-build-data/grub-config
* Dev/boot in similar style
* Added.
== user-sysmaint-split - qubes - features-request bug ==
* Whonix-Gateway Template and Kicksecure error message during upgrade from developers repository
Setting up dist-base-files (3:12.8-1) ...
Processing triggers for qubes-core-agent (4.2.41-1+deb12u1) ...
Traceback (most recent call last):
File "/usr/bin/qvm-features-request", line 111, in
sys.exit(main())
^^^^^^
File "/usr/bin/qvm-features-request", line 102, in main
subprocess.check_call(
File "/usr/lib/python3.11/subprocess.py", line 413, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['qrexec-client-vm', 'dom0', 'qubes.FeaturesRequest']' returned non-zero exit status 1.
Processing triggers for security-misc (3:44.4-1) ...
* Aaron: Cannot reproduce on Qubes R4.3.
** Discussed with Patrick, likely root cause determined. Fixes:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/qubes-sysmaint-fix
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/qubes-sysmaint-fix
*** Patrick: Merged.
== user-sysmaint-split - qubes - qrexec refactoring ==
new file: usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateDownload
new file: usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateSearch
new file: usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Filecopy
new file: usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Gpg
* a global configuration would be better to avoid getting desync as Qubes appends files or changes file names
* please open a ticket upstream to discuss
** Found an alternative solution that doesn't require upstream changes: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/better-qrexec-overrides
*** Patrick: Merged.
** Also includes fixes for other issues discovered during testing
== user-sysmaint-split - qubes - autologin message during upgrade ==
Setting up user-sysmaint-split (3:4.0-1) ...
GUI autologin is not applicable to Qubes OS.
* This message is confusing during upgrade.
* Prepend "INFO".
* Only showing during manual run please.
* Implemented:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologinchange-output
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/89cdc200c8e5fafe6393d3102db1939d9aad37e9
*** Patrick: Merged.
== user-sysmaint-split - systemcheck - autologin check message and documentation ==
* systemcheck recommends the sysmaint wiki page - not applicable for users that upgraded and that are not (yet or not anymore) using user-sysmaint-split
** Aaron: Adjusted systemcheck to point to the Login wiki page instead as suggested below. https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/login-security
*** Patrick: Merged.
** which wiki page is more suitable? [[login]]?
*** should [[Desktop#Disable_Autologin|disable autologin]] be moved to [[login]]?
** password change instructions are currently on [[Post_Install_Advice|Post-installation Security Advice]]
** Aaron: Moved instructions from both locations to the Login page.
* also related: [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]]
* please modify the wiki for better usability of this part. A wiki page is needed which explains at a glance, links users to more detailed sections.
** Aaron: Modified the Login, Post Install Advice, and Desktop wiki pages to move all login security related documentation into the Login page. Also added additional information about login security in general to the top of the login wiki page to provide good "at a glance" instructions. Also wrote a wiki page for the System Maintenance Panel itself so it could be referenced by other pages.
* systemcheck recommends sysmaint-panel - while not yet installed by default. Simplest solution would be to install it by default as it won't create issues for users not using user-sysmaint-split?
** Aaron: Sounds like a good idea to me. Implemented at https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/sysmaint-panel.
*** Patrick: Merged.
* systemcheck should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? or skip login security check inside VMs?
** Aaron: I think this might be overcrowding the systemcheck output a bit. We currently don't express an opinion on whether the autologin or password protection status for each account is a problem in systemcheck itself, we only hint at it via colors. To me, this feels like the right approach since only the end user will know for sure what is secure for them. I think the login security check is still valuable in VMs though, as some users might have a legitimate reason to password-protect a VM (for instance, in a kiosk-like setup perhaps).
* documentation should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? A lot users getting bothered with passwords and login prompts inside VMs if it does not benefit their threat model would be a usability degradation.
** Aaron: Agreed, this seems like a good place to put this kind of documentation. Added to the Login wiki page.
== older ==
[[Dev/todo/archived]]
= backlog - one day =
== apt-get - implement --restrict-install-recommends proof of concept ==
* todo
== Debian Installer Verification ==
* after live-build review queue made progress maybe
== Qubes doas ticket ==
* feature request doas support for Qubes
* ask if Qubes would accept doas configuration snippets
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* Ticket filed as an enhancement request: https://github.com/QubesOS/qubes-issues/issues/9599
* Backlogged, we're going sudoless rather than porting to doas for now.
== Qubes umask ticket ==
* /etc/sudoers.d/umask
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* This was only needed if migrating to doas. Superceded by sudoless mode, moved to backlog
== investigate porting from sudo to doas ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482
* can our /etc/sudoers.d snippets be ported to doas? is doas powerful enough for our requirements based on our already existing /etc/sudoers.d snippets?
* could we have a system that no longer requires sudo or would we end up with a system that comes with both, sudo and doas? ("double" attack surface)
* use ReplaceText as a wiki search engine to find our current uses of sudo because these would need to be ported to doas
** https://www.kicksecure.com/wiki/Special:ReplaceText
** https://www.whonix.org/wiki/Special:ReplaceText
** search terms:
** sudo
** lxsudo
* Ensure sudoers.d config files used in Kicksecure and Whonix on Qubes OS can be ported to doas
* Did an audit of all uses of sudo in kickseure and whonix codebases, and how difficult they should be to port to doas. Results: https://gist.github.com/ArrayBolt3/6699ec4c631fec28e1f4c0a2e657fcd7
* Superceded by sudoless mode, moved to backlog
== doas - send pull requests to Qubes ==
* [[Dev/todo#Qubes_doas_ticket|Qubes doas ticket]] might be unlikely to get rejected. But replies could take a while.
* Please send a pull requests. Since it is only 2 packages, 3 files the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask
qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
* Superceded by sudoless mode, moved to backlog
== create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator ==
* parse /usr/local/etc/doas.d
* parse /etc/doas.d
* parse only configuration files ending with .conf
* do not overwrite a file that does not contain our auto generated configuration file (could be user custom file)
** echo a warning in that case
* atomic, create variable then use sponge
* add to security-misc
* add a dpkg trigger
* /etc/doas.conf would require a header pointing out it is auto-generated.
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
* Superceded by sudoless mode, moved to backlog
== doas - add to security-misc permission hardener whitelist ==
* todo
* Superceded by sudoless mode, moved to backlog
== doas - create /etc/doas.d configuration snippets ==
* add /etc/doas.d configuration snippets to the various packages needing these
* if possible, pending discussion in https://forums.whonix.org/t/replace-sudo-with-doas/17482/19 for review of sudoers.d snippets by upstream
* Superceded by sudoless mode, moved to backlog
== bootloader password ==
* https://forums.kicksecure.com/t/harden-grub-bootloader-using-bootloader-password/723
== vm-config-dist re-installs same version ==
* Why a freshly built ova image attempts to upgrade vm-config-dist, even though it is already the latest version?
* https://download.kicksecure.com/ova/17.2.7.8/
* please investigate
[user ~]% dpkg -l | grep vm-config
ii vm-config-dist 3:10.5-1 all usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130 upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
/etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
/etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
/etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
/etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
/etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist
[user ~]%
* SHA256 is OK and matches my locally built package.
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
* The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...
# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
* I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it, I can do redo the build and check it if desired.
== str_replace utf-8 bug ==
str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
File "/usr/bin/str_replace", line 49, in
main()
File "/usr/bin/str_replace", line 26, in main
file_data = source_fh.read()
^^^^^^^^^^^^^^^^
File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
* Low-priority, could be difficult to fix.
== Qubes graphical-session.target missing bug ==
* Which source code file does enable systemd graphical-session.target target on Debian?
* https://github.com/QubesOS/qubes-issues/issues/9576
* Patrick: msgcollector now starts the systemd unit from /etc/xdg/autostart, that is good enough.
== add date and time detection to archive.today frontend ==
* This is necessary for the next task.
* If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
* (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
* We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.
== mediawiki bot setup ==
* no wiki mass editing required for now
* will be required for mediawiki mass editing
* https://www.kicksecure.com/wiki/Special:BotPasswords
* https://www.kicksecure.com/wiki/Special:BotPasswords/botname
* https://www.whonix.org/wiki/Special:BotPasswords
* https://www.whonix.org/wiki/Special:BotPasswords/botname
* note: replace botname with actual name of bot
== rootless X11 ==
* only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
* Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.
== power9 RAM encryption research ==
* todo
== auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing ==
* https://github.com/dracutdevs/dracut/issues/2589
* if doable with reasonable effort please send a pull request to dracut-'''ng'''
* Pull request: https://github.com/dracut-ng/dracut-ng/pull/694
* update: as discussed, low priority if effort is too high
== dracut add support for undeclared CDLABEL ==
as discussed
== live-build - Retry button in derivative-maker doesn't work ==
* low priority, move to backlog please
== live-build - remove trailing spaces ==
* can be done when upstream review queue of live-build has more room
= Footnotes =
{{Footer}}