{{Header}}
{{title|title=
ToDo for Developers
}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
{{Developers-only}}
= TODO DEV =
== trixie port - document enabling IPv6 on Whonix 18 ==
* for Qubes: set the <code>ipv6</code> feature to <code>1</code> on sys-net to allow IPv6 connectivity to work at all, then disable IPv6 on individual VMs you want to remain IPv4-only; ensure that sys-whonix and sys-firewall do NOT have IPv6 disabled
* for KVM: remove
from external network configuration
* for VirtualBox: no additional steps needed, works out of the box
** Aaron: Useful to create a new Whonix wiki page specifically for IPv6? We don't have a page intended for end users to read yet.
** Aaron: Updated https://www.whonix.org/w/index.php?title=Dev/ipv6.
== trixie port - update derivative signing key derivative.asc ==
* plan how to use a new signing key
** Aaron: Where all do we use the signing key? It's used to sign:
*** apt packages
*** git commits
*** git tags
*** OS images
*** Warrant canaries?
**** These are signed by OpenBSD's signify tool, not GPG, thus their key migration does not necessarily have to be bound to derivative.gpg's rotation.
*** anything else?
** apt package migration:
*** Due to how apt packages work, it is probably best to do this during release upgrade. Ship a new version of the key in legacy-dist in Bookworm only, install it during the release upgrade procedure and ensure all packages that are ever a part of the trixie repositories are signed with the new key.
** git commit/tag migration:
*** The key expires, so there isn't a risk of it being used to sign newer packages after expiration. Just start signing commits with the new key and let expiration handle everything else.
*** Add the new key to the list of trusted keys in derivative-maker so that people can still build older tags/commits if they need to.
** OS image migration:
*** Just start using the new key to sign OS images. Announce the key change publicly (i.e. on the forums) so users expect to need to update their key. Sign the new key with the old key so that users with high security requirements can transition from one key to the next without having to re-establish trust in the key.
** Canary migration, if needed:
*** Can we just start signing canaries with the new key? Or do we need to put the canaries in a different location and stop updating the old ones?
* Patrick:
** The plan might be good enough.
** I might just extend the validity of the signing key and postpone this plan.
* Patrick:
** Key has been extended.
== mouse fingerprinting ==
* todo
* https://forums.whonix.org/t/better-mouse-obfuscation/21445
* notify https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2477848847 if fixed
* update https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymization
* Current implementation: https://github.com/ArrayBolt3/kloak/tree/arraybolt3/anon-mouse
** Left some notes on the Whonix forums about this implementation's effects and shortcomings.
** Currently have prototype mouse implementation working and published, and prototype touchpad implementation kind of working, but this is not suitable for final release.
** Remaining work:
*** Hook all pointing devices and handle them with libinput (do NOT try to use evdev directly here)
*** Translate all movements into absolute coordinates that can be reported to the kernel (note: relative coordinates might also be acceptable as long as we can perfectly predict where the pointer is going to end up)
*** Use normal kloak buffering to obfuscate mouse movements and timings
*** Display a virtual pointer instead of (or in addition to) the real pointer that shows where the mouse actually is so the user can control it smoothly
* research reading list:
** https://www.mimic.sbs/
** https://github.com/MIMIC-LOGICS/Mouse-Synthesizer/blob/main/MIMIC%20A%20Kinematic%20Theory-Based%20Synthesizer-Alessandro%20Nicola%20Capriati.pdf
** https://www.mimic.sbs/antibot/On-Anti-Bot-Biometric-Protections.md/
*** Aaron: These look potentially useful, but I'm not experienced enough with the math being used here to really understand how this works. Given the final equations and a sufficiently powerful math library however, it might be possible to wrap the algorithms into a library which could then be made part of an application, where the user could define where to click, what area to move the mouse in, and the time period during which the mouse should move, then click a "play" button that would move the mouse and execute the clicks using these synthesized movements. It might even be possible to somehow integrate this into kloak, though I'm unsure if that would actually be advantageous or not.
* test page:
** http://jcarlosnorte.com/assets/fingerprint/
*** please document, if useful
**** Aaron: Does not appear particularly useful, only runs tests on scroll wheel behavior.
* Aaron: Current alpha-quality implementation: https://github.com/ArrayBolt3/kloak-v2
* Patrick: Please create a branch for Whonix/kloak
* check <code>gcc -fsyntax-only</code>, if sensible
<pre>
gcc -fsyntax-only src/kloak.h
gcc -fsyntax-only src/kloak.c
gcc -fsyntax-only src/kloak.c src/xdg-shell-protocol.c src/xdg-output-protocol.c src/wlr-layer-shell.c src/wlr-virtual-pointer.c src/virtual-keyboard.c $(pkg-config --cflags libinput libevdev wayland-client xkbcommon)
</pre>
* review https://github.com/assisted-by-ai/kloak/pulls
== trixie port - check compiled code ==
* does our compiled code still compile on trixie?
* any compile time warnings to fix?
* any new compile time hardening flags that should be used?
* this is mostly about kloak but may affect other compiled code
== trixie port - package refactoring - kicksecure-meta-packages vs qubes-whonix - #2 ==
* TODO: Reduce packages in https://github.com/Whonix/qubes-whonix/blob/master/debian/control thanks to the improved Qubes support by kicksecure-meta-packages, if applicable.
** https://github.com/ArrayBolt3/qubes-whonix/tree/arraybolt3/kicksecure-qubes-merge
** https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/kicksecure-qubes-merge
* Patrick: merged, tested and reverted
* Gateway:
<pre>
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
</pre>
* Workstation:
<pre>
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0 libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings
</pre>
* Patrick: is there anything else to do here?
== trixie port - split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server ==
* {{Github_link|repo=security-misc|path=/issues/187}}
* This is in preparation for the next task.
* Discussion on how best to do this posted at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674
* keep {{Github_link|repo=security-misc|path=/issues/184}} in mind
== trixie port - display brightness ==
* https://forums.kicksecure.com/t/display-brightness/1271/2
== trixie port - desktop theme improvements ==
* suggestions from https://forums.whonix.org/t/xfce-theming-a-few-suggestions/7205/82 valid?
* useful to change the desktop theme?
* Might be useful to postpone until after the port to trixie, i.e. after the first trixie based release. By that time, the desktop environment choice (Xfce vs LXQt) and Wayland should be settled. No point in improving the Xfce based style in case of porting to LXQt.
* Provided suggestions for improving Xfce theming and attempted to port the theming to LXQt. Should defer to Trixie.
* Can be postponed until after the first trixie based release.
* Aaron: Mostly implemented as part of the port to LXQt, but we should entirely remove MATE's notification daemon in favor of LXQt's (this hasn't been done yet).
== apt solver bug - pulling in incorrect alternative dependencies ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113744
* Obtain requested debugging information and attach to ticket
== Qubes OS IPv6 DNS ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/592
== in-vm kernel boot mode support ==
* GRUB patch for Xen command line parsing has been merged
* implement boot mode support for in-vm kernels in qubes-core-admin
== port to sequoia-pgp ==
* port all code base from gpg to sequoia-pgp as much as sensible
* related - not part of this task - only for reference - https://github.com/QubesOS/qubes-issues/issues/8241
* https://sequoia-pgp.org/blog/2022/12/19/202212-chameleon-0.1/
* https://packages.debian.org/trixie/sequoia-chameleon-gnupg
** Can we just symlink /usr/bin/gpg to /usr/bin/gpg-sq?
== qubes - qrexec to NetVM ==
* investigate if it is possible to get the name of a qube's NetVM from within the qube, or otherwise send qrexec requests to the NetVM
* contribute feature to upstream if it doesn't exist
* use case: don't require sdwdate-gui in Qubes-Whonix-Workstation to be explicitly configured to talk to the appropriate Qubes-Whonix-Gateway in a multi-gateway setup
== stardict - investigate ==
* debian policy applicable?
* https://www.kicksecure.com/wiki/Dev/Debian#startdict
== three finger salute ==
* https://forums.kicksecure.com/t/ctrl-alt-del-three-finger-salute-action/1197
* the three finger salute should do something useful similar to what it does on Windows
** lock screen (Qubes does that)
** start task manager
** emergency shutdown button
* Open a sysmaint (or root) shell?
** This feature can be deferred.
** SAK alike?
*** Can a compromised Wayland swallow the three finger salute and mount a login spoofing attack?
**** Aaron: No, because the salute is read by the handler via evdev, which is provided directly by the kernel. It could receive the keypress despite emerg-shutdown or similar seeing it too, but emerg-shutdown would SIGSTOP the compositor before running the actual Ctrl+Alt+Delete handler.
*** Perhaps we should use the real SAK, but reconfigure its action, if that is at all possible?
**** Aaron: Does not appear to be possible, see https://www.kernel.org/doc/html/v6.0/security/sak.html
** research SIGSTOP
*** Aaron: Looks like it works reliably, even when a stuck kernel thread is involved
** research locked up kernel threads and their abuse potential
*** Aaron: It appears the worst they can do is prevent processes from fully exiting, which isn't a problem for us. They also seem to be very hard to create, unless you have root access. See https://chrisdown.name/2024/02/05/reliably-creating-d-state-processes-on-demand.html
** anti-phishing code
*** static
*** TOTP - perhaps at a later time
== live-hardener vs efi bug ==
* probably already resolved?
<pre>
Aug 10 08:30:55 host live-hardener[767]: mount: /boot/efi: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
</pre>
== emergency-shutdown - bug - breaks Calamares installer ==
* todo
* Patrick: Still an issue? Duplicate of [[Dev/todo#Kicksecure_installer_versus_live-hardener_bug|Kicksecure installer versus live-hardener bug]]?
** might have been fixed in: https://github.com/Kicksecure/security-misc/commit/c59a3b233bd8893d466c020a2e2695ab545c6e60
** KVM affected?
== emerg-shutdown - delayed shutdown ==
* emerg-shutdown may be triggered by accident, users should have an opportunity to cancel unless the root device has vanished entirely
* for delayed shutdowns, show a warning of some sort and provide clear instructions on how to cancel the shutdown
** switch to a TTY and display a red screen with warning text on it?
*** may conflict with agetty, investigate how to suppress it (or switch to a TTY that isn't in use and that agetty isn't configured to spawn on)
* some users may need instant shutdown without warning, allow configuring the shutdown timeout, including making it 0
== emerg-shutdown - versus ram-wipe ==
* an init (systemd) wrapper?
* root disk must be unmounted so kernel deletes {{fde}} key from RAM
== emerg-shutdown - bugs ==
* Qubes:
** Should probably not run in Qubes at all? Disable using systemd unit file conditional?
<pre>
Aug 10 06:10:23 host emerg-shutdown[635]: Failed to find any input device supporting panic keys!
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Main process exited, code=exited, status=1/FAILURE
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Failed with result 'exit-code'.
Aug 10 06:10:35 host memlockd[677]: Mapped file /lib/x86_64-linux-gnu/libgpg-error.so.0
</pre>
* Non-Qubes:
** So far only observed in non-Qubes.
<pre>
Aug 11 08:27:57 localhost memlockd[1006]: Error mmaping /etc/resolv.conf: Invalid argument
</pre>
== emergency-shutdown - debugging improvements ==
* add more debug output:
** every relevant code path should be written to journal
** trigger needs to be recorded
** action needs to be recorded
** purpose: in case of bugs (such as above), it should be possible to debug this at least with a (virtual) serial console
== chvt hardening ==
* https://forums.kicksecure.com/t/chvt-change-foreground-virtual-terminal-vt-tty-prevent-malware-from-forced-tty-change/1274
== timesync developer wiki page improvements ==
* https://www.whonix.org/wiki/Dev/TimeSync
* [[anondate]]
* https://www.kicksecure.com/wiki/Dev/sdwdate
* please study, improve
* take note of Tor consensus and replay attacks
* in preparation for follow-up tasks
== sdwdate refactoring and improvements ==
* study sdwdate source code
* lightweight refactoring (such as no longer using classes because these are used inconsistently)
* separate into sdwdate-daemon and sdwdate-time-fetcher?
** Aaron: sdwdate-daemon is a very interesting idea, most likely useful for the ClockVM idea, however it is only feasible in situations where one either has multiple networked physical machines or multiple connected virtual machines (i.e. VBox with one Whonix-Gateway and many Whonix-Workstations, or Qubes OS). This is because the daemon has to be able to change the system's time as it sees fit in order to get Tor working (i.e. first get consensus to work by using certificate lifetime if possible, then get circuits to work using consensus, then get real time from three separate servers which are now accessible since circuits work). There is no way to isolate CLOCK_REALTIME changes from the rest of the system; Linux has time namespaces but they don't virtualize CLOCK_REALTIME. Thus sdwdate-daemon would have to be able to modify the system time freely in its mission to find the right time.
** In theory, this could be avoided if time changes could be communicated to the Tor daemon without modifying the system's wall clock. I do not know if this is possible, I suspect it isn't. Even if it is technically feasible, it would potentially be immensely complicated to implement.
** Perhaps implement sdwdate-daemon as a process that only returns whatever the next time step is, and also indicate whether there are further steps? Then sdwdate-time-fetcher could either ignore the date if the daemon indicates more steps are still to come, or accept it. The ClockVM itself would unconditionally accept sdwdate-daemon's reported time values in order to assist it in finding the correct time, then client VMs would only update their clock once the "final step" was reached.
* sdwdate oneshot feature (pick the median time from the 3 pools, output to console, then exit) if considered useful for the next bullet point
* add support for sdwdate to be used as a [https://forums.whonix.org/t/qubes-whonix-gateway-as-clockvm/19015 Qubes-Whonix-Gateway as ClockVM]
* note: sdwdate can already fix the clock if it is very slow (with the help of Tor consensus and anondate)
** Aaron: If the clock is very very slow, this seems to not work. Might be possible to use Tor certificates to get within a year of the correct date, then attempt to brute-force a month that will allow Tor consensus to work. As long as the Tor network itself will not work if the clock is too far off, we don't have to worry too much about replay attacks, untrusted data, etc. - the worst an attacker could do is denial of service, we'll only get working connectivity if we get very close to the correct time (or an adversary controls so many of the servers we're using it can trick us into thinking our time is correct, which is statistically unlikely...? is it actually statistically unlikely?)
* add feature to sdwdate to allow it to fix the clock if it is very fast too
** it may not be possible to implement such a feature securely (setting the clock forward has no security risk but setting the clock backwards makes already expired keys valid again). Perhaps it should just be a manual action? In theory, by setting the clock backwards very far into the past, sdwdate should be able to fix it. Perhaps we could try once to set the clock backwards just a few hours (not years) based on Tor consensus / anondate? Or perhaps this should only be possible by manual user action?
* use chrony - time setting only - not time fetching - as a replacement for sclockadj as per [[Dev/sdwdate]]
** or if easier, saner, port sclockadj from clock_settime to adjtimex?
** Aaron: Probably easier to port sclockadj, chrony looks a bit dangerous to me.
** please research, consider various options
== kicksecure - update torification improvements ==
* only shipped-by-default apt repositories go through Tor
* ideally, newly added apt repositories should go through Tor as well, as should flatpak installation and updates
** Flatpaks can be made to go through Tor by enabling an HTTPTunnelPort in Tor, then setting http_proxy and https_proxy to http://localhost:9080 (assuming your port number is 9080) when running Flatpak. There doesn't appear to be a way to set a proxy in Flatpak's configuration, thus this would probably require a wrapper.
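A sketch of the wrapper described in the bullet above, added here as an example and not Kicksecure's or Whonix's own code: it reads the HTTPTunnelPort from a torrc-style file, fails closed (refuses to run flatpak at all) when none is configured so a misconfiguration never silently falls back to clearnet, and otherwise runs flatpak with the proxy variables set. The function names, the torrc path argument and the sample torrc fragment are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example (hypothetical flatpak-tor wrapper), not code from Kicksecure or Whonix.
# Assumes Tor is configured with an "HTTPTunnelPort" line in the torrc passed as $1.

# Print the port of the first HTTPTunnelPort line in a torrc-style file.
# Accepts "HTTPTunnelPort 9080" as well as "HTTPTunnelPort 127.0.0.1:9080".
# Returns 1 (prints nothing) when no usable port is configured.
torrc_http_tunnel_port() {
  torrc="$1"
  [ -r "$torrc" ] || return 1
  port=$(sed -n 's/^[[:space:]]*HTTPTunnelPort[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$torrc" | head -n 1)
  [ -n "$port" ] || return 1
  # Strip an address prefix such as "127.0.0.1:" or "[::1]:".
  port="${port##*:}"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf '%s\n' "$port"
}

# The proxy URL flatpak's HTTP client will use (HTTP CONNECT through Tor),
# following the page's http://localhost:9080 example.
tor_proxy_url() {
  printf 'http://localhost:%s\n' "$1"
}

# Run flatpak through Tor. Fail closed: if no HTTPTunnelPort can be found,
# do not run flatpak, because it would otherwise connect over clearnet.
# Usage: flatpak_via_tor /etc/tor/torrc update
flatpak_via_tor() {
  torrc="$1"; shift
  port=$(torrc_http_tunnel_port "$torrc") || {
    echo "flatpak-tor: no usable HTTPTunnelPort in '$torrc', refusing to run flatpak over clearnet" >&2
    return 2
  }
  url=$(tor_proxy_url "$port")
  # Both lower- and upper-case variants, since HTTP clients differ in which they honour.
  env http_proxy="$url" https_proxy="$url" HTTP_PROXY="$url" HTTPS_PROXY="$url" flatpak "$@"
}

# Constructed sample torrc fragment so the parser can be exercised offline.
SAMPLE_TORRC=$(mktemp)
printf '%s\n' '# constructed sample torrc' 'SocksPort 9050' \
  'HTTPTunnelPort 127.0.0.1:9080 # tunnel for flatpak' > "$SAMPLE_TORRC"
# Constructed torrc with no tunnel port, to show the fail-closed path.
SAMPLE_TORRC_NO_TUNNEL=$(mktemp)
printf '%s\n' 'SocksPort 9050' > "$SAMPLE_TORRC_NO_TUNNEL"
```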
== flatpak update integration ==
* users are given the ability to easily install flatpaks via browser-choice, but aren't given any easy way to update them
* add code to upgrade-nonroot that also updates flatpaks
* Aaron: Implemented: https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/flatpak-update
* Patrick: should be deferred until update torification has been improved
== investigate Debian Rolling ==
* investigate why Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk Very incomplete, nowhere near usable. Will keep developing this.
== repository-dist - improvements ==
* {{Github_link|repo=repository-dist|path=?}}
* GUI: detect stable, stable-proposed-updates, testers, developers setting in GUI. I.e. if re-running the tool, keep the former setting. Should this depend on previous choice in the GUI (status files, probably easier) or actual status on the disk (might be manually modified by the user)?
* add support for switching back and forth between clearnet and onion
== Tool to onionize all APT sources ==
* https://forums.whonix.org/t/tool-to-onionize-all-apt-sources/13367
* Should it be part of repository-dist or a standalone tool?
== verified boot implementation ==
* assume firmware can extend trust to kernel via Sovereign Boot
* create a system for extending trust from kernel to initramfs and userland
* possibly investigate immutable images?
* Implementation idea notes:
** A system running with Verified Boot enabled must have the root partition in live mode (read only with tmpfs overlay). Therefore something similar to live mode will be needed when running in "verified mode"
** dm-verity is what Google uses, there seems to be no compelling reason for us to avoid it.
** Kernel modifications are not permitted, Kicksecure will be signing Debian's shim meaning only vanilla Debian kernels will be bootable. Rely on alternative ways of storing the dm-verity root hash in a secure immutable fashion, such as:
*** TPM / Measured Boot? Highly desirable if security issues don't result, as this avoids the need for user interaction unless something goes wrong.
**** Would require some way of authenticating that the TPM has not been reset (similar to Heads TOTP/HOTP codes)
*** User providing the hash on an external drive?
*** Verification passphrase similar to LUKS passphrase?
** Patrick: TPM is unavailable inside VMs? In this case, verified boot support is still desirable.
* Patrick
** Whonix-Gateway: either no verified boot initially or install user-sysmaint-split by default
** persistent mode, verified boot should still allow for logs persistent
** [[Verified_Boot#When_the_verification_is_over.3F|When the verification is over?]]:
*** "verification is a continuous process happening as data is loaded into memory"
*** "This means if malware manages to modify the /usr/bin/mv program despite immutability, then dm-verity would notice this the next time the user or system is attempting to execute that command."
*** The security gained from this feature is somewhat reduced if the attacker can use ephemeral overlays.
** consider [[Sysmaint#enable_sudo_access_in_USER_session|enable sudo access in USER session]] (developer debug mode): disable verified boot + write to disk + regenerate verified boot hash tree (this is to ease debugging issues only happening in user session but not in sysmaint session)
* prefer Debian on true read-only filesystem without ephemeral overlay to benefit from kernel verified continuous verification after boot feature
** [[Verified_Boot#Challenges_with_Immutable_Filesystems|Challenges with Immutable Filesystems]]
*** As-needed ephemeral overlays
*** Use alternate software that doesn't require root to be writable
*** as feasible, up for discussion
== permission-hardener - live bug ==
* got a bug report by e-mail
<pre>
sudo apt install network-manager-openvpn-gnome
</pre>
<pre>
security-misc (3:44.4-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'postinst' $*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file: /etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
</pre>
* random guess: Could there be issues with non-latin language settings?
* Why is it /usr/lib/live/mount/rootfs/filesystem?
* Could it be that the user booted into live mode?
* Maybe a case of low RAM where no further writes to RAM were possible?
* Booting into live mode and using APT should be supported as much as feasible.
* In case of insufficient information, could you please add debug code to provide more information in the future?
* Unsure if further information can be requested from the reporter, but I could try.
* Useful to add:
test -w "${file_name_from_stat}"
* permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
* Aaron: Cannot reproduce on ISO or in LIVE mode USER.
** The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
*** All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
*** We already offer a live Kicksecure ISO.
*** None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
*** And of course, permission-hardener doesn't expect anything under /usr to be read-only.
** Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
* Patrick: Done. Documented.
* Could you please add better error handling in this case?
== audio ==
=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share
=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between Pulseaudio and Pipewire on a booted VM, discovered I could "initialize" the speakers with Pulseaudio and then Pipewire would work thereafter
* Virtually certain this is an upstream bug, was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under Virtualbox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. Pulseaudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.
== live-build - test lb config --dm-verity ==
* Does the ISO still function if built with {{CodeSelect|inline=true|code=lb config --dm-verity}}?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** {{CodeSelect|inline=true|code=lb config}} won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup
== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10
== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415
== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
<pre>
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram; export AMD_DEBUG=zerovram; export RADV_DEBUG=zerovram;
</pre>
* if doable with reasonable effort
== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script to use git bisect to auto test which commit introduced this issue, maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
* Aaron: vanguards has been removed from Debian Trixie, still worth doing?
== VirtualBox serial console ==
* {{CodeSelect|inline=true|code=
sudo apt install serial-console-enable
}}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
* would installation by default be sane or a security issue?
== KVM related ==
=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - verify AppArmor sVirt confinement operation ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/593
=== KVM - use rootless ===
* https://forums.whonix.org/t/rootless-virtual-machines-with-kvm-and-qemu/20952
* port documentation (and XML files, if needed) to {{CodeSelect|inline=true|code=qemu:///session}}, if sane
* search Kicksecure; and Whonix wiki - using [[Special:ReplaceText]]
* re-check if sVirt is still functional
=== KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/594
* update documentation
** https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:_Use_more_than_One_Whonix-Workstation_-_Easy
** https://www.whonix.org/wiki/KVM#Creating_Multiple_Internal_Networks
** https://www.whonix.org/wiki/Multiple_Whonix-Gateway#KVM
=== KVM - IPv6 router advertisement issues ===
* when
is set in Whonix-external-network.xml, Whonix-Gateway cannot get an Internet-facing IPv6 address
* router solicitation messages are being sent according to tcpdump but router advertisement messages are not being received in response
* removing
from both the external and internal network configuration resolves the issue
* removing
from only the external network configuration resolves the issue if and only if Whonix-Gateway is allowed to fully boot before Whonix-Workstation is started
* above issues are present with Ubuntu 24.04's libvirt
* test a newer libvirt version (using Arch Linux?)
* file bug report if necessary
== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at installation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way, Whonix VMs still need these.
== Polkit - run only in sysmaint mode ==
* [[Polkit]]
* todo: discuss
* find solutions on how to have functional shutdown/restart/etc. buttons
== speed up build system ==
* get --force-unsafe-io working again or at least partially working, it's broken with mmdebstrap but maybe we can use it in some areas at least
* parallelize package builds if possible
* if we could figure out a hack to use native (de)compression routines rather than emulated ones that would probably help immensely
== per-app UID sandboxing ==
* todo: discuss
* related to the following tasks
== stackable wrappers ==
* in preparation for the next two tasks
* https://forums.whonix.org/t/stackable-wrappers/7944
* {{Github_link|repo=proposals|path=/blob/master/634-stackable-wrappers.txt}}
* https://forums.whonix.org/t/write-draft-for-stackable-wrappers-on-debian-devel/18776
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693
* review, comment, pull request where applicable
* draft and/or open a discussion on debian-devel
* use cases:
** automatically sandbox applications (such as when typing "browser-name")
** warn user against starting certain applications inside sysmaint mode such as browsers
== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task
== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss
== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?
== improved server support ==
* documentation
** rebrand wiki CLI for server
* Linux account passwords?
* cloudinit?
* vm-config-dist versus autologin CLI vs GUI vs server
== hidepid ==
* general information: https://www.kicksecure.com/wiki/Security-misc#hidepid
* enable by default for users of user-sysmaint-split?
* hidepid seems to make most sense if using user-sysmaint-split, because then account "user" cannot use sudo/pkexec anyhow
* test and implement https://github.com/systemd/systemd/issues/29893#issuecomment-2757436101 if sane
== research shred ==
* research if shred is still useful nowadays
* if not, should be replaced by safe-rm
= WAITING ON =
== remove unnecessary dependencies from arc-theme ==
* https://github.com/UbuntuBudgie/arc-theme/pull/2
* since upstream is unlikely to react, could you please send a patch to Debian instead if that seems possible/useful?
* or perhaps a different, better theme? separate ticket: [[#desktop theme improvements]]
* Aaron: Pinged Ubuntu Budgie upstream via Matrix, got a response, waiting to see how (or if) that develops. Debian is likely not the right place to override this unless we absolutely have to do that. In either event, the dependencies won't be removed until Forky at best.
== investigate Tor Browser metadata signing and expiration ==
* in context of: https://github.com/QubesOS/qubes-issues/issues/9983#issuecomment-3028994433
* Tor Browser does not appear to sign metadata. Even metadata used by Tor Browser's internal updater might be relying on unsigned metadata.
* Important to explain: Not only signed metadata is required, also fresh metadata is required. Therefore periodic re-signing is required.
* Compare with Firefox: Does Firefox's internal updater even have this feature? If Firefox has it, making the argument for Tor Browser to enable it might be much easier. If not, it might be better to request this feature from Mozilla as well.
* goal of this ticket: The only goal of this ticket is to post feature requests / bug reports on Tor Project (and Mozilla issue tracker if applicable) and to properly communicate this.
* non-goal: implementation
* info:
** Tor Browser uses json files: https://aus1.torproject.org/torbrowser/update_3/release/download-linux-x86_64.json
** Firefox uses xml as per https://firefox-source-docs.mozilla.org/toolkit/mozapps/update/docs/InAppUpdateProcess.html
* draft:
'''Rollback Attacks Definition:''' The Update Framework (TUF) defines `rollback attacks` [x]
> An attacker presents files to a software update system that are older than those the client has already seen. With no way to tell it is an obsolete version that may contain vulnerabilities, the user installs the software. Later on, the vulnerabilities can be exploited by attackers.
'''Rollback Attack Protection and Valid-Until Field''' Rollback attacks attempt to trick the updater into applying an outdated (and potentially vulnerable) version of the software. One widely recommended mitigation against rollback attacks is using a "Valid-Until" field or equivalent freshness period in the signed metadata, after which a given update should no longer be accepted. Firefox's internal updater does not publicly mention using a "Valid-Until" field (or explicit expiration on update metadata) to guarantee update freshness or safeguard against replay/rollback attacks in the same way as systems like The Update Framework (TUF) or Debian's APT.
'''Non-solutions:''' TLS might mitigate this attack, but higher security than what TLS can offer should be provided in case of TLS or server compromise.
'''Solution:''' Server side: sign, and automatically periodically re-sign, update metadata. Client side: accept only metadata whose signature is no older than a certain age.
'''Resources:''' Mozilla has blogged about rollback attacks in the past. [x]
[x] https://theupdateframework.io/docs/security/
[x] https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/
* Aaron: Filed issue against Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44039 Also requested a Tor Project Gitlab account, which I now have.
** I did not file a report against Mozilla Firefox, because their update mechanism involves automatically generated XML created by a backend server, whereas The Tor Project's update metadata seems to be static and not nearly as complicated.
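The freshness rule from the draft above, as an added, runnable illustration (this is not the Tor Browser updater's, Mozilla's or TUF's own code): the server stamps an expiry into the signed body and re-signs periodically; the client rejects a document whose signature fails, whose expiry has passed, or whose version is lower than one it already accepted. The JSON layout, field names, the seven-day window, the placeholder URLs and the HMAC stand-in for a real asymmetric signature are all assumptions made for this example; the real download-*.json files are not parsed here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Constructed stand-in for the publisher's key. A real updater verifies an
# asymmetric signature (TUF deployments commonly use Ed25519) so clients hold
# only the public half; HMAC keeps this example dependency-free.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"

# Assumed freshness window: metadata older than this is rejected even when the
# signature is valid, which forces the server to re-sign periodically.
MAX_AGE = timedelta(days=7)


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(payload: dict, signed_at: datetime, valid_for: timedelta = MAX_AGE) -> dict:
    """Server side: stamp 'signed'/'expires' into the body and sign it."""
    body = dict(payload)
    body["signed"] = signed_at.isoformat()
    body["expires"] = (signed_at + valid_for).isoformat()
    sig = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"signed": body, "signature": sig}


def verify_metadata(doc: dict, now: datetime, last_seen_version: int) -> Tuple[bool, str]:
    """Client side: accept only authentic, unexpired, non-regressing metadata.

    The signature is checked first so an attacker cannot edit 'expires' or
    'version' to slip past the later checks.
    """
    body = doc.get("signed")
    if not isinstance(body, dict):
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(doc.get("signature", ""))):
        return False, "bad signature"
    try:
        expires = datetime.fromisoformat(body["expires"])
        version = int(body["version"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if now >= expires:
        # A once-valid document replayed after its freshness window.
        return False, "expired"
    if version < last_seen_version:
        # Still inside its window but older than what this client already
        # applied: the rollback case that expiry alone cannot catch.
        return False, "rollback"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over constructed documents; returns the verdicts."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    url = "https://example.invalid/browser-%d.tar.xz"  # placeholder, not a real URL
    fresh = sign_metadata({"version": 14, "url": url % 14}, now - timedelta(days=1))
    stale = sign_metadata({"version": 13, "url": url % 13}, now - timedelta(days=30))
    older = sign_metadata({"version": 12, "url": url % 12}, now - timedelta(days=1))
    tampered = json.loads(json.dumps(fresh))
    tampered["signed"]["version"] = 99  # edited after signing
    return {
        "fresh": verify_metadata(fresh, now, 13),
        "stale": verify_metadata(stale, now, 13),
        "older": verify_metadata(older, now, 13),
        "tampered": verify_metadata(tampered, now, 13),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

Two points the draft's "Valid-Until" wording alone does not cover: a document that is still inside its window can be older than the version the client already applied, so the client also has to remember the last accepted version and refuse anything lower (TUF specifies this alongside expiry); and the expiry check is only as good as the client's clock, so an attacker who can push the clock backwards can revive expired metadata, which is one more reason secure time (sdwdate) matters for an updater.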
== grml-debootstrap bootloader installation failure in Docker ==
* https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
* please use discretion on how worthwhile it is to spend time on this. as in, if you think it's doable without huge effort and you like docker, please implement. Otherwise, please only provide instructions for reproduction and leave it to upstream or tableseeker to fix.
** Aaron: Ran into complications trying to fix this myself, handed off to tabletseeker for further investigation.
== RPi GRUB - contribute to Debian ==
* Start a discussion and contribute to https://raspi.debian.net/ if accepted by upstream.
* This and the above ticket might result in implementation feedback, such as for options in config.txt.
* Combined this and the debian-arm notification ticket into a single email.
* https://lists.debian.org/debian-arm/2025/04/msg00012.html
* Found:
** https://salsa.debian.org/raspi-team
** Seems active as per: https://salsa.debian.org/raspi-team/image-specs/-/issues/74
** https://salsa.debian.org/raspi-team/image-specs/-/issues
*** Please consider posting a feature request there for RPi GRUB support, if that is sensible. Draft:
add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]
Booting in this way has several substantial advantages over the current Raspberry Pi boot process:
* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.
Is this a feature for which you would welcome a merge request here, either as an option or even as the default? Obviously, at this point, RPi GRUB support could only be added to Forky and later.
(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)
* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335
* Aaron: Filed issue upstream using template: [https://salsa.debian.org/raspi-team/image-specs/-/issues/78 Support U-Boot + grub-efi boot flow]
** Also filed a bug report against raspi-firmware: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102607 Add support for U-Boot + grub-arm64-efi boot flow]
== RPi grml-debootstrap ==
* https://github.com/grml/grml-debootstrap/issues/114
* Draft PR at https://github.com/grml/grml-debootstrap/pull/335, needs more testing and work
* Tested and polished PR and marked it as ready for review.
* Added question about future support for U-Boot + grub-efi-arm64.
== qubes boot modes - in-vm kernel support ==
* todo
* Submitted to Qubes: https://github.com/QubesOS/qubes-linux-pvgrub2/pull/16
* Submitted to FSF: https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html
** Attempt to get attention for the patch again on April 11, try to smooth out some of the possible issues with the patch before sending if at all possible.
** If a second attempt at submitting the patch results in complete silence, return to Qubes and explain that attempts to upstream the patch weren't acknowledged.
== grml-debootstrap - EFI partition size ==
* https://github.com/grml/grml-debootstrap/issues/221
* zeha currently does not want to implement this until systemd-boot "happens" (I'm guessing this means until it is supported by grml-debootstrap).
== GRUB - Debian packages grub-pc and grub-efi co-install-ability ==
* please submit a patch to Debian to make grub-pc and grub-efi co-installable
* [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
* Submitted and awaiting review: [https://salsa.debian.org/grub-team/grub/-/merge_requests/76#note_590495 Remove ucf conffile conflict between grub-pc and grub-efi-{amd64,ia32}]
* Unfortunately this is not going to be able to make it into Trixie, it will have to wait for Forky before it makes it into Debian Stable.
== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
* Sent email to grub-devel mailing list to investigate this
== ISO - memtest86+ ==
<pre>
error: bad shim signature
</pre>
* Fixable?
* Apparently requires a security review: [https://github.com/rhboot/shim-review/issues/314 Meta: Signing memtest86+ v6.10]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375 memtest86+: fails to work with Secure Boot enabled]
* Asked about what contributions would allow this to move forward on the debian-efi mailing list: [https://lists.debian.org/debian-efi/2024/12/msg00021.html Memtest86+ Secure Boot signing]
== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930
== ISO - changed files issues ==
(annotated)
<pre>
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
</pre>
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.
== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.
== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370
== live-build - use APT with error-on-any ==
* use option {{CodeSelect|inline=true|code=apt --error-on=any}} for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS" ?
* Requires a patch to live-build. Using --apt-options results in a build failure with "E: Command line option --error-on=any is not understood in combination with the other options"
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
* Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.
== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as Debian Live ISO has)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.
== live-build - policy-rc.d handling ==
* https://salsa.debian.org/live-team/live-build/-/merge_requests/409
= REVIEW PLEASE =
== kicksecure Qubes Template - sdwdate qrexec Denied message ==
* [https://github.com/QubesOS/qubes-issues/issues/7447 Kicksecure inside Debian Template sdwdate qrexec Denied message]
* Rewrote sdwdate-gui to function better under Qubes. '''NOT READY FOR MERGE, REQUIRES CHANGES ON THE QUBES OS SIDE ALSO.'''
** sdwdate-gui: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/qubes-redesign
** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/sdwdate-gui
** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/sdwdate-gui
* Qubes side:
** https://github.com/QubesOS/qubes-issues/issues/10020
** https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/21
* pending questions by Patrick on migration path
** Aaron: Absent rm_conffile commands were an oversight. Corrected now.
* Qubes OS side changes merged, waiting to merge sdwdate-gui changes until Trixie port.
* issue: Kicksecure 18 (trixie based) + Qubes R4.2 - as discussed
* https://github.com/QubesOS/qubes-issues/issues/10219
* Aaron: Current plan is to maintain Kicksecure/Whonix 17 support for the remainder of Qubes R4.2's lifespan. sdwdate fix will be present in R4.3+ only.
== review and test IPv6 support pull requests ==
* https://forums.whonix.org/t/add-ipv6-support/19893
* https://www.whonix.org/wiki/Dev/ipv6
* please review for Non-Qubes-Whonix, Qubes-Whonix
* goal: merge as much as doable/possible without breaking networking
* enabling IPv6 support in Qubes-Whonix might only be possible during release upgrade to trixie based and orchestration with Qubes
* Waiting for planned fixes to land in PRs.
* Update 1:
** Please recheck.
** Notes:
*** square brackets aren't supported in systemd: https://github.com/systemd/systemd/issues/35621
*** quote "The only issue is that VirtualBox only supports IPv6 if we switch to bridged interface, which exposes whonix gateway to the network. libvirt requires adding custom NAT rules for IPv6, which are only automatically managed for IPv4. If we want to add this, we'd need to add a static IP configuration and give the user instructions on how to add NAT rules on the host. So for now only Qubes will have direct support for IPv6 for outgoing transactions, without further instructions a user needs to do on the host."
**** VirtualBox nowadays supports IPv6 NAT. We can easily reconfigure KVM to have IPv6 NAT also. Qubes OS supports it as well, but allows toggling it on or off.
* Can't get it working in VBox (even with bridged networking), libvirt (even with a custom network interface), or Qubes (apparent bug in Qubes R4.3 prevents me from making a new network-providing qube). See https://forum.qubes-os.org/t/qubes-4-3-cannot-create-a-new-appvm-that-provides-network-to-other-qubes/30906/2.
* Update 2:
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385107
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385335
** please direct questions, issues to Daniel (such as by adding these to https://www.whonix.org/wiki/Dev/ipv6 or commenting on a pull request)
* Aaron: Left Daniel some feedback on things that didn't work. If not fixed in a week (so around April 4th), our plan is to merge as-is and fix bugs after.
* Patrick: All merged.
* Patrick: Please go through all pull requests and notes. Add fixes. Comment on closed pull requests for resolved items.
* Patrick: Coordinate enabling of IPv6 with Qubes for R4.3.
** Aaron: Will require global IPv6 support in Qubes OS for this to work, which is too late to land in R4.3: https://github.com/QubesOS/qubes-issues/issues/10232#issuecomment-3301165088 Probably better to document the instructions for enabling it for now.
* Patrick: Ideally, whether IPv6 is enabled or disabled, VM networking shouldn't break.
** Aaron: I believe the current code will work whether IPv6 is ''available'' or not. This means that if the network just doesn't support it, or the user has turned off IPv6 support in Qubes OS, networking should still work. However, if IPv6 is turned off on the kernel level, it will break things (in particular listening on the loopback IPv6 address will fail in Tor, and ifupdown will complain about there being IPv6 network configuration present). Is it a feature goal to allow disabling IPv6 on the kernel level? If so, more work will be needed here, some of which may be messy.
* Patrick: Please review my replace-ips changes.
** Aaron: Reviewed, did cleanup, hardened using black/mypy/pylint
* Patrick: Please fix replace-ips overzealous IP replacement, if sensible.
shell:
<pre>
echo 'DNS=10.152.152.100' > /tmp/test.conf
</pre>
python:
<pre>
ips=['10.152.152.10']
current_ip='10.0.0.1'
files=['/tmp/test.conf']
ip_file='/tmp/ip'
protocol='IPv4'
replace_ip(ips, current_ip, files, ip_file, protocol)
</pre>
/tmp/test.conf content:
* expected: 10.0.0.1
* actual: 10.0.0.10
issues:
* Substring hit: 10.152.152.10 inside 10.152.152.100 gets changed
** Aaron: Fixed.
* replaces all whether comments or non-comments
** Aaron: Fixed.
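Both issues above (substring hits and edits inside comments) in a small, runnable form, added here as an example and not the project's own replace-ips code; the function names, the constructed sample config and the line-level comment handling are assumptions. The naive variant reproduces the two bugs; the safer variant matches an address only as a whole dotted-quad token, skips lines that start with a comment marker, and rewrites files atomically so a crash mid-write cannot leave a half-replaced config behind.

```python
import os
import re
import tempfile
from typing import Iterable, List

# Constructed sample config (not taken from the project): a commented-out
# line that must stay untouched, a longer address that merely starts with the
# old address, and one genuine occurrence that should be rewritten.
SAMPLE_CONF = (
    "# DNS=10.152.152.10 (old default)\n"
    "DNS=10.152.152.100\n"
    "Gateway=10.152.152.10\n"
)


def replace_ips_naive(text: str, old_ips: Iterable[str], new_ip: str) -> str:
    """The overzealous variant: plain substring replacement everywhere."""
    for ip in old_ips:
        text = text.replace(ip, new_ip)
    return text


def ip_token_pattern(old_ips: Iterable[str]) -> "re.Pattern[str]":
    """Match any of old_ips only as a whole IPv4 token.

    The look-arounds reject an adjacent digit or dot, so 10.152.152.10 does
    not match inside 10.152.152.100 or 110.152.152.10. Longest alternatives
    go first so overlapping entries resolve deterministically. IPv6 would
    need hex/colon-aware boundaries and bracket handling; not covered here.
    """
    alts = "|".join(re.escape(ip) for ip in sorted(set(old_ips), key=len, reverse=True))
    return re.compile(r"(?<![0-9.])(?:" + alts + r")(?![0-9.])")


def replace_ips_text(text: str, old_ips: Iterable[str], new_ip: str,
                     comment_prefix: str = "#") -> str:
    """Rewrite old_ips -> new_ip as whole tokens, leaving comment lines alone.

    Only lines whose first non-blank character is the comment marker are
    skipped; a trailing inline comment on a config line is still rewritten.
    """
    pattern = ip_token_pattern(old_ips)
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith(comment_prefix):
            out.append(line)
        else:
            out.append(pattern.sub(new_ip, line))
    return "".join(out)


def replace_ips_in_files(paths: Iterable[str], old_ips: Iterable[str], new_ip: str) -> List[str]:
    """Apply replace_ips_text to each file with an atomic rename; returns changed paths."""
    changed: List[str] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            before = fh.read()
        after = replace_ips_text(before, old_ips, new_ip)
        if after == before:
            continue
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".replace-ips-")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(after)
        os.chmod(tmp, os.stat(path).st_mode & 0o7777)  # keep the original permissions
        os.replace(tmp, path)                           # atomic swap into place
        changed.append(path)
    return changed


def demo() -> dict:
    """Run both variants over SAMPLE_CONF so the difference is visible."""
    old, new = ["10.152.152.10"], "10.0.0.1"
    return {
        "naive": replace_ips_naive(SAMPLE_CONF, old, new),
        "safe": replace_ips_text(SAMPLE_CONF, old, new),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"--- {name}\n{result}", end="")
```

The boundary regex is the whole fix for the substring problem: without the negative look-arounds, `10.152.152.10` is a prefix of `10.152.152.100` and the naive version turns the latter into `10.0.0.10`. The comment check is deliberately line-based, so the example is correct for the `#`-style configs shown on this page but would need extending for formats with block or inline comments.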
* Fix Tor startup when IPv6 is disabled, use replace-ips-like code to comment out HTTPTunnelPort lines that listen on IPv6 addresses
** Aaron: Implemented, though I ended up using a shell script (which mostly was a wrapper around a sed command) for this because it was much easier to do so and didn't require mass refactoring.
* Attempt to make network-online.target actually useful by waiting for a particular IPv6 address to become available before declaring the network "up", then use that to delay tor startup instead of a hardcoded delay
** Aaron: After further thought, decided this was a bad idea. Details shared in chat for further discussion.
* Aaron: It appears IPv6 is generally working well now. Further bugs may need to be worked out, but so far it seems to work relatively well. Moved IPv6 DNS support in Qubes OS to a new task.
* Patrick:
** start tor-whonix-gw-setup.service also in sysmaint mode?
*** Aaron: tor-whonix-gw-setup.service was able to be fully merged into anon-gw-anonymizer-config.service, so the unit no longer exists now. anon-gw-anonymizer-config.service is depended on by sysmaint-boot.target already.
** /usr/libexec/anon-gw-anonymizer-config/generate-tor-service-defaults-torrc-anondist might get started by /usr/libexec/anon-gw-anonymizer-config/tor-config-sane
*** Aaron: Done.
** While we're at it, the following trigger seems no longer required or if required should be done inside whonix-firewall package instead?
*** Aaron: Looks obsolete indeed, dh_installsystemd should automatically restart whonix-firewall.service when whonix-firewall is upgraded.
<pre>
## Restart firewall
/usr/bin/whonix_firewall | \
/usr/bin/whonix-gateway-firewall | \
/usr/bin/whonix-workstation-firewall)
   /usr/libexec/whonix-firewall/enable-firewall || true
   ;;
</pre>
= ARCHIVED =
== trixie port - meta packages fixes - #1 ==
* bug: package kicksecure-desktop-applications-xfce is still installed after release-upgrade
** this was prior to review and merge of [[Dev/todo#trixie_port_-_fix_incorrect_dependency_resolution|trixie port - fix incorrect dependency resolution]] - so this may or may not be fixed already
** Aaron: Should be fixed now, accidentally only had Breaks/Replaces against LXQt-related packages that only existed for a short time during the Trixie port and didn't add Breaks/Replaces against Xfce-related packages.
== trixie port - fix incorrect dependency resolution ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113744
* apt solver issues are resulting in Pulseaudio being installed rather than Pipewire in some situations
* Remove the pipe character from our dependencies wherever possible, we should not have either/or dependencies any longer unless we're ready to take special steps to ensure the right dependencies are resolved
* Change how our dummy-dependency packages work so they can still replace unwanted packages but don't require an either/or dependency to function properly
* Aaron: Reworked the metapackages substantially, built a Kicksecure VirtualBox image, and compared its installed packages with the Kicksecure Xfce VirtualBox Bookworm image. Looks like the changes are working.
== trixie port - usbguard-notifier ==
* please try
* install by default if sensible
* https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/29
* add usbguard-notifier to recommends
* move usbguard to recommends
* Aaron: Implemented:
** developer-meta-files (master metapackage change): https://github.com/ArrayBolt3/developer-meta-files/tree/arraybolt3/trixie
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/trixie
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/trixie
== sysmaint panel items ==
* https://forums.kicksecure.com/t/panel-items-missing-feedback/1108/
* please reply
* please implement, if sane
* could also defer to Debian trixie if/when we port to Wayland / LXQt
* Power manager applet issue fixed:
** desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/power-manager
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/systray
* Clock applet awaiting input from Patrick.
** Patrick: Clock applet: Can be done when porting to Debian 13 / trixie or Wayland. Preferably not inventing a clock/date widget.
*** Aaron: Moved to "WAITING ON" since the clock is the last part of this that needs to be implemented, and we don't intend on doing that until the Trixie port is done.
*** Aaron: Implemented in Kicksecure 18.
== trixie port - Qubes meta packages ==
* Qubes
* apt install --no-install-recommends kicksecure-qubes-gui-lxqt
<pre>
snip
</pre>
Unwanted in Qubes:
* dracut (not yet supported by Qubes unfortunately at time of writing)
*# Aaron: Moved to dist-nonqubes-cli.
*# Aaron: How is it unsupported? Is there qubes-specific code that doesn't work with it, or is it just memory consumption as mentioned at https://github.com/QubesOS/qubes-issues/issues/8649#issuecomment-1781341921 ?
Potentially unwanted in Qubes:
* accountsservice
*# Aaron: Cannot be removed, dependency of mate-polkit.
* arc-theme
*# Aaron: Removed it and its dependencies from desktop-config-dist.
* ddrescueview
*# Aaron: Left this here since I thought it might be useful for people using Kicksecure on Qubes for working with disk images from dying hard drives. Better to leave out?
* gddrescue
*# Aaron: See ddrescueview notes above.
* lxqt-config
*# Aaron: Essential for Qubes. This is the equivalent of xfce4-settings.
* lxqt-panel
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* xdg-desktop-portal-lxqt
*# Aaron: Essential for Qubes. Provides a file selection dialog.
* wlgreet
*# Aaron: Moved this and greetd to dist-nonqubes-gui-lxqt.
Probably unwanted in Qubes:
* desktop-config-dist-dependencies
*# Aaron: Moved to dist-nonqubes-gui-all.
* discover
*# Hardware discovery unnecessary under Qubes? Could be moved or even removed entirely if nothing uses it. It can be removed cleanly, it appears.
* grub-live
*# Aaron: Moved to dist-nonqubes-cli.
* laptop-detect
*# Aaron: Unsure on this one, it doesn't just detect if running on a laptop, it also detects if *not* running on a laptop, which is the case on Qubes, thus could be valuable?
* lxqt-openssh-askpass
*# Aaron: Useful for Qubes, this is a more-or-less general purpose authorization prompt, used sometimes by SSH
* lxqt-policykit
*# Aaron: Removed universally via dummy-dependency, as it cannot normally be removed without removing other important LXQt components.
* lxqt-powermanagement
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* lxqt-qtplugin
*# Aaron: Essential LXQt component, needed to theme applications.
* lxqt-runner
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* lxqt-session
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* lxqt-system-theme
*# Aaron: Essential LXQt theming component.
* lxqt-themes
*# Aaron: Also an essential LXQt theming component.
* lxqt-wayland-session
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* screengrab
*# Aaron: Still useful for taking screenshots of windows within the qube in question?
*## Aaron: Side-note, we need a different screen capture application for Wayland as it turns out the version of Screengrab in Debian Trixie is one version too old to have Wayland screen capture support.
* smart-notifier
*# Aaron: Left because someone might attach a physical disk to a VM to check its SMART data in theory. Better to remove?
* smartmontools
*# Aaron: See above for smart-notifier.
* swaybg
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
* systemd-cryptsetup
*# Aaron: Essential for Qubes, used by swap-file-creator.
* wdisplays
*# Aaron: Moved to dist-nonqubes-gui-lxqt.
Questionable:
* hwinfo
*# Aaron: Left because it seemed potentially useful, but we might be able to remove it if nothing uses it? It can be removed cleanly it appears.
* pavucontrol-qt
*# Aaron: I guess Qubes has their own Pipewire control so this isn't essential. Moved to the appropriate nonqubes metapackages.
* pipewire-alsa
*# Aaron: Necessary for applications that are stuck using ALSA to record and play back sound.
* pipewire-audio
*# Aaron: This is a metapackage that depends on things that don't conflict with Qubes and that look important.
* psensor
*# Aaron: Potentially useful if someone passes a physical disk through to a VM. Better to leave out?
* usbguard
*# Aaron: Discussed with Qubes OS upstream, seems useful to have, current configuration takes into account many of the concerns brought up in the discussion.
== trixie port - fully disable lxqt-policykit ==
* lxqt-policykit is buggy, we want to use mate-polkit instead
* Aaron: Done, created a new dummy metapackage for this.
== trixie-port - Wayland screenshot tool ==
* screengrab is incapable of taking screenshots under Wayland, it will be capable in Forky.
* Find a stop-gap solution for now.
* Aaron: Got Flameshot working well. Uploaded needed code changes to the arraybolt3/trixie branches.
== trixie-port - meta packages issues ==
* (weird terminal symbols because it is sudo xl console)
<pre>
apt install kicksecure-qubes-gui-lxqt
Solving dependencies... Error!
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

Unsatisfied dependencies:
 dist-general-gui-lxqt : Depends: lxqt-wayland-session but it is not installable
.[1;31mError: .[0m.[1mUnable to correct problems, you have held broken packages..[0m
.[1;31mError: .[0m.[1mThe following information from --solver 3.0 may provide additional context:
   Unable to satisfy dependencies. Reached two conflicting decisions:
   1. dist-general-gui-lxqt:amd64 is selected for install because:
      1. kicksecure-qubes-gui-lxqt:amd64=3:32.6-1 is selected for install
      2. kicksecure-qubes-gui-lxqt:amd64 Depends dist-general-gui-lxqt
   2. dist-general-gui-lxqt:amd64 Depends lxqt-wayland-session
      but none of the choices are installable:
      [no choices].[0m
</pre>
* Aaron: lxqt-wayland-session is required by our Wayland session because it is essential to getting labwc and LXQt to work together. I have a Kicksecure-ready package for this at https://github.com/ArrayBolt3/lxqt-wayland-session, the original upstream to compare it to is at https://github.com/lxqt/lxqt-wayland-session. Upstream signs their releases.
** Patrick: Merged.
* Proper build artifact cleanup requires a change to genmkfile, see https://github.com/ArrayBolt3/genmkfile/commit/6e223ae9de25ff8fb4e4fb3253921c9ee225f7ff. Needs review due to execution of arbitrary code from working directory, I believe this is safe in this instance.
** Patrick: Merged.
* labwc is being depended on by dist-general-gui-all which means it will get installed on Qubes. That's an error from during the porting process.
** Aaron: Moved to dist-nonqubes-gui-all.
*** Patrick: Merged.
** Aaron: Ready to generate Qubes OS templates and do package comparisons?
*** Patrick: Ready.
See also next task. This task can probably be moved to archived and use the next task.
== Ubuntu KVM versus VirtualBox Bug ==
* https://forums.whonix.org/t/cannot-start-whonix-imported-vms-verr-hgcm-service-not-found/22102/10
** KVM is enabled by default on Ubuntu? In that case...
* manual installation:
** document this issue on [[VirtualBox]] (to be found here: [[Template:VirtualBox_Host_Software_Installation]])
* dist-installer-cli:
** dist-installer-cli: disable KVM - if the kernel module is automatically loaded by default - if installing Kicksecure (or Whonix) with VirtualBox using the installer
*** Probably unspecific to Ubuntu. Can be a general check in case other host operating systems do similar things.
*** Probably "notice" level for output.
*** If disabling by default is not sane, a "warning" (or even "error") level output would be good.
*** document the feature on [[Template:Linux_installer_features]]
* Aaron:
** Implemented for Bookworm: https://github.com/ArrayBolt3/usability-misc/commit/ab18a9cbbe3680a3de0dcba0e75c84ba577377c6
*** Also implemented for Trixie.
*** Also automatically disabled KVM virt_at_load in usability-misc for Kicksecure and Whonix systems.
** Documentation written.
** Filed a bug report against VirtualBox for fixing this upstream: https://github.com/VirtualBox/virtualbox/issues/188
* Patrick: Merged.
== trixie port - misc - #2 ==
* 1) release-upgrade should honor DEBIAN_FRONTEND="noninteractive"
** all interactive questions should honor this environment variable (or another suitable one)
** this is about the new interactive SSH question
* 2) move dpkg-noninteractive from usability-misc to helper-scripts
* Aaron: Both are now done.
*** Patrick: Merged.
** Bear in mind that helper-scripts will have to Breaks/Replaces whatever the last version of usability-misc to have dpkg-noninteractive was in order to avoid upgrade failure.
*** Patrick: Done.
== polish release-upgrade script ==
* see todo comments (related to meta packages)
* /etc/apt/sources.list.d/extrepo_kicksecure.sources can cause issues
* /etc/apt/sources.list.d/extrepo_whonix.sources can probably also cause issues
* Aaron: Done in https://github.com/ArrayBolt3/legacy-dist/commit/000d2db8cd1c20aa156568aed9fb007062083a0a,
** Patrick: Merged.
* however this is untested as the Breaks/Replaces in helper-scripts against usability-misc prevents me from upgrading. usability-misc's next upload should be bumped to have the same version as that specified by helper-scripts' Breaks/Replaces.
** Patrick: Fixed.
== images packages diff ==
* build trixie based images (maybe non-qubes based only for now until trixie repository is ready)
* compare list of installed Debian packages with bookworm based images
* in Qubes Kicksecure, during release-upgrade, packages sysmaint-panel and usability-misc are unexpectedly removed
* Aaron: Finished comparison, changed several dependencies in the process. See arraybolt3/trixie branches of kicksecure-meta-packages, anon-meta-packages, and developer-meta-files.
** Patrick: All merged.
== trixie port - meta packages ==
* implement [[Dev/Metapackages]] when porting to trixie
* make sure xscreensaver no longer gets installed by default in Qubes VMs
* Do not create complex interdependencies among metapackages. Define a set of "master" metapackages, have them only depend on individual sub-metapackages that provide groups of shared software, use scripting to help autogenerate things as needed
* Patrick: script auto generation features - proposal:
** 1 or 2 scripts, doesn't matter
** create main structure (all the nodes)
** create "main" meta packages including dependencies
* Aaron: Implemented and pushed. Some minor issues may be present that we can work out as we go along, I audited the metapackages to fix as many of these as I reasonably could.
* Patrick: Merged.
== trixie port - port to Wayland ==
* LXQt - maybe:
** {{Github_link|repo=kicksecure-meta-packages|path=/pull/2}}
** Avoidable?
* Xfce:
** Preferable?
** https://alexxcons.github.io/blogpost_14.html
** https://forums.whonix.org/t/whonix-xfce-development/6213/106
* Aaron: Investigation with LXQt vs. Xfce complete, we chose to go with LXQt. Initial porting effort complete, there is likely more we can do to polish the experience but basic functionality is now there.
* Patrick: All trixie branches merged.
== trixie port - misc #3 ==
* greetd builder: do not run inside Qubes?
** Aaron: Fixed.
* wayland https://www.kicksecure.com/wiki/Keyboard_Layout documentation
* sdwdate-gui-qubes do it only in Qubes?
** Aaron: Fixed.
* sdwdate-gui: please also parse /usr/local/etc/sdwdate-gui.d (this is by convention and to better support App Qubes)
** Aaron: Implemented.
* sdwdate-gui: please only parse files ending with ".conf". This is to avoid parsing files such as ".dpkg" or ending with "~" (backup files by some editors).
** Aaron: Implemented.
* sdwdate-gui: the following was good in the past.
<pre>
shopt -s nullglob
for i in \
   /etc/sdwdate-gui.d/*.conf \
   /usr/local/etc/sdwdate-gui.d/*.conf \
   ; do
   bash -n "$i"
   source "$i"
done
</pre>
* reasons:
** This is because nullglob avoids parsing "/etc/sdwdate-gui.d/*.conf" if there are no files.
*** Aaron: Added where appropriate.
** Absence of dotglob avoids parsing files starting with a dot.
*** Aaron: Added where appropriate.
** bash syntax check (bash -n)
*** Aaron: The configuration files are no longer Bash scripts and are parsed by string manipulation. This was necessary to parse the configuration in Python.
* sdwdate-gui: Supports sigterm? Useful for manual testing on the command line.
** Aaron: Already supported, signal handlers are set up and the appropriate QTimers are used to allow them to be triggered.
* desktop-config-dist: ensure qterminal uses unlimited scrollback
** Aaron: Confirmed that this is enabled by default.
* Patrick: All merged.
== trixie port - polish default browser handling ==
* open-link-confirmation should be the canonical default browser in all instances
* merge the functionality of tb-default-browser into open-link-confirmation
** Aaron: Done.
* (maybe?) configure all browsers offered by Browser Choice to not request to be made the default browser, since the typical default browser controls will override open-link-confirmation and reduce security
** Aaron: Done for Firefox, unnecessary for Chromium, Tor Browser, and Mullvad Browser.
** For Brave, could not figure out how to configure it appropriately. Asked upstream for help: https://community.brave.app/t/is-there-a-way-to-disable-set-as-default-browser-prompts-before-launching-brave/640667
* Whonix: open-link-confirmation should only consider torbrowser
** Aaron: Done.
* uninstall tb-default-browser inside release-upgrade (if useful)
** Aaron: Done.
* Changes:
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/commit/f1707c4a0bf72b3188a015f41d007a51fbc57ee3
*** and https://github.com/ArrayBolt3/open-link-confirmation/commit/a23b1f7eb5def6b85e5570dd0a93dc531cb2ac67
** Patrick: Merged.
** legacy-dist: https://github.com/ArrayBolt3/legacy-dist/commit/d8943bfe2cd8660c8bd19ebaadfb9ffa801031ae
*** Patrick: Merged.
* Patrick: Please change tb-default-browser into a lintian clean transitional package. And/or make open-link-confirmation use Replaces: tb-default-browser. This is to avoid package conflicts when upgrading and still having the old package around. I could also delete the package from the source tree and then use Replace and Provides tb-default-browser within open-link-confirmation?
** Aaron: Done in https://github.com/ArrayBolt3/open-link-confirmation/commit/a09dc42708350c3713789c4423a6cfe66dd044a0, note that this adds a tb-default-browser transitional package ''to open-link-confirmation''. This is intentional, following the documentation at https://wiki.debian.org/RenamingPackages.
*** Patrick: Merged.
** As part of the transition, removing the original tb-default-browser source package from our archives would be a good idea.
*** Patrick: Done. Removed from git submodules. Trixie repository will be re-created without tb-default-browser.
== bookworm - fix live-hardener ==
* https://forums.kicksecure.com/t/question-about-grub-live-and-writable-file-system/1221/3
* Aaron: Bugfix created: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-hardener-fix
** Test thoroughly and release to Bookworm? Necessary for live mode to function fully under Bookworm on EFI hardware.
* Patrick: Not for bookworm.
* Patrick: Merged.
== trixie port - derivative-maker ==
* branch looks good, but not mergeable due to git submodules
* Aaron: Should hopefully be fixed now.
* Patrick: Merged.
== investigate Qubes memory issue ==
* https://forums.whonix.org/t/increased-memory-usage/22092
* fixed probably for trixie and above only
* Aaron: Added several new optimizations and researched other possible optimizations:
** Disabled emerg-shutdown and ensure-shutdown on Qubes OS: https://github.com/ArrayBolt3/security-misc/commit/28f44d2e1d54da990cf203d2965431bc12a5d008
*** ensure-shutdown has to be disabled as well because it depends on emerg-shutdown. ensure-shutdown will be replaced anyway because systemd has a native implementation of this already.
** Disabled memlockd by default, and fixed the way emerg-shutdown uses it: https://github.com/ArrayBolt3/security-misc/commit/cd44a7e1369cd798b06595fdb118e0c7bea52194
** Discovered that <code>sleep</code> consumes a non-negligible amount of non-shared memory (somewhere between 150 KiB and 1.7 MiB depending on what tool you use to measure it), thus attempted to optimize some sleep calls out of our codebase:
*** Native Bash implementation of <code>sleep</code>: https://github.com/ArrayBolt3/helper-scripts/commit/81d8eb6d502c80f089637a9dfd75f26db004a45e
*** Added to anon-ws-disable-stacked-tor: https://github.com/ArrayBolt3/anon-ws-disable-stacked-tor/commit/6e55d22731a32e11d65b188ba18fb70f9be92463
*** Added to canary-daemon in systemcheck: https://github.com/ArrayBolt3/systemcheck/commit/0febf95bc78a6a0097e52f7435152c4dd1783a33
*** Added to msgdispatcher in msgcollector: https://github.com/ArrayBolt3/msgcollector/commit/e4de3f75aba852440d3e414f626acd12f06249bd
*** Discovered sdwdate did not need to call out to the <code>sleep</code> binary anymore to withstand time jumps, so switched back to Python time.sleep: https://github.com/ArrayBolt3/sdwdate/commit/963203c7196789c56303cce8a365e0f40b91180b
* Patrick: All merged.
** sdwdate-gui-client is hard to optimize, it needs Qt to be implemented safely and effectively in Python, to my awareness.
** privleapd is using quite a bit of memory (almost 10 MB), unsure if there's any good way to reduce it
== trixie port - deprecate initramfs-tools support - consider making dracut a dependency ==
* todo
* hard depend on dracut?
* if so, must also hard depend on systemd-cryptsetup
* do this during release-upgrade
* related: [[dracut]]
* Aaron: Implemented in my arraybolt3/trixie branches.
** Special support in the release-upgrade script might not be needed, I believe dracut will replace initramfs-tools cleanly.
== trixie port - USB Guard ==
* {{Github_link|repo=security-misc|path=/pull/166}}
* merge locally
* apply fixes on top
* Aaron: Done: https://github.com/ArrayBolt3/security-misc/commit/cba16879eff9d3d998c127e41c38d2067cdf04cc
== trixie port - misc ==
* might need to split this into multiple tasks
* waiting for trixie to get frozen and stable enough
* 1) SSH configurations
** move configuration snippets from [[SSH]] wiki page to security-misc [not completed at time of writing in end of 2024 but should be early next year]
*** Aaron: Implemented: https://github.com/ArrayBolt3/security-misc/commit/2ada07cf66727ea66283c55c0ba078489b3db94e
** {{Github_link|repo=legacy-dist|path=/blob/master/usr/sbin/release-upgrade}}
*** add ominous message to release-upgrade script if SSH client or server is installed
**** Aaron: Implemented: https://github.com/ArrayBolt3/legacy-dist/commit/fbeee3a3e6d64fa88f94fbcf1d4a37d9648c6248
*** point out in distribution morphing instructions
**** Aaron: Added a warnings section for this and similar warnings we may add in the future. Did the edit without being logged in so as to make it a "draft for review".
* 2) repository codename split project names
** update repository origin value as per https://www.kicksecure.com/wiki/Dev/APT#changed_its_'Origin'_value_from_'whonix'_to_'kicksecure'
** (revert the revert of {{Github_link|repo=derivative-maker|path=/commit/25f5c7e11afd23f58f40286be1fd9097c31a705e}})
** Aaron: Done, and added (untested) code to legacy-dist for coping with the change.
* 3) move from usability-misc and security-misc to helper-scripts
** upgrade-nonroot
** other APT related scripts
** this will allow sysmaint-panel to remove dependency on usability-misc and security-misc
** Aaron: Done.
* 4) convert user-sysmaint-split and sysmaint-panel from "loose packages" to dependencies of the respective meta packages
** add ominous message to release-upgrade script
** Aaron: Discussed via chat, decided to not do this after all.
* 5) Check if /etc/grub.d/10_linux was updated in Debian. If so, update our fork in dist-base-files.
** Aaron: Checked, changes did exist. Synced our fork with upstream.
* 6) https://www.whonix.org/wiki/Dev/Redistribution#Major_Upgrade
** Aaron: Updated appropriate values.
* 7) port all sources.list files to DEB822-Style Format (can be postponed if needed)
** Aaron: Done, however live-build and grml-debootstrap need not-yet-integrated-upstream changes for this to work.
*** live-build: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
*** grml-debootstrap: https://github.com/ArrayBolt3/grml-debootstrap/tree/arraybolt3/deb822
* 8) ram-wipe: re-add Depends: <code>systemd-cryptsetup</code>
** Aaron: Done.
* 9) review and merge various trixie related improvements to security-misc {{Github_link|repo=security-misc|path=/pulls}}
** Aaron: Done, almost all merged.
*** One PR for Thunderbird prefs should probably be closed without merging. I've deleted Thunderbird prefs from the arraybolt3/trixie branch of security-misc.
*** One PR from raja-grewal (https://github.com/Kicksecure/security-misc/pull/313) I requested changes on and am awaiting a reply.
* 10) debug-misc: {{Github_link|repo=debug-misc|path=/pulls}}
** Aaron: Blocked on raja-grewal's response to my review on https://github.com/Kicksecure/debug-misc/pull/4.
== trixie port - document disabling USBGuard ==
* USBGuard will likely interfere with users of special input devices (touchscreens, possibly some types of mice and keyboards), and may interfere with Framework 16 users' ability to use external keyboards and mice.
** document how to disable in the wiki once we are sure we are shipping USBGuard in Trixie
* USBGuard documented: https://www.kicksecure.com/wiki/USBGuard
== trixie port - GRUB_DEVICE vs dracut vs initramfs-tools ==
* The following is required for initramfs-tools only:
<pre>
GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
unset GRUB_DEVICE_UUID
</pre>
* grep the source code for this and move it below the following condition because it is not required by dracut:
<pre>
if pkg_installed initramfs-tools ; then
</pre>
* related: [[dracut]]
* Aaron: Done:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/commit/1b485087f33b9f4131bf89473144e7fbef77dc0a
** grub-live: https://github.com/ArrayBolt3/grub-live/commit/685d1d676aed78ce4da1aa75c6a6c6da3c2d5c1a
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/a94203791ddab06ed2cf6f2d201029d291687cef
* Patrick: Merged. (As part of the trixie branches)
== trixie port - dracut - hostonly yes versus no ==
* after Dracut fixes... should Kicksecure images (in trixie) use a different hostonly mode?
* Yes, we should switch to hostonly sloppy mode, which is now being substantially improved to be a lot more generic upstream.
* Done: https://github.com/ArrayBolt3/dist-base-files/commit/1b485087f33b9f4131bf89473144e7fbef77dc0a
** Note that the enhanced hostonly sloppy mode changes may not be in Trixie itself yet, we may have to pull Dracut from debian-backports to get the good changes in the future. I think this is still a good change for now though, users who need a portable USB flash drive can turn this off if it causes problems (which it probably won't anyway).
* Patrick: Merged.
== trixie port - live mode notification ==
* inform the user what mode they've booted in via an ephemeral desktop notification shown on login
* reason: https://forums.kicksecure.com/t/live-mode-option-boots-into-persistent-sysmaint/1216
** Aaron: Implemented: https://github.com/ArrayBolt3/desktop-config-dist/commit/03aa359bc5d54958a1e6f4edd29b2c79610c7668
* Patrick: Merged.
== begin Trixie port ==
* immediate goal - rebase Kicksecure as-is onto Trixie
* further enhancements are in other tickets under WAITING ON
* Aaron: Current progress can be seen in the <code>arraybolt3/trixie</code> branches of all repos in my account
* Ready for review, some issues still remain that will need to be worked out prior to a beta or stable release:
** systemd-remount-fs.service and systemd-growfs-root.service are failing when booted in live mode
** privleap autopkgtest is broken
* Patrick: merged all trixie branches - except derivative-maker (separate ticket)
== trixie port - remaining known alpha issues ==
* systemd-remount-fs.service and systemd-growfs-root.service are failing when booted in live mode
** May affect Bookworm also. Fix: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-improvements
*** Already merged into arraybolt3/trixie as well.
*** Patrick: Merged. (bookworm + trixie)
* privleap autopkgtest is broken
** Fixed, along with other code quality tests: https://github.com/ArrayBolt3/privleap/commit/6e81f2112b5be0a0f5ad1f78b4732d082ea67f00
*** Patrick: Bookworm - not merged (because in trixie branch)
*** Patrick: all trixie branches merged
== bookworm - 17.4.4.6 bug reports ==
* https://forums.whonix.org/t/shared-folder-blank-running-in-live-mode-after-update/22056
** Aaron: Intentional but somewhat unexpected behavior. Ideas for improvement shared on forums.
* https://forums.kicksecure.com/t/live-mode-option-boots-into-persistent-sysmaint/1216
** Aaron: Likely a user misunderstanding.
== VirtualBox restart bug ==
* https://forums.whonix.org/t/whonix-only-starts-after-several-attempt/22032
* issue:
* issue: <code>rcu_preempt self-detected stall on CPU</code>
* looks similar to this screenshot: https://community-assets.home-assistant.io/original/4X/7/5/4/754bdc85b2c7c449b16f3413288efcf7911b02fd.png
* environment
** Windows (latest) - if available - preferably - can be a different operating system if that is an issue
** VirtualBox (latest)
** run multiple VMs at the same time (3 or more)
* keep restarting 1 VM such as Kicksecure Xfce
* does any restart hang? if so, please investigate.
* maybe [[Recovery#Kicksecure_specific|Kicksecure specific]] will be helpful
* windows only: this very post might be helpful (disable hyper-v): https://community.home-assistant.io/t/daily-crash-with-virtualbox-rcu-preempt-self-detected-stall-on-cpu/709041/4
* try to boot with and without mouse focus inside the VM versus mouse outside the VM. The system might boot more reliably with mouse focus inside the VM, which might be the same or another bug.
* Aaron: Debugged, posted results on forum. Determined that the current documented fix does not work, found a fix that did work and a workaround that works well enough.
== Kicksecure installer versus live-hardener bug ==
* Environment:
** VirtualBox
** EFI
** btrfs
<pre>
ERROR: Installation failed: "Bootloader installation error"
..
- message: "Bootloader installation error"
..
- details: The bootloader could not be installed. The installation command grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Kicksecure --force returned error code 1.
</pre>
Attempting to run this command manually inside the /tmp calamares chroot for purpose of debugging.
<pre>
Installing for x86_64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0003.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0003-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
zsh: exit 1     grub-install --target=x86_64-efi --efi-directory=/boot/efi --force
</pre>
Potentially related:
<pre>
sudo journalctl -u live-hardener.service
Aug 09 06:34:08 localhost systemd[1]: Starting live-hardener.service - Remounts auxiliary writable filesystems as read-only and applies a tmpfs overlay on them...
Aug 09 06:34:09 localhost live-hardener[940]: mount: /sys/firmware/efi/efivars: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
Aug 09 06:34:09 localhost live-hardener[940]:        dmesg(1) may have more information after failed mount system call.
Aug 09 06:34:09 localhost systemd[1]: Finished live-hardener.service - Remounts auxiliary writable filesystems as read-only and applies a tmpfs overlay on them.
</pre>
* Note: Patrick has been adding refactoring and debugging to live-hardener since.
* What might be happening: live-hardener remounts something as read-only which is incompatible with Calamares.
** Calamares might fail to re-mount as read-write. If so, please create a ticket for later to report this upstream.
* Aaron: Found and fixed issue, live-hardener shouldn't run in ISO Live mode at all. https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/live-hardener-fix
** Also fully disabled emerg-shutdown under Bookworm, and attempted to fix the bug resulting in shutdown during installation.
*** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
*** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.
== emerg-shutdown #3 ==
* paranoid mode - shut down when any removable device (USB drive, keyboard, mouse, etc.) is removed from the system
* Integrate into initramfs so the panic key works on the LUKS prompt
* useful to use the same hardened gcc compile time options as we use for sclockadj?
* do we really want three finger salute to emergency shutdown?
** https://forums.kicksecure.com/t/emergency-key-press-shutdown-sequence/1199
** <code>emerg-shutdown --countdown 10</code>
** emerg-shutdown --cancel
** no cancel = proceed with emergency shutdown
** if confirmed: emerg-shutdown --instant-shutdown
* Aaron: Implemented most suggested features: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown Also merged to arraybolt3/trixie.
** Did not implement the --countdown and --cancel features. These seem more appropriate for the three finger salute task. The panic key should be an unconditional and immediate shutdown where speed is important above all else. A three finger salute on the other hand is where other features like delayed emergency shutdown may make sense.
* Patrick: Merged.
== docker inside whonix-workstation versus whonix-workstation-firewall ==
* please comment: https://forums.whonix.org/t/how-can-you-make-a-docker-container-inside-whonix-workstation-connect-to-the-internet/21772/5
== emergency shutdown - #2 ==
* /usr/lib/systemd/system/emerg-shutdown.service and /usr/lib/systemd/system/ensure-shutdown.service
** possible to run earlier than multi-user.target?
** purpose: reliable shutdown in cases where, for example, the boot process is broken for other reasons or a wrong FDE password was entered
* add a shutdown breaking systemd unit
** add a systemd unit to security-misc by default that breaks shutdown on purpose
** commented out by default
** purpose: to be easily able to test the force shutdown
* Aaron: Implemented:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.
== emergency shutdown implementation ==
* when the boot USB drive is removed
* when panic key is pressed (most obviously probably the power button)
* https://github.com/NobodySpecial256/panic-wipe/blob/main/panic.c
* Aaron: Implemented
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/emerg-shutdown
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Patrick: All merged.
== display manager selection ==
* What is "the best" display manager?
* please read history: https://forums.whonix.org/t/display-manager-lightdm-gdm3-sddm-or-no-display-manager-startx/12457
* in preparation for the next task
* might resolve the verified boot issue for lightdm requiring read-write access to /var/lib/lightdm
* can be deferred until after Debian trixie or during the port to Debian trixie
* Aaron: greetd is looking relatively promising. Commented about it in the linked forum post.
* Patrick: Replied.
* Aaron: Replied back in chat. Possible issues with LightDM not considered blockers, but greetd may still be more desirable.
== dracut size parameter improvement ==
* please comment, if applicable
* https://forums.whonix.org/t/grub-live-improvement-overlay-mount-sh-add-increase-size-mount-command-parameter/21998
* Aaron: Commented and filed feature request.
== improve systemd shutdown reliability ==
* this is required for effective ram-wipe - a hang at shutdown would be adverse for security, as the system keeps running and RAM does not get wiped
* add a systemd unit to some kicksecure package that will result in breaking the shutdown on purpose (ExecStop taking forever)
** use: KillMode=none
** use other settings coming to mind making the systemd unit harder to kill
** this is for testing purposes only
** once this ticket is done, we will comment it out by default and keep it as comments-only for reference, future testing
* check, adjust global values such as:
** <code>timeout</code> is mentioned in /etc/systemd/system.conf, logind.conf, user.conf
<pre>
DefaultTimeoutStopSec=30s
DefaultTimeoutStartSec=30s
DefaultTimeoutAbortSec=30s
</pre>
* investigate if there are any other ways to make systemd force shutdown
* investigate if there are any other ways to make the system force shutdown
* Aaron: systemd doesn't appear to have this feature, filed a request: https://github.com/systemd/systemd/issues/38261
** In the meantime, a unit with something similar to <code>ExecStop=bash -c -- 'sleep 15; echo "o" > /proc/sysrq-trigger'</code> might work.
*** Actually, this won't work, systemd will hang waiting for the <code>sleep 15</code> to finish, then the system will forcibly power down.
* Patrick: Please consider a small custom (C) program to run kernel call reboot or poweroff in case that is more reliable than sysrq.
** Aaron: Continuing to investigate the cause of shutdown failure - C programs are no more reliable than using SysRq in my testing.
*** So far I have been able to determine that removing i915 (Intel graphics) firmware from <code>/lib/firmware</code> is enough to resolve the issue. However, this shouldn't be needed because vanilla Debian 12 is able to emergency shut down properly with i915 firmware present. Therefore a Kicksecure configuration change is likely interacting poorly with the firmware or driver.
* Aaron: I believe this is currently impossible to implement, see https://github.com/systemd/systemd/issues/38261#issuecomment-3130259046. However, I was able to finally implement emergency shutdown.
** Patrick brought up the possibility of using <code>KillMode=none</code> to keep the shutdown "unstick" mechanism from being killed prematurely. I ended up using <code>KillMode=process</code> instead. I was able to implement this after all, however it may require some tuning by the end user and so is disabled by default. Notes documented in code and left in chat.
== permanent shortcut to VM shared folder ==
* for easy access of shared files via Thunar
* Implemented: https://github.com/ArrayBolt3/vm-config-dist/tree/arraybolt3/shared-folder-readme
* Patrick: Merged.
== calamares - unmount issues ==
* Calamares is not unmounting an encrypted filesystem after installation is complete, thus making livecheck warn about an "unsafe" live state.
* Investigate, determine if this is already fixed in Trixie or in newer versions of Calamares, or if a bugfix needs to be made.
* Aaron: During Trixie porting work, it appears this is already solved in Trixie.
== emergent shutdown discussion ==
* please read, comment if applicable
* https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994
* https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755
* Implemented, but may need further polish:
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/emerg-shutdown
*** On my test system, this reliably causes the screen to black out and the OS to become inaccessible when I unplug the root filesystem device, but sometimes the power LED will remain lit and the fans will keep running. This happens about 50% of the time, the other 50% of the time a proper shutdown is done. Because of the shutdown method being used, I currently suspect this is the fault of my hardware and not of the implementation, but further testing will be needed to confirm that and documentation should indicate that users must test this feature thoroughly before relying on it in a security-sensitive situation.
*** This is supposed to work even if Kicksecure is burned to an optical disc and that disc is ejected, but I believe it currently will not work. I believe the kernel sends a different event for an ejected optical disc than for a removed USB drive.
*** Panic button support not yet implemented.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/emerg-shutdown
*** The root device finding script could use more thorough testing and could be expanded to support more scenarios.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/emerg-shutdown
* Left comments documenting that this is now on hold until the Trixie port is done.
** Decided to finish work on this for Bookworm anyway as it was needed for a desired feature, and the work done will be useful for Trixie and higher.
** Discussion is over, implementation is in progress, thus this task is archived.
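The removal-triggered shutdown above depends on first identifying which whole disk the root filesystem sits on (the "root device finding script" mentioned in the helper-scripts item), then noticing when that disk goes away. The following is an added example written for this page, not the helper-scripts code: it resolves a mountpoint through the lsblk parent chain (crypt -> part -> disk), checks the kernel's removable flag, and, as its last step, uses the same SysRq poweroff that the ExecStop snippet earlier on this page relies on. Assumptions of the example: lsblk output is fed on stdin as <code>lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT</code> lines, the sample data is constructed, and <code>SYSFS_BLOCK</code> is an override of /sys/block so the checks can be run without real hardware.

```sh
#!/bin/sh
# Added example, not the helper-scripts root device finding script: resolve the
# mountpoint's backing device through the lsblk parent chain (crypt -> part -> disk)
# to the whole disk, then read the kernel's removable flag for it. lsblk output is
# taken on stdin as `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` lines so the walk can
# be exercised on constructed data. SYSFS_BLOCK is this example's override of
# /sys/block for the same reason.

# Constructed sample, not captured from a real machine: LUKS root on a USB disk
# (sda) plus an unencrypted data partition on an NVMe disk.
sample_lsblk() {
cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="luks-root" PKNAME="sda2" TYPE="crypt" MOUNTPOINT="/"
NAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/mnt/data"
EOF
}

# NAME of the device mounted at $1; prints nothing if nothing is mounted there.
device_for_mountpoint() {
    awk -v mp="$1" '
        match($0, /MOUNTPOINT="[^"]*"/) && substr($0, RSTART + 12, RLENGTH - 13) == mp {
            match($0, /^NAME="[^"]*"/); print substr($0, 7, RLENGTH - 7); exit
        }'
}

# Follow PKNAME from device $1 up to the device with no parent (the whole disk).
top_disk() {
    awk -v name="$1" '
        {
            match($0, /^NAME="[^"]*"/);  n = substr($0, 7, RLENGTH - 7)
            match($0, /PKNAME="[^"]*"/); parent[n] = substr($0, RSTART + 8, RLENGTH - 9)
        }
        END {
            if (!(name in parent)) exit 1
            while (parent[name] != "") name = parent[name]
            print name
        }'
}

# Whole disk behind mountpoint $1 (default /). Exit 1 if it cannot be resolved.
root_disk() {
    data=$(cat)
    dev=$(printf '%s\n' "$data" | device_for_mountpoint "${1:-/}")
    [ -n "$dev" ] || return 1
    printf '%s\n' "$data" | top_disk "$dev"
}

# True when the kernel flags disk $1 as removable (USB sticks, SD cards).
is_removable() {
    f="${SYSFS_BLOCK:-/sys/block}/$1/removable"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Block until disk $1 disappears from sysfs, then force an immediate poweroff
# through SysRq. Only meaningful as root on a live system; the page's own notes
# show this does not always cut power on every machine, so test it first.
watch_root_disk() {
    while [ -e "${SYSFS_BLOCK:-/sys/block}/$1" ]; do sleep 1; done
    echo o > /proc/sysrq-trigger
}
```

Usage on a real system would be <code>disk=$(lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | root_disk /)</code> followed by <code>is_removable "$disk" && watch_root_disk "$disk"</code>. The walk stops at the first device without a parent, which is also where it would need extending for the optical-disc case noted above, since an ejected disc does not remove its block device the way a pulled USB disk does.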
== review login security ==
* account user without a password might be an issue? Yes, but we have these under control:
** sudo - either unavailable in user session, unavailable for accounts other than account user and/or password protected
** su - nosuid
** login - requires root
** ssh - not installed by default
** loginctl?
** anything else?
* please document
* Aaron: Skimmed Strong User Account Isolation page, didn't see anything missing. Did see that a note about SSH not being installed on Kicksecure by default was missing from the SSH wiki page, added it.
== browser choice - bugs ==
* bug: user session -> chromium -> install as flatpak -> fails at pkexec. Should not be allowed to reach that point.
* Aaron: Fixed (along with a few other bugs): https://github.com/ArrayBolt3/browser-choice/commit/fc37dfb44af5ce47fb550515e3070ed4900addcf
** Patrick: Merged.
== autostart system-maintenance-panel on Whonix-Gateway ==
* https://forums.whonix.org/t/autostart-system-maintenance-panel-on-whonix-gateway/21928
* Aaron: Implemented: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/sysmaint-panel
** Patrick: Merged.
== system-maintenance-panel - improvements ==
* Whonix-Gateway: "network connections" tries to start nmtui which isn't installed by design on Whonix-Gateway
** Aaron: "Install a Browser" shouldn't be displayed in Whonix-Gateway or Whonix-Workstation either. Hid both buttons when running on Whonix.
* Whonix-Gateway: should other utilities be added such as onioncircuits, tor-control-panel, anon-connection-wizard or best avoided to avoid overloading and code complexity?
** Aaron: Fine to add those tools, doesn't add much complexity. Added all three of these to Whonix-Gateway, plus Tor Status Monitor (Nyx) to keep the button panel well-balanced.
* lock screen: If no password is set, this does not actually lock the screen. Should show an error popup that suggests to set a password and run login security check?
** Aaron: Good idea. We should also refuse to lock the screen if the password is locked or "restricted" since it will be impossible to unlock in those situations.
* Aaron: Implemented all requested enhancements:
** systemcheck needed to be changed since the get-password-status-list script had to move to helper-scripts: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/move-password-list-script
*** Patrick: Merged.
** helper-scripts (enhanced the actual lock script, also moved get-password-status-list into this): https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/screen-locking
*** Patrick: Merged.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/76366bab51e3614e70739a539da79ba65a13e1b3
*** Patrick: Merged.
== review /etc/zsh configuration ==
* https://forums.whonix.org/t/change-default-shell-from-bash-to-zsh-by-default/14792
* {{Github_link|repo=desktop-config-dist|path=/tree/master/etc/zsh}}
* security review
* please suggest other useful changes, if applicable
* Aaron: Audited, added suggested security and usability enhancements in https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/zsh-harden
** Note, one of the changes is to remove the <code>-N</code> option from the default ls alias - this aids usability in my opinion, but might not be desirable? Would be happy to undo that if this is considered too much of a change.
*** Patrick: Should be ok.
** Patrick: Merged.
== systemcheck login security check ==
* systemcheck run in user session shows password for account "user" as "Absent" and account "sysmaint" as "Locked"
* however, sysmaint does not really have a password set.
* Should be "Locked (Absent)" in orange color instead?
* Aaron: Good idea, implemented.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/login-locked-absent
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/login-locked-absent
*** Patrick: Merged.
== add prevent login test to systemcheck ==
* add a new test to systemcheck?
<pre>
sudo -u nobody su user
sudo: unable to execute /usr/bin/su: Permission denied
</pre>
* Aaron: Implemented using <code>stat</code> rather than a direct execution attempt to make the results independent of the executing user account: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/su-test
* Patrick: Merged.
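The "review login security", "systemcheck login security check" and "prevent login test" items above come down to two checks: reading an account's state from its /etc/shadow password field (so a bare <code>!</code> reports as "Locked (Absent)" rather than just "Locked"), and confirming su carries no setuid bit by inspecting its mode rather than trying to execute it. The block below is an added example for this page, not the systemcheck or helper-scripts code. Its assumptions: the function names, treating <code>*</code> the same way as <code>!</code>, and reading shadow-format lines from stdin so the constructed sample can stand in for the real /etc/shadow.

```sh
#!/bin/sh
# Added example; not systemcheck's or helper-scripts' own code. Classifies an
# account's password state from its /etc/shadow field and checks that su is
# setuid-free using stat instead of an execution attempt. Treating "*" like "!"
# and the function names are this example's assumptions. Shadow lines are read
# from stdin so the constructed sample below can replace the real /etc/shadow.

sample_shadow() {
cat <<'EOF'
root:!$6$constructed$notarealhash:20000:0:99999:7:::
user::20000:0:99999:7:::
sysmaint:!:20000:0:99999:7:::
EOF
}

# Map a shadow password field to the wording used by the login security check.
password_status() {
    case "$1" in
        "")                     echo "Absent" ;;           # no password at all
        "!"|"*"|"!!"|"!*"|"*!") echo "Locked (Absent)" ;;  # locked, no hash behind it
        "!"*|"*"*)              echo "Locked (Present)" ;; # locked, a hash is kept
        *)                      echo "Present" ;;          # usable password hash
    esac
}

# Password field of user $1 from shadow-format lines on stdin; exit 1 if the
# account does not exist (an empty field is a valid, "Absent" result).
shadow_field() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { if (!found) exit 1 }'
}

# One line per requested user: "<user> <status>".
login_report() {
    data=$(cat)
    for u in "$@"; do
        if field=$(printf '%s\n' "$data" | shadow_field "$u"); then
            printf '%-10s %s\n' "$u" "$(password_status "$field")"
        else
            printf '%-10s %s\n' "$u" "no such account"
        fi
    done
}

# "suid" or "nosuid" for file $1, decided from its octal mode via stat so the
# answer is the same whoever runs the check. Exit status 0 only for nosuid.
suid_status() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        4???|5???|6???|7???) echo "suid";   return 1 ;;  # setuid bit (04000) set
        *)                   echo "nosuid"; return 0 ;;
    esac
}
```

On a real system: <code>sudo cat /etc/shadow | login_report root user sysmaint</code> and <code>suid_status /usr/bin/su</code>. Using stat is what makes the su check usable from an unprivileged user session; the execution attempt shown above only proves the point for whichever account runs it.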
== reconsider qubes login security ==
* reconsider running systemcheck function check_login_security also inside Qubes
* at time of writing:
<pre>
[INFO] [systemcheck] Kicksecure Login Security Check:
+----------+--------------------------------------+
| Users    | Password          GUI Autologin      |
+----------+--------------------------------------+
| root     | Locked (Present)  Enabled            |
| user     | Absent            Enabled            |
| sysmaint | Locked            Enabled            |
+----------+--------------------------------------+
</pre>
* root account locked: important to check
* gui autologin: in user session, disable for root, sysmaint?
* Aaron: Implemented Qubes support: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/qubes-login-security
** For GUI autologin, I chose to mimic the behavior of the tool on non-Qubes platforms as much as possible by making it clear that both the default user *and* the sysmaint account were considered as having "autologin" enabled. This isn't totally identical to display manager autologin, so I didn't implement this in helper-scripts /usr/sbin/autologinchange, but instead implemented it directly in systemcheck since applications should be using separate handlers for Qubes "autologin" and lightdm/sddm autologin.
** Patrick: Merged.
== Qubes-Whonix qrexec review ==
* threat model: compromised workstation
* please review all qrexec services and see if these could be used to produce an IP leak from Whonix-Workstation
* check for privacy issues
* fix in case issues are found
* Aaron: Audited, could not find any way to cause an IP leak without lots of user interaction. Did find at least one possible way to cause one with user interaction.
** Filed feature request: https://github.com/QubesOS/qubes-issues/issues/10051
** Patch to implement: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/22
*** Patrick: Please implement as suggested by Marek.
**** Aaron: Implemented, left some notes about shortcomings of the current implementation and suggestions for how to further improve things. Waiting on further discussion.
**** Aaron: Awaiting merge, this will be able to be moved to archived once done.
***** Merged.
== Debian on true read-only filesystem without ephemeral overlay ==
* in preparation for verified boot implementation
* research
* investigate, document which locations require ephemeral overlays
* investigate, document which locations are useful to persist even when booting with verified boot such as logs
* report bugs or missing features upstream (so we have something to point to to justify our implementation)
* Aaron: Got vanilla Debian 12 Xfce to get to a functional GUI with a read-only root filesystem.
** Needed to mount a tmpfs to the following directories:
*** <code>/tmp</code>
*** <code>/var/tmp</code>
*** Both of these are simply expected to be world-writable by systemd, see https://systemd.io/TEMPORARY_DIRECTORIES/ and https://github.com/systemd/systemd/issues/17701#issuecomment-734302274
** Needed to mount tmpfs overlays to the following directories:
*** /var/lib/lightdm
*** /home
** In actual use, <code>/home</code> would probably be on a separate partition, as would <code>/var</code> unless aiming for it to be non-persistent. Note that Fedora Silverblue operates in a similar fashion - <code>/var</code> is a separate partition, and <code>/home</code> is mounted from it.
** exim4 and anacron failed to start. anacron complains that it cannot open the timestamp file for job <code>cron.daily</code>, while exim4 complains it cannot touch <code>/var/lib/exim4/config.autogenerated.tmp</code>. Having <code>/var</code> writable would resolve this.
** Once the GUI came up, LibreOffice and Firefox ESR both were able to launch. Web browsing in Firefox seemed to operate normally.
** Should repeat this test, but with Kicksecure 17 rather than a plain Debian VM.
* Aaron: Got Kicksecure 17 to boot directly to a GUI using a read-only root filesystem.
** Reused same mounts as above, except I overlaid all of <code>/var</code> with a tmpfs, and also used a systemd unit to automate the overlay setup process.
** sdwdate-pre.service fails because it is unable to write <code>/usr/libexec/sdwdate/sclockadj</code>. Could be easily ported to drop the file under <code>/run</code> instead.
** swap-file-creator.service fails for obvious reasons
** sysmaint boot malfunctions, at least in part because <code>/etc/passwd</code> can no longer be written to in order to unlock the sysmaint account
** Firefox ESR works when booted into a user session
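The read-only root experiments above (and the live-hardener unit whose efivars failure is logged earlier on this page) all reduce to the same mount sequence: a plain tmpfs for the scratch directories systemd expects to be world-writable, and an overlay with tmpfs-backed upper and work directories for locations such as /var, /home and /var/lib/lightdm. The block below is an added example written for this page, not grub-live's overlay-mount.sh, live-hardener, or the systemd unit Aaron used. Its assumptions: the /run/overlay&lt;name&gt; backing location, an <code>OVERLAY_DRY_RUN=1</code> switch that prints the commands instead of running them (which is also how the block is exercised without root), <code>OVERLAY_MOUNTS</code> pointing at a /proc/mounts-format file, and the list of pseudo-filesystems refused as a lower layer.

```sh
#!/bin/sh
# Added example, not grub-live's overlay-mount.sh or live-hardener: the mount
# sequence behind the tmpfs and overlay setup described on this page. Plain tmpfs
# for /tmp and /var/tmp, overlayfs for /var and /home with a tmpfs holding the
# upper and work dirs (overlayfs requires both on one filesystem). Assumptions of
# this example: the /run/overlay<name> backing location, OVERLAY_DRY_RUN=1
# (print commands instead of running them), OVERLAY_MOUNTS (a /proc/mounts-format
# file to inspect instead of the live one), and the refused-filesystem list.

run() {
    if [ "${OVERLAY_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Filesystem type mounted at $1, from /proc/mounts-format lines on stdin
# (last entry wins, since later mounts shadow earlier ones); empty if none.
fstype_at() {
    awk -v d="$1" '$2 == d { t = $3 } END { print t }'
}

# Pseudo-filesystems overlayfs will not take as lowerdir; the efivarfs failure
# logged on this page is one instance. (The list is this example's assumption.)
unsupported_lower() {
    case "$1" in efivarfs|proc|sysfs|cgroup2|securityfs|debugfs) return 0 ;; *) return 1 ;; esac
}

# World-writable scratch directory on its own tmpfs, as systemd expects of
# /tmp and /var/tmp (sticky bit via mode=1777).
plain_tmpfs() {
    run mount -t tmpfs -o "size=${2:-256M},mode=1777,nosuid,nodev" tmpfs "$1"
}

# Writable, discarded-on-reboot overlay over directory $1, backed by a tmpfs of
# size $2. Mounting the overlay onto its own lowerdir path is deliberate: the
# read-only content stays visible and writes land in the tmpfs upper dir.
overlay_tmpfs() {
    dir="$1"; size="${2:-256M}"
    base="/run/overlay$(printf '%s' "$dir" | tr '/' '_')"
    fstype=$(fstype_at "$dir" < "${OVERLAY_MOUNTS:-/proc/mounts}")
    if unsupported_lower "$fstype"; then
        printf 'refusing to overlay %s: %s cannot be a lower layer\n' "$dir" "$fstype" >&2
        return 1
    fi
    run mkdir -p "$base"
    run mount -t tmpfs -o "size=$size,mode=0755" tmpfs "$base"
    run mkdir -p "$base/upper" "$base/work"
    run mount -t overlay -o "lowerdir=$dir,upperdir=$base/upper,workdir=$base/work" overlay "$dir"
}

# The set from the read-only Kicksecure 17 experiment: all of /var overlaid,
# then the scratch tmpfs mounts, then /home. /var goes first because a mount
# placed on /var afterwards would hide an earlier /var/tmp submount.
setup_ephemeral_writes() {
    rc=0
    overlay_tmpfs /var 512M   || rc=1
    plain_tmpfs /var/tmp 256M || rc=1
    plain_tmpfs /tmp 512M     || rc=1
    overlay_tmpfs /home 1G    || rc=1
    return $rc
}
```

Run <code>OVERLAY_DRY_RUN=1 sh this.sh</code> style checks first to see the exact mount lines; as root without the switch they are executed. The size argument is the knob the dracut/overlay-mount.sh size parameter item on this page is about: a tmpfs with no explicit size defaults to half of RAM, which is rarely what a RAM-wipe-conscious setup wants.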
== investigate networkmanager issue ==
* Kicksecure
<pre>
Mar 25 10:11:41 localhost NetworkManager[990]: [1742911901.7721] failed to open /run/network/ifstate
</pre>
* issue or safely ignored?
** Aaron: I believe this can be safely ignored, /run/network is an ifupdown thing that (to my awareness) we don't use in Kicksecure. Added a line to systemcheck to silence the warning.
== browser-choice - improvements ==
* Should use <code>&&</code> instead of <code>;</code>?
<pre>
usr/share/browser-choice/plugins/chromium.txt:update-and-install-script=pkexec bash -c -- 'apt-get update; apt-get-noninteractive -y install chromium'
usr/share/browser-choice/plugins/firefox.txt:update-and-install-script=pkexec bash -c -- 'apt-get update; apt-get-noninteractive -y install firefox-esr'
usr/share/browser-choice/plugins/firefox.txt:install-script=pkexec bash -c -- 'extrepo enable mozilla; apt-get update; apt-get-noninteractive -y install firefox'
</pre>
* There might be more such cases. (I did only grep for <code>update;</code>.)
** Aaron: Fixed.
* always "set -x" for transparency
** Aaron: Done, except in places where command output is invisible or would cause confusion. (All installation and removal routines have "set -x" enabled.)
* feature request: Please make text copy/pasteable (useful for users so they can ask for support).
** Aaron: Done for labels, Qt doesn't appear to allow me to do this for radio buttons and checkboxes.
* feature request: always show commands executed in browser choice's console window (this is for transparency - user should be able to follow that's happening under the hood. this enables more users to follow what is going on, debug, etc.)
** Aaron: We get this for free by using "set -x", which is now done.
* feature request: allow maximizing browser choice console window
** Aaron: Implemented.
* bug: after installing Brave Browser using APT using Browser Choice, clicking the browser icon in Xfce (quick start menu), Browser Choice reports that no browser is installed - even though Brave Browser has been installed.
** Aaron: open-link-confirmation issue, fixed here: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser
* Tor Browser installation: failed - because package tb-updater is not installed. Solution? Install tb-updater, tb-starter using APT first if not yet installed. But this is a problem. Because tb-updater/tb-starter installation requires root. running update-torbrowser does not. Perhaps we should install tb-updater/tb-starter by default?
** Aaron: Installing tb-updater and tb-starter by default sounds like a good idea. Implemented.
** tb-starter by default might add a confusing start menu entry. Perhaps acceptable.
*** Aaron: It does, but it's not horrible.
** Should tb-default-browser be installed?
*** Aaron: No, this overrides open-link-confirmation.
** Best to add support for running update-torbrowser in sysmaint session for simplicity?
*** Aaron: Requires enumerating users on the system, presenting them to the user to ask them which one to install Tor Browser as, then it would need to do that. Would be complicated to implement in tb-updater itself most likely, as we would need the UI and backend layers to be separate so the backend could run as the target user while the frontend operated as the sysmaint user, but the two sides would need to be able to communicate. This preferably would be avoided as tb-updater is already very complicated. This could potentially be hacked around with a "helper" that would simply run <code>sudo -E -u user update-torbrowser</code> (replacing "user" as appropriate). This trick would break under Wayland though due to Wayland socket permissions and would require potentially dangerous "opening up" of security to overcome.
*** Similar to running dist-installer-cli in sysmaint but installing to account "user".
*** Security impact?
*** Then all actions could be run from within sysmaint session. Less exceptions. Less user confusion.
**** Aaron: Having to pick which user to install the browser as, might be more confusing? "Install system wide" is easy to understand, "install as current user" is easy to understand, "pick the user to install as" is a weird concept not usually encountered.
* "click done to exit this wizard" -> Please expand "You can restart this wizard any time by ..."
** Aaron: Implemented.
* feature request: advice user on how to start the installed browser
** Aaron: Implemented.
* feature request: ask to start the browser after installation (will be limited due to sysmaint versus user session - but useful for browsers such as Tor Browser)
** Aaron: This was already implemented and works in my testing.
* feature request: ability to start an already installed browser from browser choice?
** Aaron: Implemented. Also made it so that if browser-choice is called as <code>browser-choice https://example.com</code>, launching a browser from within browser-choice will also pass the URL to it so that it immediately opens in the chosen browser (this enhances integration with open-link-confirmation).
* feature request: in user session, some options are not possible. The window is then grayed out. This is good. Please add a sysmaint notice. (I am sure users will ignore the sysmaint popup or not understand it, then post a screenshot of the grayed out window and ask how. This is a feature request to prevent that.)
** Aaron: Implemented sorta, I had to change how the option restriction mechanism worked in order to add a working launch feature, and in so doing added "(Sysmaint mode required)" strings to options that aren't available in sysmaint mode. This should serve a similar purpose.
* feature request: clarify "system-wide". Users will have trouble to understand which options are available in user session (Tor Browser) versus
** Aaron: Done.
* feature request: increase default size of screen so all browsers are visible by default?
** Aaron: Implemented.
* feature request: allow all screens to maximize?
** Aaron: Not sure how you mean - popup dialogs probably shouldn't be maximizable? All wizard screens can be maximized now though.
* Aaron: browser-choice overhaul: https://github.com/ArrayBolt3/browser-choice/commit/2a54e9011e4ad55448c76e3a2433a496ad419c17
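The <code>;</code> versus <code>&&</code> item in this list is a correctness point for privileged installs: the plugin snippets run as <code>bash -c -- '...'</code> under pkexec, and with <code>;</code> a failed repository enable or apt-get update does not stop the install that follows, while the exit status handed back to the GUI is that of the last command only. The block below is an added example written for this page, not browser-choice code. It contrasts the three chaining styles with constructed stand-in steps (<code>false</code> in place of the failing command) and adds a lint over grep-style plugin lines that catches every <code>*-script=</code> entry still using <code>;</code>, not only the <code>update;</code> spelling that was grepped for. The sample plugin lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not browser-choice's code: why ';' in the plugin install
# snippets matters, plus a lint for remaining cases. The stand-in steps (false,
# echo) and the sample plugin lines are constructed, not taken from the project.

# The same two steps chained three ways. Output "INSTALL-RAN" means the install
# step executed although the step before it failed.
chain_semicolon() { sh -c 'false; echo INSTALL-RAN'; }            # exit 0, install ran
chain_and()       { sh -c 'false && echo INSTALL-RAN'; }          # exit 1, install skipped
chain_errexit()   { sh -c 'set -e -x; false; echo INSTALL-RAN'; } # exit 1, each command traced

# Lint: read grep-style "file:key=command" plugin lines on stdin and print the
# file:key of every *-script entry whose command still contains ';'.
# Exit status 1 if any were found, so it can gate a build.
find_semicolon_chains() {
    awk -F'=' '
        $1 ~ /-script$/ {
            cmd = substr($0, length($1) + 2)   # everything after the first "="
            if (cmd ~ /;/) { print $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample in the format of `grep -r -- -script= usr/share/browser-choice/plugins`.
sample_plugins() {
cat <<'EOF'
chromium.txt:update-and-install-script=pkexec bash -c -- 'apt-get update; apt-get-noninteractive -y install chromium'
firefox.txt:install-script=pkexec bash -c -- 'extrepo enable mozilla && apt-get update && apt-get-noninteractive -y install firefox'
firefox.txt:install-status=dpkg-query -s firefox
EOF
}
```

<code>set -e -x</code> inside the <code>bash -c</code> string gives both properties the later items in this list ask for: the chain stops at the first failing step, and every command is echoed to the console window as it runs. The lint is meant to be run over the real plugin directory, e.g. <code>grep -r -- -script= usr/share/browser-choice/plugins | find_semicolon_chains</code>.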
== browser-choice - integrations ==
* Kicksecure: no longer install firefox, thunderbird by default
* make browser-choice the default browser? (lowest priority so it does not take effect over other installed browsers)
* other required or useful integrations?
* Aaron: Implemented:
** browser-choice: https://github.com/ArrayBolt3/browser-choice/commit/8498e02b0afa5e3c107877d057c849e12cc76514 Code and UX improvements, including better guidance about what to do if you're trying to install browsers in a user session.
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser Adds browser-choice as a low-priority default browser.
*** Should we be adding other browsers that we advertise in browser-choice here, i.e. Mullvad and Brave? Mullvad's "set as default" feature fails silently, so this may be the only way for some users to get a default browser if they choose something non-standard.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/default-browser Added a button for launching Browser Choice, since this is going to be vitally necessary.
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/default-browser Removed firefox-esr from dependencies, added browser-choice. (Note that dummy-dependency still provides firefox-esr, I wasn't sure whether I should remove that or not. I'd argue it should not be removed, if the user has some other package that "requires" firefox-esr and we remove dummy-dependency's "provides firefox-esr", it may result in the user's package manager getting stuck or trying to force installation of firefox-esr.)
** anon-meta-packages: https://github.com/ArrayBolt3/anon-meta-packages/tree/arraybolt3/default-browser Removed thunderbird from dependencies, added browser-choice.
** Unrelated, but I also ended up reviewing derivative-maker changes and did some fixes to derivative-update and approx caching while I was there: https://github.com/ArrayBolt3/derivative-maker/commit/58ed8b162dcc868ff8d5e5d57f0066b8a42b82c5
* Patrick: All merged.
== browser-choice - integrations - #2 ==
* add to Qubes Kicksecure Template default Qubes app menu
** Aaron: Added.
* integration with setup-wizard-dist?
** mention Browser Choice in setup-wizard-dist?
*** Aaron: Good idea, added.
** add a button to start Browser Choice from setup-wizard-dist?
*** Aaron: This may not be helpful - both Whonix-Workstation and Kicksecure come with user-sysmaint-split by default, so launching Browser Choice on first user session boot could be confusing.
** port setup-wizard-dist to designer for prettification?
*** Aaron: I don't think this is necessary, the application seems to be "pretty" enough and it isn't complicated enough for the extra abstraction of using Designer to be useful IMO.
* open-link-confirmation: If no browser is installed yet in sysmaint mode, it advises the user "boot into user session" but that would be not of much help, because no browser is installed yet. Please add a message in such cases "open-link-confirmation could not detect an installed browser yet. Consider using a different device or VM to open the link or install a browser." (Needs polishing.)
** Aaron: This is a bit tricky to do for multiple reasons:
*** We'd have to load the <code>install-status</code> snippets from browser-choice and execute them in open-link-confirmation in order to check for the existence of a web browser. This is technically feasible (the <code>install-status</code> snippets are simply Bash code), but complicated and makes me a bit nervous.
*** User-specific browsers can fool a naive approach that simply runs the <code>install-status</code> snippets - if the user has installed Tor Browser in a sysmaint session, the torbrowser check will pass.
*** Ignoring user-specific browsers will result in some users being told they have no browser installed when they do have a browser installed.
*** Checking for user-specific browsers isn't possible because we don't know which user account the user will log into ahead of time.
*** The best way of doing this autodetection I can see is to look for system-wide browsers using browser-choice's plugin code, and suggest the user install a browser if no system-wide browsers are found (noting that this may not be necessary if the user has a user-specific browser installed).
*** A simpler solution, and the one I started out with to avoid overcomplicating things, is to change the last line of the message to say "Ensure a suitable web browser is installed, then reboot into...". This leaves it to the user to decide whether a suitable browser is actually installed or not, something they are better-equipped to do than the program is.
* Aaron: Implemented:
** qubes-template-kicksecure: https://github.com/ArrayBolt3/qubes-template-kicksecure
** setup-wizard-dist: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/browser-choice
** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/default-browser
* Patrick: All merged.
== livecheck - improvements ==
* bug: clicking on the "persistent mode" link does nothing (also no error when run from terminal)
* feature request: make text copy/pasteable
* feature request: improve the right click menu a bit. (show the name of the application "livecheck" to have some context what it is about)
* Aaron: Implemented, but wasn't sure about the UX for adding the Livecheck name to the applet, so I made two different implementations. '''Only one should be merged,''' pick whichever one you like more (screenshots shared in chat). Both variants have the link bug fixed and the text copy-pastable.
** Applet name under exit button: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-enhance
*** Patrick: Merged.
** Applet name as part of exit button: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-enhance-alt
*** Patrick: Ignored.
== test all vms - systemcheck --verbose --leak-tests ==
* KS, GW, WS:
** <code>systemcheck --verbose --leak-tests</code>
* some new issues: apparmor, erst disable
* please investigate
* maybe unfixable:
** Aaron: Very likely unfixable or too difficult to fix, as we'd have to somehow request info from the vboxsf driver about what mount tags are available. Silenced via /etc/systemcheck.d/30_default.conf.
<pre>
Jul 18 06:31:08 localhost mount-shared[855]: /sbin/mount.vboxsf: mounting failed with the error: No such file or directory
Jul 18 06:31:08 localhost kernel: vboxsf: Host rejected mount of 'shared' with error -2
</pre>
* only inside KVM, do not run in VBox (spice-vdagentd.service systemd drop-in file required in vm-config-dist probably):
** Aaron: Cannot reproduce with virt-manager or with bare QEMU+KVM, did not attempt to mitigate.
<pre>
Jul 18 06:31:08 localhost systemd[1]: spice-vdagentd.service: Failed to parse PID from file /run/spice-vdagentd/spice-vdagentd.pid: Invalid argument
</pre>
* fixable:
** Aaron: Fixed.
<pre>
Jul 22 10:15:47 host mount-shared[815]: accountctl: [ERROR]: User does not exist: 'sysmaint'
</pre>
* apparmor:
** Aaron: fixed.
<pre>
/usr/libexec/systemcheck/check_tor_socks_or_trans_port.bsh: line 116: /usr/bin/curl.anondist-orig: Permission denied
</pre>
* Aaron: Fixes and workarounds implemented:
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/warn-fix
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/systemcheck-warn-fix
** vm-config-dist: https://github.com/ArrayBolt3/vm-config-dist/tree/arraybolt3/enhance
** sdwdate: https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/qubes
* Patrick: All merged.
== document debian versus read-only root file system without overlay issues ==
* document on [[Verified Boot]]
* mention on [[Dev/user-sysmaint-split]]
* Aaron: Added documentation.
== user-sysmaint-split: fix Whonix-Workstation StandaloneVM breakage ==
* newly created Whonix-Workstation StandaloneVM suffers from a number of issues:
** default NetVM is sys-firewall, not sys-whonix
** <code>/dev/xvdb</code> is unformatted and blank, resulting in mount failure, which ends up preventing the VM from booting to the point where graphical windows can be displayed
** apt still attempts to use the TemplateVM proxy for downloads
* fedora-41-xfce and debian-12-xfce both work without issues
* we're likely failing to pull in a necessary service in sysmaint sessions
* Aaron: Fixes for most issues: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/qubes-standalone
** Patrick: Merged.
** Issue filed for the NetVM problem: https://github.com/QubesOS/qubes-issues/issues/10067
*** PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/23
**** Merged. Can this be archived?
== stable vs rolling - create ticket ==
* mention efforts towards Debian rolling and its failure
* mention rolling not necessarily more secure
* link to the wiki https://www.kicksecure.com/wiki/Dev/Stable_vs_Rolling_Distributions
* purpose of ticket: to get the discussion started with the purpose of improving our developer documentation, problems and future solution tickets
* Aaron: Ticket created: https://forums.kicksecure.com/t/rolling-vs-stable-release-brainstorming/1139
== browser choice - #3 ==
* bug: mozilla repository warning gone? please re-add
* Please add third-party APT repository warning and link to the wiki where applicable.
* Perhaps some repetitive warnings should be declarative and a special box?
** such as: https://www.kicksecure.com/wiki/Install_Software#Third_Party_Repository_Warning
** and: https://www.kicksecure.com/wiki/Install_Software#Programs_in_Home_Folder
* Aaron: Added additional warnings for third-party APT repositories, plus a general warning for software installation risks.
** Also created https://www.kicksecure.com/wiki/Install_Software#Trust_Considerations to link to in the general risks warning.
== browser choice - #2 ==
* simplify mozilla stable helper: simply ship/hardcode/add the key or better use extrepo (already installed by default)
* Check for network access and warn the user if it is not available
** implement as global "plug-in"? (or hardcoded for Kicksecure)
** do it similarly to /usr/libexec/systemcheck/updatecheck
** convert the "am I online" / "do i have internet access" check in /usr/libexec/systemcheck/updatecheck into a helper-script shell library
* Don't show the launch checkbox when running in sysmaint sessions
* Naming considerations? Right now the program calls itself "Application Chooser" in the window titlebar, but "Browser Choice" in the application menu (since "Application Chooser" sounds very generic). -> let's settle on Browser Choice (as long as we don't implement a full blown app store)
* add browser plugins:
** Mullvad Browser
** Brave Browser
* Test on Qubes OS
* Test on Whonix-Workstation
* Add warning popup when run in a Qubes OS AppVM (this is mentioned in the spec but not yet implemented)
* remove /home/aaron string from applyingchangespage.ui
* Implementation (mostly tested, could use one more thorough methodical test but should be merge-ready)
** browser-choice: https://github.com/ArrayBolt3/browser-choice/tree/master
*** Patrick: Merged.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/network-check
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/refactor-network-check
*** Patrick: Merged.
== sysmaint-panel and browser-choice - build improvements ==
* implement "make" and "make clean" as discussed
* run build-ui.sh from an override_dh_build section in debian/rules
* no longer add autogenerated files to git source code folder
* improve name of "core" files
* Aaron: Implemented:
** browser-choice: https://github.com/ArrayBolt3/browser-choice/commit/14e029beca186de22bc4c82c184c14a1a769272d
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/ui-refactor
== browser choice ==
* [[Dev/browser-choice]]
* please implement
* Alpha-quality implementation: https://github.com/ArrayBolt3/browser-choice
* Known issues:
** The last page of the wizard has a ridiculous amount of empty space in it, the wizard window needs to resize itself on the last step to fix this.
*** Fixed.
** The precheck and postcheck scripts aren't being run at all.
*** Precheck and postcheck scripts removed, they are difficult to implement as a separate field if the check scripts require privileges without resulting in multiple password prompts. Moreover, apt does package consistency checks before installing or removing software and will error out if things are problematic. If a particular installation or removal routine does require consistency checks, those can be built directly into the install/remove/purge command lines.
** Quite a bit of variable naming could stand to be better.
*** Renamed a bunch of things for clarity.
** Chromium Flatpak doesn't install for reasons discussed in chat.
*** Fixed, unverified flatpak warning added.
** Tor Browser won't launch in sysmaint mode due to (I think) a particular systemd unit not being started. Unsure if we want to do anything about that.
*** Changed handling mechanism so that whether a browser can be managed in user mode or not is up to capability scripts. Also allowed user-sysmaint-split to be run in a user session.
** Logging is ephemeral and all logs are lost as soon as you continue past the "Applying Software Changes" screen. We need to be logging to a file, not just to the display.
*** Real logging is now implemented.
** The Mozilla apt repository version of Firefox cannot be installed, as the helper script needed for it hasn't been written yet.
*** Script is now written and appears to be functional when tested.
* Further ideas for consideration:
** Check for network access and warn the user if it is not available?
** Don't show the launch checkbox when running in sysmaint sessions? That checkbox makes it worryingly easy to launch a web browser in a sysmaint session, something we've worked to avoid.
** Naming considerations? Right now the program calls itself "Application Chooser" in the window titlebar, but "Browser Choice" in the application menu (since "Application Chooser" sounds very generic).
** Add Mullvad Browser plugin?
** Add plugins for email clients and ensure the application works in that scenario? Maybe chat clients too?
*** (Tabs currently don't have special considerations made for them as far as alphabetizing, so there probably is some additional work needed to make the experience perfect in that regard.)
* Further TODOs:
** Test on Qubes OS
** Test on Whonix-Workstation
** Add warning popup when run in a Qubes OS AppVM (this is mentioned in the spec but not yet implemented)
== user-sysmaint-split - Whonix-Gateway ==
* think through what verified_boot=on versus verified_boot=off should do on Whonix-Gateway
* document on [[Dev/user-sysmaint-split]]
** Create a new "VERIFIED Mode | USER Session | daily activities" that is essentially live mode but with /home persistent and dm-verity enabled.
** This should be used for verified boot in general most likely.
** Patrick: Any immediate changes useful on Whonix-Gateway long as verified boot does not get implemented?
*** Aaron: Not that I'm aware of.
** Patrick: If verified boot gets enabled on Whonix-Gateway, how the user would modify system Tor configuration? Use /usr/local similar as it is done in Qubes-Whonix?
*** Aaron: Users could apply Tor configuration the same way as they always would, it would simply be reset on reboot. For persistent changes, users would boot into <code>PERSISTENT Mode | USER Session | power user activities</code>, and make their changes. This is somewhat similar to sysmaint mode, but not as restrictive. A better way to do this could be to allow the user to store their Tor (and maybe specific other system wide) configuration files somewhere that requires admin permissions to modify, but that is not protected by verified boot - perhaps we need to add the concept of a "configuration volume" to our verified boot documentation?
**** Patrick: Yes, we might need something similar to Qubes bind-dirs. In case of Tor, we do already support /usr/local/etc/torrc'''.d''' as documented in https://www.whonix.org/wiki/Tor#Edit_Tor_Configuration
** Patrick: If "PERSISTENT Mode | USER Session" gets renamed to verified mode, that seems to blur the boundary between persistent mode and live mode? Maybe we don't need to rename any boot modes but implement verified boot invisible to the user? Because if we s/persistent/verified, how would we rename live mode?
*** Aaron: Verified mode won't replace persistent mode unless user-sysmaint-split is installed. Persistent mode will still have a use.
**** Patrick: What is the use case of unverified persistent mode if verified persistent mode is available?
**** Aaron: Necessary to do things like updating software or making persistent configuration changes. Software updates and reconfiguration can be done in verified mode but those changes will be lost upon reboot.
**** Patrick: In case unverified vs verified persistent mode has a use case that we want to support, how would we name unverified live mode versus verified live mode? (That is, in case if there is a use case for unverified live mode that we want to support.)
**** Aaron: Current suggested naming is "VERIFIED Mode" and "PERSISTENT Mode", but maybe "VERIFIED Mode" and "UNVERIFIED Mode" or "VERIFIED Mode" and "UPDATE Mode" would be better? Should discuss in chat.
== dracut initrd compression ==
* research compression options
* probably use zstd
* Done: https://forums.kicksecure.com/t/dracut-compression-research/1131
** Would suggest using <code>xz</code>, but <code>zstd</code> is quite good also.
* Patrick: See forum thread.
* Patrick: Please investigate why our initrd is uncompressed by default since dracut allegedly uses <code>zstd</code> by default.
* Patrick: Please test Fedora's configuration snippet (linked in above forum thread).
* Aaron: Our initrd is gzip-compressed by default. The note about zstd compression defaults in Fedora CoreOS's configuration is not saying that the dracut default is zstd to my awareness, it's saying they're reusing the default settings dracut uses for zstd when zstd is used. From the Dracut manual, "If you pass it just the name of a compression program, it will call that program with known-working arguments."
* Aaron: Tested configuration snippet, performed worse than xz in all metrics.
* Patrick: Please implement xz.
* Aaron: Done: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/initrd-compress
** Implemented as a file directly in /etc/dracut.conf.d, since if the user chooses to modify this file, I believe this ''should'' trigger a conffile prompt if we ever modify this again.
** Tested in a VM, appears to work. It does ''not'' immediately regenerate the initramfs, but it will have an effect the next time the initramfs is regenerated. I believe this is the desired behavior (making the initramfs be regenerated every time dist-base-files is updated would be excessive).
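The question of what the initrd is actually compressed with, raised above, is easiest to settle by looking at the image itself rather than at what a configuration file claims. The following is an added example, not code from dist-base-files or dracut: it reads the leading magic bytes of an initrd image and names the compressor. It takes the image path as its first argument (e.g. <code>/boot/initrd.img-$(uname -r)</code>, an assumed path); with no argument it runs on constructed sample files that contain only magic bytes.

```shell
#!/bin/bash
# Added example, not code from dist-base-files or dracut: report which
# compressor an initrd image starts with, by inspecting its magic bytes.
set -e

# Print the compression format of the file given as $1.
# Caveat: dracut can prepend an uncompressed "early cpio" (CPU microcode);
# then the leading magic is the cpio magic "070701" and the compressed main
# image follows further in. This function only looks at the first bytes.
initrd_compression() {
  local file="$1" magic
  # First six bytes as a lowercase hex string without separators.
  magic=$(od -An -N6 -tx1 -- "$file" | tr -d ' \n')
  case "$magic" in
    1f8b*)         echo gzip ;;    # 1f 8b
    fd377a585a00)  echo xz ;;      # fd 37 7a 58 5a 00
    28b52ffd*)     echo zstd ;;    # 28 b5 2f fd
    425a68*)       echo bzip2 ;;   # "BZh"
    04224d18*)     echo lz4 ;;     # lz4 frame magic
    894c5a4f*)     echo lzop ;;    # 89 "LZO"
    5d0000*)       echo lzma ;;    # legacy .lzma header
    303730373031*) echo cpio ;;    # "070701": uncompressed newc cpio (or early-cpio prefix)
    *)             echo unknown ;;
  esac
}

# Stand-alone demo on constructed sample files (magic bytes only, not real initrds).
demo_initrd_compression() {
  local dir name
  dir=$(mktemp -d)
  printf '\037\213\010\000' > "$dir/gzip.img"
  printf '\375\067\172\130\132\000' > "$dir/xz.img"
  printf '\050\265\057\375' > "$dir/zstd.img"
  printf '070701' > "$dir/early-cpio.img"
  for name in gzip xz zstd early-cpio; do
    printf '%s -> %s\n' "$name.img" "$(initrd_compression "$dir/$name.img")"
  done
  rm -rf -- "$dir"
}

if [ -n "${1-}" ]; then
  initrd_compression "$1"     # e.g. /boot/initrd.img-$(uname -r)
else
  demo_initrd_compression
fi
```

Run it against the regenerated initrd after changing the <code>/etc/dracut.conf.d</code> snippet to confirm the setting took effect. A result of <code>cpio</code> means the image starts with an uncompressed early-cpio archive, and the main image's compressor has to be checked past the end of that first archive.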
== qubes integration - missing default start menu entry ==
* missing by default:
** Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → User Firewall Settings
** Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Global Firewall Settings
* please do a full review for all of Qubes-Whonix for which other default start menu entries could/should be added where appropriate
* please do a full review for all of Kicksecure for which other default start menu entries could/should be added where appropriate
* Aaron: Made the following changes:
** Kicksecure AppVM: Include Settings Manager, for better feature parity with the Debian 12 AppVM
** Kicksecure TemplateVM: Remove thunar and add
= backlog - one day =
== calamares - make 3.3.12 available in Bookworm ==
* necessary to fix bugs related to the disk encryption user interface
* Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
** Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
** 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after that I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
** 3.3.12 was uploaded but was slightly wonky, wasn't migrating, maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem, should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
* Backport 3.3.12 after it is available in Trixie
** Backport submitted to Debian Mentors, review requested from maintainer.
** Moving to backlog because the maintainer ultimately did not appear willing to help with this. We're porting to Trixie now, so this is probably no longer necessary.
== lightdm ssdm ==
* bug report: https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/11
* cause of bug could be in rads or security-misc
* Unable to reproduce bug, request for more information at https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/13
* More information received, need to retry this one more time
* Tested, finally managed to partially reproduce. Issue appears to be in SDDM.
* Aaron: Debugging complete, bug report with fix filed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089004
** Moving to backlog because of no response to report. Due to Debian policy for stable releases this bug will most likely never be fixed in Bookworm.
== fix Qubes OS kloak implementation behavior with XFCE apps ==
* When dragging XFCE applications in Whonix-Workstation by their menu bar (directly underneath the title bar), the window moves erratically across the screen
* Hover is silently failing to function properly in XFCE application menus
* Hover seems to work just fine in Tor Browser
* May have been a random bug, cannot reproduce now. Bring back from backlog if a way to reproduce this is discovered.
== calamares - enable GRUB force_efi_extra_removable ==
* todo
* if applicable
* PR: https://github.com/calamares/calamares/pull/2446
* Pending discussion.
* Unlikely to be implemented, the current "workaround" appears to be the intended way to implement this sort of thing.
== apt-get - implement --restrict-install-recommends proof of concept ==
* todo
== Debian Installer Verification ==
* after live-build review queue made progress maybe
== Qubes doas ticket ==
* feature request doas support for Qubes
* ask if Qubes would accept doas configuration snippets
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* Ticket filed as an enhancement request: https://github.com/QubesOS/qubes-issues/issues/9599
* Backlogged, we're going sudoless rather than porting to doas for now.
== Qubes umask ticket ==
* /etc/sudoers.d/umask
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* This was only needed if migrating to doas. Superseded by sudoless mode, moved to backlog
== investigate porting from sudo to doas ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482
* can our /etc/sudoers.d snippets be ported to doas? is doas powerful enough for our requirements based on our already existing /etc/sudoers.d snippets?
* could we have a system that no longer requires sudo or would we end up with a system that comes with both, sudo and doas? ("double" attack surface)
* use ReplaceText as a wiki search engine to find our current uses of sudo because these would need to be ported to doas
** https://www.kicksecure.com/wiki/Special:ReplaceText
** https://www.whonix.org/wiki/Special:ReplaceText
** search terms:
** sudo
** lxsudo
* Ensure sudoers.d config files used in Kicksecure and Whonix on Qubes OS can be ported to doas
* Did an audit of all uses of sudo in kicksecure and whonix codebases, and how difficult they should be to port to doas. Results: https://gist.github.com/ArrayBolt3/6699ec4c631fec28e1f4c0a2e657fcd7
* Superseded by sudoless mode, moved to backlog
== doas - send pull requests to Qubes ==
* [[Dev/todo#Qubes_doas_ticket|Qubes doas ticket]] might be unlikely to get rejected. But replies could take a while.
* Please send pull requests. Since it is only 2 packages, 3 files the wasted effort if this gets rejected might be low enough?
<pre>
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask
qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
</pre>
* Superseded by sudoless mode, moved to backlog
== create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator ==
* parse /usr/local/etc/doas.d
* parse /etc/doas.d
* parse only configuration files ending with <code>.conf</code>
* do not overwrite a file that does not contain our auto generated configuration file (could be user custom file)
** echo a warning in that case
* atomic, create variable then use sponge
* add to security-misc
* add a dpkg trigger
* <code>/etc/doas.conf</code> would require a header pointing out it is auto-generated.
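An added example of the generator these bullets describe (it is not security-misc's own code): it concatenates the <code>*.conf</code> snippets of the given directories under an auto-generation header modelled on the sample below, refuses to overwrite a target file that does not carry that header (a user's hand-written file), and replaces the target atomically. Paths are parameters so it can be exercised against temporary directories; the production paths <code>/etc/doas.d</code>, <code>/usr/local/etc/doas.d</code> and <code>/etc/doas.conf</code> are assumptions taken from the task title. For the atomic replacement it uses a temporary file plus <code>mv</code> in place of <code>sponge</code>, so it has no moreutils dependency.

```shell
#!/bin/bash
# Added example, not security-misc's own code: assemble /etc/doas.conf from
# per-package snippet directories. Paths are parameters; the production paths
# (/etc/doas.d, /usr/local/etc/doas.d, /etc/doas.conf) are assumed from the task.
set -e

# Marker line that identifies a file as generated by this script.
DOAS_GEN_MARKER='## This file was auto generated by'

# Print the assembled configuration to stdout: header first, then every *.conf
# snippet of each directory in sorted (glob) order. Directories are processed in
# the order given; doas applies the last matching rule, so pass the admin's
# override directory (/usr/local/etc/doas.d) last.
# Usage: doas_conf_build DIR...
doas_conf_build() {
  local dir f
  printf '%s\n' \
    '## Do not edit this file!' \
    '## Please create and add modifications to the following file instead:' \
    '## /usr/local/etc/doas.d/50_user.conf' \
    "$DOAS_GEN_MARKER '${BASH_SOURCE:-$0}' at APT package installation time (a dpkg trigger)."
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*.conf; do
      [ -f "$f" ] || continue        # unmatched glob or non-regular file
      printf '\n## %s\n' "$f"
      cat -- "$f"
    done
  done
}

# Write the assembled configuration to TARGET. If TARGET exists but lacks the
# marker it is treated as a hand-written file: warn and return 1 without
# touching it. The new content is built in a temporary file next to TARGET and
# renamed into place, so readers never observe a partially written doas.conf.
# Usage: doas_conf_install TARGET DIR...
doas_conf_install() {
  local target="$1" tmp
  shift
  if [ -e "$target" ] && ! grep -qF -- "$DOAS_GEN_MARKER" "$target"; then
    printf 'WARNING: %s exists and was not auto-generated; leaving it untouched.\n' "$target" >&2
    return 1
  fi
  tmp=$(mktemp "$target.XXXXXX")
  doas_conf_build "$@" > "$tmp"
  chmod 0600 -- "$tmp"             # doas refuses a config writable by group or other
  mv -f -- "$tmp" "$target"        # rename(2): atomic replacement
}

# Intended dpkg-trigger invocation (assumed paths); run as root:
#   doas_conf_install /etc/doas.conf /etc/doas.d /usr/local/etc/doas.d
```

The marker check is what makes the dpkg trigger safe to re-run: a file the script wrote earlier is regenerated, a file an administrator wrote by hand is reported and kept.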
<pre>
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
</pre>
* Superseded by sudoless mode, moved to backlog
== doas - add to security-misc permission hardener whitelist ==
* todo
* Superseded by sudoless mode, moved to backlog
== doas - create /etc/doas.d configuration snippets ==
* add /etc/doas.d configuration snippets to the various packages needing these
* if possible, pending discussion in https://forums.whonix.org/t/replace-sudo-with-doas/17482/19 for review of sudoers.d snippets by upstream
* Superseded by sudoless mode, moved to backlog
== bootloader password ==
* https://forums.kicksecure.com/t/harden-grub-bootloader-using-bootloader-password/723
== vm-config-dist re-installs same version ==
* Why does a freshly built ova image attempt to upgrade vm-config-dist, even though it is already the latest version?
* https://download.kicksecure.com/ova/17.2.7.8/
* please investigate
<pre>
[user ~]% dpkg -l | grep vm-config
ii  vm-config-dist  3:10.5-1  all  usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^C
zsh: exit 130   upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: {{Github_link|repo=vm-config-dist}}
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for operating systems that are run inside VMs. There is no real display that could be saved and no real power that could be saved. From usability perspective it also is counter intuitive when looking at the VM window and only seeing a black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
 * Creates a folder `/mnt/shared` with `chmod 777`, adds a group "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of shared folders.
 .
 * Helps using shared folders with VirtualBox and KVM a bit easier (as in requiring fewer manual steps from the user).
 .
 * `/lib/systemd/system/mnt-shared-vbox.service`
 * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM. Workaround for low screen resolution 1024x768 at first boot. When using lower screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package `virtualbox-guest-additions-iso` is installed if environment variable `dist_build_virtualbox=true` or if running inside VirtualBox. (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34

Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
 /etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
 /etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
 /etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
 /etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
 /etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
 /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for operating systems that are run inside VMs. There is no real display that could be saved and no real power that could be saved. From usability perspective it also is counter intuitive when looking at the VM window and only seeing a black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
 * Creates a folder `/mnt/shared` with `chmod 777`, adds a group "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of shared folders.
 .
 * Helps using shared folders with VirtualBox and KVM a bit easier (as in requiring fewer manual steps from the user).
 .
 * `/lib/systemd/system/mnt-shared-vbox.service`
 * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM. Workaround for low screen resolution 1024x768 at first boot. When using lower screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package `virtualbox-guest-additions-iso` is installed if environment variable `dist_build_virtualbox=true` or if running inside VirtualBox. (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: {{Github_link|repo=vm-config-dist}}

[user ~]%
</pre>
* SHA256 is OK and matches my locally built package.
<pre>
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
</pre>
* The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
<pre>
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...

# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
</pre>
* I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it, I can redo the build and check it if desired.
== str_replace utf-8 bug ==
<pre>
str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
  File "/usr/bin/str_replace", line 49, in &lt;module&gt;
    main()
  File "/usr/bin/str_replace", line 26, in main
    file_data = source_fh.read()
                ^^^^^^^^^^^^^^^^
  File "&lt;frozen codecs&gt;", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
</pre>
* Low-priority, could be difficult to fix.
== Qubes graphical-session.target missing bug ==
* Which source code file enables the systemd graphical-session.target target on Debian?
* https://github.com/QubesOS/qubes-issues/issues/9576
* Patrick: msgcollector now starts the systemd unit from /etc/xdg/autostart, that is good enough.
== add date and time detection to archive.today frontend ==
* This is necessary for the next task.
* If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
* (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
* We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.
== mediawiki bot setup ==
* no wiki mass editing required for now
* will be required for mediawiki mass editing
* https://www.kicksecure.com/wiki/Special:BotPasswords
* https://www.kicksecure.com/wiki/Special:BotPasswords/botname
* https://www.whonix.org/wiki/Special:BotPasswords
* https://www.whonix.org/wiki/Special:BotPasswords/botname
* note: replace <code>botname</code> with actual name of bot
== rootless X11 ==
* only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
* Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.
== power9 RAM encryption research ==
* todo
== auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing ==
* https://github.com/dracutdevs/dracut/issues/2589
* if doable with reasonable effort please send a pull request to dracut-'''ng'''
* Pull request: https://github.com/dracut-ng/dracut-ng/pull/694
* update: as discussed, low priority if effort is too high
== dracut add support for undeclared CDLABEL ==
as discussed
== live-build - Retry button in derivative-maker doesn't work ==
* low priority, move to backlog please
== live-build - remove trailing spaces ==
* can be done when upstream review queue of live-build has more room
= Footnotes =
{{Footer}}