{{Header}} {{title|title= Progress Reports 1 }} {{#seo: |description=Overview on the continuous progress for Kicksecure (and Whonix) with individual specific contributions for content, research, implementation etc |image=Page-progress-reports-thumb.jpg }} {{devwiki}} {{about_mininav}}
-n and --natural-scrolling switches to kloak to allow enabling natural scrolling.
=== anon-ws-disable-stacked-tor AppArmor fix, attempt #2 ===
Date: 2025-10-02
Simply shipping Tor's /etc/apparmor.d/abstractions/tor file in anon-ws-disable-stacked-tor didn't end up working, because it complicated upgrades from Whonix-Workstation 17 to Whonix-Workstation 18 due to Tor being incorrectly pre-installed on Whonix-Workstation 17. Now, we're just touching the file if it doesn't exist in the postinst of anon-ws-disable-stacked-tor. This could still backfire if Tor is removed from Whonix-Workstation 17 during an upgrade or later... this code may need to move somewhere else.
=== Further research on kloak-wl split ===
Date: 2025-10-02
Did research into passing file descriptors between processes and communication between the core and adapter process. Also realized that the main advantage of the split (hiding biometric data from the Wayland adapter) was not actually possible. Discussed with Patrick, we likely do not want to spend the effort needed to sandbox kloak further right now.
=== browser-choice logic fixes for privileged operations ===
Date: 2025-10-02
browser-choice was incorrectly refusing to allow new applications to be installed even when run as root in a Qubes OS template, if that template was not booted in sysmaint mode. Fixed that issue and some related logic issues.
=== Notify Patrick of missing commits for Whonix 18 Qubes template builds ===
Date: 2025-10-02
Prepared to attempt another Whonix 18 template build but discovered that the needed code was not yet pushed. Notified Patrick, this is now fixed.
== 2025-10-01 ==
=== Comment on tirdad hardening issue on GitHub ===
Date: 2025-10-01
Did research, determined that adding additional hardening flags to tirdad was likely not worth it and could even be detrimental. Commented this rationale on the corresponding GitHub issue.
=== More work on pcmanfm-qt Qubes integration ===
Date: 2025-10-01
Fixed remaining CI failures, tested code on Whonix-Workstation 18 with good results.
== 2025-09-30 ==
=== Work on pcmanfm-qt Qubes integration ===
Date: 2025-09-30
Made several adjustments to the pcmanfm-qt changes in qubes-core-agent-linux at Marek's suggestion. Still need to locally build and test the patches before considering them ready for merge.
=== Continued kloak sandboxing work ===
Date: 2025-09-30
Started trying to permit access to /dev/shm within the Wayland adapter component of the split version of kloak. Researched user namespace behavior and added some sample code and notes for future development.
=== Debug labwc keyboard layout broadcast bug ===
Date: 2025-09-30
Tested a suggested labwc from one of the labwc developers, found and researched remaining issues, and reported back the results.
== 2025-09-29 ==
=== Debug kloak issues with labwc keyboard layout changes ===
Date: 2025-09-29
Discovered that labwc was not reporting keyboard layout changes at all, thus why kloak was not ever getting keyboard layout change notifications. Filed a bug report with upstream labwc.
=== Don't offer to start browsers in Qubes TemplateVMs with browser-choice ===
Date: 2025-09-29
Added some code to browser-choice to skip offering to launch the newly installed browser if running under a TemplateVM.
=== Dynamic labwc resolution resizing tests ===
Date: 2025-09-29
Answered a question from the labwc developers about behavior of labwc under VBox vs. QEMU. Found that behavior I thought was occurring (with screen size changes being reported) was not actually occurring as I thought.
=== Test to see if unshare could be used to circumvent ptrace restrictions ===
Date: 2025-09-29
Discovered that not only could I not bypass ptrace restrictions using unshare, it actually added additional restrictions beyond the normal ones. Added this info to a security-misc bug report suggesting that we tighten ptrace restrictions further.
=== Attempt to fix curl-wrapper-induced issues with Whonix-Workstation Qubes template build again ===
Date: 2025-09-29
My previous fix for this failed because a notice wasn't being redirected to stderr. Figured out what was happening, created and pushed a fix.
=== Fix FDE check code ===
Date: 2025-09-29
Previously our disk encryption checking code just checked to see if any encrypted disks were present on the system, and reported that full disk encryption was enabled if so. Now we look to see if / or /home are located on encrypted volumes, and report that.
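The difference between the two checks described above, as an added example (not the project's own code). It assumes the block device tree is available as <code>lsblk --json -o NAME,TYPE,MOUNTPOINTS</code> output; the sample trees are constructed and the function names are hypothetical.

```python
import json

# Constructed samples of `lsblk --json -o NAME,TYPE,MOUNTPOINTS` output
# (not taken from a real machine).

# Plain root filesystem, plus an unrelated encrypted backup disk.
PLAIN_ROOT = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/"]}]},
  {"name": "sdb", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sdb1", "type": "part", "mountpoints": [null], "children": [
      {"name": "backup_crypt", "type": "crypt", "mountpoints": ["/mnt/backup"]}]}]}
]}
""")

# / and /home are logical volumes on top of one dm-crypt mapping.
ENCRYPTED_ROOT = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot"]},
    {"name": "sda2", "type": "part", "mountpoints": [null], "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoints": [null], "children": [
        {"name": "vg-root", "type": "lvm", "mountpoints": ["/"]},
        {"name": "vg-home", "type": "lvm", "mountpoints": ["/home"]}]}]}]}
]}
""")

# Plain root, separately encrypted /home.
HOME_ONLY = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/"]},
    {"name": "sda2", "type": "part", "mountpoints": [null], "children": [
      {"name": "home_crypt", "type": "crypt", "mountpoints": ["/home"]}]}]}
]}
""")


def walk(nodes, under_crypt=False):
    """Yield (node, encrypted); encrypted is True when the node itself or
    any ancestor in the device tree is a dm-crypt mapping."""
    for node in nodes:
        enc = under_crypt or node.get("type") == "crypt"
        yield node, enc
        yield from walk(node.get("children", []), enc)


def any_crypt_present(tree):
    """The old style of check: is there an encrypted device anywhere?"""
    return any(n.get("type") == "crypt" for n, _ in walk(tree["blockdevices"]))


def mount_encryption_map(tree):
    """Map each mount point to whether the device providing it is encrypted."""
    mounts = {}
    for node, enc in walk(tree["blockdevices"]):
        for mp in node.get("mountpoints") or []:
            if mp:
                # If a mount point is listed under several parents, it only
                # counts as encrypted when every one of them is.
                mounts[mp] = mounts.get(mp, True) and enc
    return mounts


def backing_mount(path, mounts):
    """Longest mount point that contains path, or None if none is listed."""
    candidates = [m for m in mounts
                  if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(candidates, key=len, default=None)


def fde_status(tree, paths=("/", "/home")):
    """The new style of check: per path, is its backing volume encrypted?
    None means the path's filesystem is not in the lsblk tree at all."""
    mounts = mount_encryption_map(tree)
    status = {}
    for path in paths:
        mount = backing_mount(path, mounts)
        status[path] = mounts[mount] if mount is not None else None
    return status


if __name__ == "__main__":
    for name, tree in (("plain root", PLAIN_ROOT),
                       ("encrypted root", ENCRYPTED_ROOT),
                       ("home only", HOME_ONLY)):
        print(name, "| any crypt device:", any_crypt_present(tree),
              "| per path:", fde_status(tree))
```

On the first sample the presence-only check reports encryption even though neither / nor /home is protected, which is the false positive the per-path check avoids.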
== 2025-09-28 ==
=== Document clipboard sharing issues and workarounds ===
Date: 2025-09-28
Enhanced the shared clipboard documentation for VirtualBox and KVM. Also tested the suggested KVM workaround and ensured it functioned as expected.
=== Extensive bug fixing in preparation for Kicksecure 18 release ===
Date: 2025-09-28
Found, fixed, and tested fixes for many remaining bugs. Filed upstream bug reports, collaborated with Patrick on fixing packaging issues.
== 2025-09-27 ==
=== Misc fixes, Kicksecure 18 Qubes template build ===
Date: 2025-09-27
Found and documented a number of minor issues that need resolved prior to Kicksecure/Whonix 18's release. Built a test Kicksecure 18 template, installed it, and tested its functionality lightly.
== 2025-09-26 ==
=== Discuss shared clipboard issues ===
Date: 2025-09-26
Right now there is no working shared clipboard solution for Wayland. Discussed some possible solutions with Patrick, for now we're going to recommend using a shared folder when needing to copy data between the host and the guest. Patrick also discovered that spice-vdagent is not unmaintained after all, so there may be hope for it to be fixed later and we may be able to fix it.
=== Fix various issues with Kicksecure 18 on Qubes OS ===
Date: 2025-09-26
Created qubes-core-agent-pcmanfm-qt and submitted it upstream for preliminary review (there are some issues with it that need discussion). Fixed a couple other bugs at the same time.
== 2025-09-25 ==
=== Harden C code throughout Kicksecure ===
Date: 2025-09-25
Documented C hardening flags and ensured they were used by kloak, sclockadj, emerg-shutdown, and bindp. Made adjustments to the code as necessary to make it compile without warnings (kloak is still emitting some warnings from code autogenerated by wayland-scanner though).
=== Switch image viewer to loupe in Kicksecure 18 ===
Date: 2025-09-25
We decided to switch from lximage-qt to loupe because loupe uses Glycin, which is written in Rust and sandboxed, thus it is likely to be much more secure than lximage-qt and might even be safer than using a web browser as an image viewer.
== 2025-09-24 ==
=== Finish adding additional hardening flags to kloak ===
Date: 2025-09-24
kloak now uses a much more exhaustive set of warnings and flags to improve security. Compilation passes without warnings except for a couple of warnings from autogenerated code. These flags should be carried over to the rest of our C code ideally.
=== Debug, fix disk paths being used in lieu of UUIDs in grub.cfg ===
Date: 2025-09-24
Discovered that Kicksecure bootup was flaky on a multiboot system. This turned out to be because UUIDs weren't being used in grub.cfg. Found the problematic configuration and fixed it.
=== Debug, fix sysmaint autologin failure on physical hardware ===
Date: 2025-09-24
After much debugging, discovered that labwc needs more time to initialize when running with Intel accelerated graphics than when using software rendering. Increasing the duration of a sleep statement in the code fixed the issue.
== 2025-09-23 ==
=== Wired connectivity test with Kicksecure 18 NetVM ===
Date: 2025-09-23
Installed Qubes OS on a machine with wired networking, and tested how Kicksecure 18 worked as a NetVM in this scenario. Worked great, documented test results.
== 2025-09-22 ==
=== Debug inability to set display brightness under Kicksecure 18 ===
Date: 2025-09-22
Verified that the brightness keys and controls do not work on Kicksecure 18 at the moment, and researched what would be necessary to get them working.
=== Investigate, file bug report for upgrading Kicksecure and Whonix Qubes templates to Whonix 18 ===
Date: 2025-09-22
Filed a tracking bug report on the Qubes OS bug tracker so that we can get Whonix 18 templates into Qubes R4.3. Started discussion on the topic with Marek.
=== Add wpasupplicant dependency to Kicksecure baremetal and Qubes ===
Date: 2025-09-22
This will enable using Kicksecure as a NetVM out of the box.
== 2025-09-21 ==
=== Research additional hardening and warning flags for our C code, start applying them to kloak ===
Date: 2025-09-21
Read through the GCC manpage to find additional warnings to enable. Also searched for more hardening flags we could add and added them. Started making the needed changes to kloak to get rid of all possible warnings.
=== Fix broken updates on Whonix 18 under Qubes OS ===
Date: 2025-09-21
Discovered that apt was unable to install software updates on Whonix-Gateway and Whonix-Workstation. Found the root cause (the new curl wrapper was unable to resolve loopback addresses) and fixed it.
=== Test Kicksecure 18 NetVM on Qubes R4.3 ===
Date: 2025-09-21
Verified that Kicksecure 18 was usable as a NetVM (there was one unexpected missing package needed for wireless network connectivity, wpasupplicant). Tested Internet speeds and verified that the speed was comparable to using Debian 13 as a NetVM directly.
=== Review security-misc split ===
Date: 2025-09-21
Looked through the changes Patrick made to security-misc to split it into shared, desktop, and server packages. Made changes throughout the codebase to account for the split.
=== Merge Qubes-Whonix metapackages with new metapackage structure ===
Date: 2025-09-21
Removed all extra metapackages from Qubes-Whonix and merged them into our new metapackage structure.
=== Review, fix several issues with Qubes-Whonix metapackages ===
Date: 2025-09-21
Looked through two lists of newly installed packages Patrick extracted from upgrading Qubes-Whonix machines. Found some issues and fixed them.
=== Request review for kloak v2 beta implementation ===
Date: 2025-09-21
Posted a link to the new kloak v2 location on the forums and asked for review from vmonaco.
== 2025-09-20 ==
=== Fix remaining known kloak v2 UX issues ===
Date: 2025-09-20
Prevented kloak from attempting to start until a Wayland session starts for the first time. Also made it so that one can switch to a TTY without spamming the log with kloak restart events.
== 2025-09-19 ==
=== Collect Qubes OS tickets that need to be fixed for Whonix in-vm kernel support ===
Date: 2025-09-19
Added a task for Whonix in-vm kernel support in Qubes OS and collected blocker tickets underneath it. This will be worked on after the Trixie port.
=== kloak v2 sandbox code review with ChatGPT ===
Date: 2025-09-19
Significantly improved the sandbox for kloak v2's Wayland adapter executable with the help of ChatGPT. Hopefully the sandbox shouldn't need any further changes at this point.
== 2025-09-18 ==
=== kloak v2 split development ===
Date: 2025-09-18
Wrote a prototype of the initial sandboxing code for kloak v2. Further work remains to be done on it; once it's complete, functional code can be added to it.
=== Research IPv6 static configuration for Whonix-Gateway, write IPv6 documentation for Whonix ===
Date: 2025-09-18
Created a wiki page documenting the state of IPv6 support on Whonix and how to enable it in various hypervisors. Also attempted to see if we could get Whonix-Gateway to use static IPv6 configuration on the Internet-facing interface; unfortunately, this did not appear possible without using different configuration on VirtualBox and KVM.
== 2025-09-17 ==
=== Research splitting kloak into multiple executables ===
Date: 2025-09-17
Looked into what was necessary to split the Wayland handling code out of the core kloak binary, what approach should be taken for communication between the two executables, and how to sandbox the Wayland-side executable. Started writing kloak-wl, the Wayland adapter for kloak v2.
=== Update Dev/ipv6 documentation for Whonix ===
Date: 2025-09-17
Updated several spots in the development IPv6 documentation to reflect better the current state of IPv6 support in Whonix and the hypervisors we support.
=== Tie up loose ends in IPv6 enablement ===
Date: 2025-09-17
Merged a new Tor preparation service in anon-gw-anonymizer-config into an existing service. Verified that whonix-firewall apt trigger was likely unnecessary.
== 2025-09-16 ==
=== Finish with IPv6 enablement ===
Date: 2025-09-16
Finished all remaining work on the IPv6 task, except for Qubes OS IPv6 DNS. Split the DNS ticket to a new task and scheduled it after the release of Whonix 18 since it's too late for IPv6 to be enabled by default in R4.3, we can document how to enable IPv6 until R4.4 (or R5.0) is released, and Whonix 18's release is time-critical.
== 2025-09-15 ==
=== IPv6 testing and fixing for Qubes OS ===
Date: 2025-09-15
Tested Qubes-Whonix IPv6 support, found and fixed some bugs, made notes on other bugs, discussed other issues that will eventually need fixed. Main blocker at this point is getting Tor to work even when IPv6 is disabled.
== 2025-09-14 ==
=== Fix several more IPv6-related bugs ===
Date: 2025-09-14
Fixed outgoing IPv6 connectivity in Tor, and found several more issues in the code that needed fixed. Pushed fixes, Patrick has merged them.
== 2025-09-13 ==
=== Testing and fixup of newly merged IPv6 code ===
Date: 2025-09-13
Re-reviewed much of the merged IPv6 code, did some testing and bugfixing on it.
== 2025-09-12 ==
=== Add usbguard-notifier to Kicksecure 18 ===
Date: 2025-09-12
Added usbguard-notifier to Kicksecure 18 to be installed by default. Added configuration to security-misc so that it works out of the box.
=== kloak v2 ChatGPT code review, more hardening planning ===
Date: 2025-09-12
Used ChatGPT to find some bugs and issues in kloak v2 and fix them. Planned how to split kloak v2 into a Wayland adapter and input-processing core to get libwayland-client out of the security-critical part of the codebase.
== 2025-09-11 ==
=== Improve sandboxing on kloak v2 further ===
Date: 2025-09-11
Finished splitting out compositor autodetection into a Python script. Reworked the kloak sandboxing measures (both systemd-based and AppArmor-based), the sandbox is now substantially tighter than previously.
== 2025-09-10 ==
=== Remove libudev dependency from kloak v2, start hardening compositor detection ===
Date: 2025-09-10
Replaced libudev with inotify in kloak v2, which should reduce how many permissions kloak needs. Also started reimplementing the compositor autodetect mechanism in Python so all the complex string parsing it does can be made memory-safe.
== 2025-09-09 ==
=== Set up kloak v2 sandboxing, more bugfixes and improvements ===
Date: 2025-09-09
The core kloak binary is in large part fully functional at this point. More hardening is necessary, as is configuration file support.
== 2025-09-08 ==
=== Get Wayland compositor autodetection mostly working in kloak v2 ===
Date: 2025-09-08
The routine for detecting the compositor in use is now finally working (at least for the most part, it needs tested more thoroughly). Also added the ability to customize the mouse cursor color via a command line switch (which will eventually allow configuring things via config files, but that will require a wrapper shell script).
=== Fix Xfce-specific metapackage transition ===
Date: 2025-09-08
The recent metapackage refactoring incorrectly didn't have any Breaks/Replaces against the old Xfce-specific metapackages. Added those so that upgrades work.
== 2025-09-07 ==
=== Start adding Wayland compositor autodetection to kloak v2 ===
Date: 2025-09-07
In order to allow kloak v2 to run as root as a system service, it needs to be able to find the correct Wayland compositor and connect to it. This turns out to be very difficult to do, but appears possible. Wrote a lot of the code needed to do this.
=== Resolve dependency resolution issues in Trixie ===
Date: 2025-09-07
Removed either/or dependencies from our metapackages and reworked our dummy-dependency package so that apt resolves dependencies in a more correct way. Built a Kicksecure 18 LXQt VirtualBox image and compared its packages to a Kicksecure 17 Xfce VirtualBox image to see if the changes generally worked (they do appear to be working).
== 2025-09-06 ==
=== Research how to get the kloak v2 service working properly ===
Date: 2025-09-06
The new way kloak v2 works compared to the original presents some unique challenges when it comes to using multiple user accounts or Wayland compositors on the same system. Started work on figuring out which Wayland compositor to connect to when kloak v2 is launched as root and how to allow user switching and TTYs to work.
=== Finish getting Flameshot working ===
Date: 2025-09-06
Flameshot now installs without problems and functions normally.
== 2025-09-05 ==
=== Work on getting Flameshot to work on Kicksecure 18 ===
Date: 2025-09-05
I discovered that Screengrab does not work on LXQt 2.1 with Wayland, meaning there's no working screenshot utility in Kicksecure. Flameshot looks like a good alternative, but doesn't work out of the box. Did a bunch of work to make it function correctly.
=== Look into suggested metapackage changes for Kicksecure and Whonix on Qubes OS ===
Date: 2025-09-05
Determine which changes looked helpful, which ones would not be helpful, and which ones needed more discussion. Implemented many of the changes.
== 2025-09-04 ==
=== Update pvgrub pull request in Qubes OS ===
Date: 2025-09-04
Updated the upstream PR and retested it in PVH mode on Qubes R4.3.
=== Continued debugging and improvement of kloak v2 ===
Date: 2025-09-04
Found and fixed many remaining issues in kloak v2. Builds no longer return warnings, a segfault issue was fixed, and some additional TODOs were added.
=== More metapackage fixing ===
Date: 2025-09-04
Moved a labwc dependency to a different location, and helped diagnose a package installation failure due to a version dependency mismatch between helper-scripts and usability-misc.
== 2025-09-03 ==
=== Bugfixing and hardening of kloak v2 ===
Date: 2025-09-03
Fixed a couple of serious bugs in kloak v2. Also started fixing a bunch of type conversion warnings and attempted to make all forms of integer overflow fatal as a hardening measure.
== 2025-09-02 ==
=== Finish comparing lists of packages from Kicksecure and Whonix images ===
Date: 2025-09-02
Comparison is finished, fixed several problems with packages being located in the wrong metapackage.
=== Fully prepare lxqt-wayland-session for integration into Kicksecure ===
Date: 2025-09-02
Found and fixed a number of problems in lxqt-wayland-session's packaging and one issue in genmkfile.
== 2025-09-01 ==
=== Package comparison, issue discussion ===
Date: 2025-09-01
Compared package lists from the Kicksecure CLI and GUI VirtualBox images from Kicksecure 17 and Kicksecure 18 to each other. Discovered several issues in the process, discussed them with Patrick. Fixed some issues, made notes for fixing others.
== 2025-08-31 ==
=== Begin building all Kicksecure and Whonix images for doing a package comparison ===
Date: 2025-08-31
Downloaded all non-Qubes variants of Kicksecure and Whonix, installed them, and began extracting package lists from them. Also started building all Kicksecure and Whonix 18 images from source, fixing issues as they pop up and installing and getting package lists from the built images.
=== Fix apparmor sandboxing on kloak v2, create fixme list ===
Date: 2025-08-31
Made a list of next steps for getting kloak v2 ready for production use, and also got it to work properly with AppArmor.
=== Get release-upgrade script to handle metapackage restructure ===
Date: 2025-08-31
legacy-dist's release-upgrade script should now detect which main metapackage the system needs and should install it during an upgrade, replacing old metapackages as appropriate.
=== Commit and push initial kloak v2 code ===
Date: 2025-08-31
Got a kloak-v2 branch made for Trixie's kloak repository, and added the kloak v2 code to it. Got the package to build Lintian-clean.
=== Disable kvm's enable_virt_at_load feature via usability-misc and dist-installer-cli ===
Date: 2025-08-31
Researched what was necessary to get VirtualBox working right with 6.12+ kernels (namely, setting kvm.enable_virt_at_load=0), and integrated it into our codebase. Also filed a VirtualBox bug asking Oracle to set the same option in their packaging.
== 2025-08-29 ==
=== Upgrade kloak to kloak version 2 ===
Date: 2025-08-29
Started replacing the kloak code in our main kloak repository with the version 2 code I wrote previously. Still work-in-progress as this requires changes to services, updates to documentation, etc.
=== Create transitional package for tb-default-browser ===
Date: 2025-08-29
Followed Debian's instructions on how to create a transitional package for tb-default-browser, and wrote down notes for Patrick to be able to remove the original package from our archive.
=== Finish preparing metapackages, fix miscellaneous bugs ===
Date: 2025-08-29
Fixed a bunch of known issues both that I noticed and that Patrick noticed. Finished getting the metapackages ready to merge, and pushed them.
== 2025-08-28 ==
=== Audit metapackages, fix several bugs ===
Date: 2025-08-28
Fixed several known issues in the Trixie port of Kicksecure. Also audited all metapackages and moved a lot of dependencies to other metapackages as appropriate. Will be doing some further testing before finally pushing everything.
== 2025-08-27 ==
=== Further polish on metapackages, attempt initial builds of Kicksecure and Whonix with new metapackages ===
Date: 2025-08-27
The initial builds mostly look good, some packages are getting incorrectly installed on Whonix but that should just be a matter of reorganizing which packages go in which metapackages.
== 2025-08-26 ==
=== Development on metapackage helper script ===
Date: 2025-08-26
Added dm-metapackage-helper to developer-meta-files. The script is in a mostly usable state, there are some issues that still need taken care of but most of its features are complete. Also started porting the metapackages to the new format defined in Dev/metapackages.
== 2025-08-25 ==
=== USBGuard discussion, metapackage restructuring work ===
Date: 2025-08-25
Wrote most of a script for managing the Kicksecure and Whonix metapackages. Also discussed USBGuard-related concerns on the Kicksecure forums and the Qubes OS mailing list.
=== Fix release-upgrade noninteractive behavior, move dpkg-noninteractive ===
Date: 2025-08-25
Made it so that legacy-dist's release-upgrade script will operate in non-interactive mode if DEBIAN_FRONTEND=noninteractive is set in the environment. Also moved dpkg-noninteractive from usability-misc to helper-scripts.
== 2025-08-24 ==
=== Research restructuring metapackages ===
Date: 2025-08-24
Attempted to implement the system documented on Dev/metapackages for Kicksecure's and Whonix's metapackages. Discovered that the two most straightforward ways of doing this had serious downsides that were best avoided. Discussed with Patrick and created a new, better plan that should be a lot more efficient and less verbose.
== 2025-08-23 ==
=== Finish removing initramfs-tools support from Kicksecure ===
Date: 2025-08-23
Dracut is now the only supported initramfs management system in my arraybolt3/trixie branches.
=== live-build MR work (policy-rc.d) ===
Date: 2025-08-23
Realized that some of my live-build merge requests had feedback on them that I had failed to respond to for multiple months due to being busy with other work. Attempted to get one of them (the policy-rc.d handling MR) into a usable state, however I discovered an issue with it that will need fixed before it's merge-ready. Dropped this task relatively quickly since it isn't high-priority, and was done mostly to keep a good relationship with upstream.
=== Submit discussion around USBGuard on Kicksecure forum and Qubes ML ===
Date: 2025-08-23
Asked both the Kicksecure and Qubes OS community for input on our USBGuard configuration.
== 2025-08-22 ==
=== Start removing initramfs-tools support ===
Date: 2025-08-22
Started removing almost all initramfs-tools-related code from the Kicksecure and Whonix codebases.
=== Work on optimizing memory usage of Qubes-Whonix ===
Date: 2025-08-22
Disabled memlockd in general, disabled emerg-shutdown on Qubes, replaced some sleep calls with a lower-memory alternative "light_sleep", and researched possible ways of reducing RAM consumption in sdwdate-gui and privleap.
=== Actually fix derivative-maker merge issue ===
Date: 2025-08-22
Patrick was able to successfully merge my fork of derivative-maker. Had to delete and recreate the arraybolt3/trixie branch without submodule updates to fix the issue.
== 2025-08-21 ==
=== Document USBGuard ===
Date: 2025-08-21
Documented what USBGuard does, what it should be used for, how to configure it, and how to disable and re-enable it.
=== Attempt to fix derivative-maker merge issue ===
Date: 2025-08-21
Re-merged all of Patrick's branches into my arraybolt3/trixie branches in an attempt to fix merge issues. This does not appear to have fully fixed the issue though, so I'll be re-cloning derivative-maker here and attempting to do the merge that way, fixing issues as I run into them.
=== Kicksecure LXQt testing, merge, cleanup ===
Date: 2025-08-21
Merged the LXQt branches into the arraybolt3/trixie branches for all relevant repositories. Did more testing, found and documented some more issues that will need resolved as time goes on (I'll make separate tasks for these).
== 2025-08-20 ==
=== Get an almost alpha-quality Kicksecure LXQt VirtualBox image built ===
Date: 2025-08-20
Most known issues with the Kicksecure VM build are now fixed and the desktop appears usable now. The sysmaint session is also working properly and now has a status panel. Whonix-Gateway failed to build for unknown reasons.
== 2025-08-19 ==
=== More Kicksecure LXQt porting ===
Date: 2025-08-19
Finally got a Kicksecure build with a recognizable desktop. There's still a lot of issues (sysmaint mode is broken for instance), but it's getting closer.
== 2025-08-18 ==
=== Kicksecure LXQt port bugfixes ===
Date: 2025-08-18
Found and fixed a bunch of bugs in the Kicksecure LXQt port. Many problems still remain, but the desktop is almost usable and much more well-behaved than the original port.
== 2025-08-17 ==
=== Create initial rough port of Kicksecure to Wayland + LXQt ===
Date: 2025-08-17
Successfully built a Kicksecure-LXQt VirtualBox image. The resulting image is far from daily-drivable and numerous issues were noted down during and after the porting process, but the basic proof of concept looks like it will work.
=== Research disabling "set as default browser" buttons in browsers offered by browser-choice ===
Date: 2025-08-17
Was able to get Firefox's requests to be set to the default browser to stop, but was not able to figure out how to configure Brave in the same way. Asked for help on the Brave forums and got a potentially helpful response.
=== More security-misc PR merging ===
Date: 2025-08-17
Merged in more contributions from raja-grewal.
=== Fix architectural issue with live-hardener's remount logic ===
Date: 2025-08-17
I originally wrote live-hardener assuming that mountpoints would show through overlayfs mounts. I was incorrect, and this resulted in issues on UEFI-based systems installed from the Kicksecure ISO. Reworked live-hardener significantly to fix this issue.
== 2025-08-16 ==
=== Merge tb-default-browser functionality into open-link-confirmation, research disabling default browser requests ===
Date: 2025-08-16
tb-default-browser should no longer be needed in Trixie. Also determined how to stop default browser popups from appearing in the latest version of Firefox so that people don't unintentionally override open-link-confirmation.
We might want to allow users to change what order open-link-confirmation considers browsers in, since right now it's just hardcoded to use an alphabetical order (thus someone with Brave and Firefox installed will always use Brave by default whether they like it or not).
=== Skip initramfs-specific code in grub.d scripts when using Dracut ===
Date: 2025-08-16
Added some conditionals to our grub.d scripts to skip initramfs-tools-specific code if initramfs-tools is not installed.
=== Respond to forum posts, switch Dracut to using hostonly sloppy mode in Trixie ===
Date: 2025-08-16
Added the needed configuration to Dracut to use hostonly sloppy mode by default. Also answered some forum posts, including bug reports.
== 2025-08-15 ==
=== More Xfce-on-Wayland investigation ===
Date: 2025-08-15
Found more issues with using Xfce with Wayland. Ultimately I think we need to use LXQt. Will wait for final confirmation from Patrick before beginning to port things to LXQt though.
=== Implement live mode notification when booting Kicksecure 18 in non-persistent modes ===
Date: 2025-08-15
If the user boots Kicksecure 18 in persistent mode, no notification will be displayed, but if they boot in live mode, a notification will be shown. This should help reduce user confusion.
=== More misc. Trixie port tasks, mostly merging security-misc PRs ===
Date: 2025-08-15
Merged a bunch of security-misc PRs into my arraybolt3/trixie branch of security-misc. Did some other cleanup at the same time.
== 2025-08-14 ==
=== Finish dist-installer-cli deb822 port, submit deb822 ports for review ===
Date: 2025-08-14
Finally got the deb822 code in dist-installer-cli to a functional state. Submitted it and the rest of the deb822 changes for review by pushing them to the tip of the appropriate repos' arraybolt3/trixie branches.
== 2025-08-13 ==
=== Refactor dist-installer-cli to support deb822 sources ===
Date: 2025-08-13
Haven't tested the new code yet, but it's pretty close to done. Had to completely rework how the pieces of each sources line were handled in order to support and deb822 formats. The current code retains support for the one-line format as well.
=== GRUB Xen command line patch version 5 ===
Date: 2025-08-13
Revised the GRUB patch for Xen command line parsing yet again, fully tested it and resubmitted it. The review process is taking a lot of back-and-forth but is gradually making progress.
== 2025-08-12 ==
=== Continued work on deb822 porting in derivative-maker and live-build ===
Date: 2025-08-12
Finally got the live-build deb822 code to work well enough to generate ISOs successfully with no one-line format files left after the build. Also got both VM and ISO builds of Kicksecure to work with derivative-maker using deb822 throughout. We're probably pretty close to this working.
=== Reply to latest review comments on GRUB patch for Qubes boot modes ===
Date: 2025-08-12
Daniel and Vladmir gave reviews on two different parts of the GRUB patch. Replied to both of them.
=== Reply to bug reports for Kicksecure/Whonix 17.4.4.6 ===
Date: 2025-08-12
We got a couple of bug reports from users who misunderstood how some of our features were intended to work and thought they were bugs. Replied to both forum posts.
== 2025-08-11 ==
=== Add deb822 sources format support to upstream dependencies of derivative-maker ===
Date: 2025-08-11
Both grml-debootstrap and live-build need to support deb822 sources files for us to switch entirely to deb822 for Trixie. Neither of them already do however. Filed a PR for grml-debootstrap on GitHub, tested and working. Also filed a draft MR for live-build, this one isn't entirely working yet but a lot of the work has been done.
== 2025-08-10 ==
=== Misc Trixie port work ===
Date: 2025-08-10
Did a lot of little fixes on the Trixie port codebase. Also started work porting everything to using the new deb822 sources format for apt (this will require changes to live-build and grml-debootstrap to fully finish).
=== Debug VM RCU stalls on Windows 11 + VirtualBox ===
Date: 2025-08-10
Determined that Hyper-V was indeed the reason our Whonix and Kicksecure virtual machines were experiencing hangs during bootup on Windows 11, determined how to reproduce the issue reliably, found that the existing documented workaround didn't work, and reported back both a working workaround and an actual solution (how to disable Hyper-V).
== 2025-08-09 ==
=== Fix live-hardener running in ISO live mode, fix and disable emerg-shutdown on Bookworm ===
Date: 2025-08-09
live-hardener was running in ISO live mode when it wasn't supposed to. It is now disabled if ISO live mode is detected.
On top of that, emerg-shutdown was getting confused into thinking that /dev/sr0 had been ejected when it hadn't, which was killing the Kicksecure installation process in VirtualBox. I added a fix for the bug itself (untested), but also disabled emerg-shutdown on Bookworm entirely since it's not mature enough yet.
== 2025-08-08 ==
=== Begin sdwdate refactoring ===
Date: 2025-08-08
The short-term goal is to add type hinting throughout the codebase so it passes mypy, and remove classes since they're used inconsistently and in confusing ways. Many of the Python files now have type hints added, but there's still a decent amount left that needs to be hinted and refactored.
== 2025-08-07 ==
=== Integrate SSH configuration into Trixie port ===
Date: 2025-08-07
Added SSH configuration files to the arraybolt3/trixie branch of security-misc, and integrated a warning about those files into legacy-dist's release-upgrade script. Also tested to ensure a Kicksecure 18 VM could SSH into another Kicksecure 18 VM with the new default SSH config.
=== More sdwdate code reading, discover bug preventing fixing of very slow clocks ===
Date: 2025-08-07
Read through some of the anondate-related code, got a better understanding of the security guarantees when working with Tor consensus and certificate lifetime, and found a bug where anondate-get was unintentionally discarding all output from an anondate command used for determining the approximate current time. Submitted a bug fix.
== 2025-08-06 ==
=== Research three finger salute concepts, implementation strategy, and issues ===
Date: 2025-08-06
Wrote down some notes about how to implement a secure attention key handler in emerg-shutdown, how the handler would behave, why it would be advantageous, and what limitations it would need to overcome to function properly. Will likely start implementing it once Wayland is working in Trixie (since currently greetd + wlgreet is a critical component of the design).
=== Implement more emerg-shutdown improvements ===
Date: 2025-08-06
Implemented "paranoid mode" (untested), initramfs integration, hardened GCC compile options, and changed the default panic key to Ctrl+Alt+End.
=== Fix privleap regression tests and failing systemd units in live mode ===
Date: 2025-08-06
Under Trixie, live mode breaks a couple of systemd services that aren't critical to the system's operation. Added files to grub-live to disable those units in live mode. Also debugged regression test failures in privleap under Trixie and solved them (they were mostly caused by an improperly built test environment and some benign environment variable differences). Also got black, mypy, and pylint to pass when analyzing privleap.
== 2025-08-05 ==
=== Prepare for review of initial Trixie port alpha ===
Date: 2025-08-05
The Trixie port isn't ready for a stable release, and won't be for a while longer since we have substantial features we want to implement, but it is ready for branches to be reviewed. Hopefully this means we will be able to start reviews and alpha testing soon.
== 2025-08-04 ==
=== Rework GRUB Xen command line parsing patch after review ===
Date: 2025-08-04
Made several changes to the Xen command line parsing patch after a review from Daniel Kiper. Also fixed a bug I noticed while reading through and replying to the review notes. Fully retested the patch, and sent a new version with all requested changes made.
== 2025-08-03 ==
=== Continue developing Trixie port ===
Date: 2025-08-03
Fixed all remaining known issues with both Kicksecure and Whonix Trixie builds (and unfortunately discovered a couple of new issues in the process). So far amd64 ISO, VBox, and KVM builds appear to work. Have not yet tested cross-builds, and have not yet tested Qubes builds (those will have to wait until after we have packages available at least in trixie-developers).
=== emerg-shutdown improvements ===
Date: 2025-08-03
Made emerg-shutdown and ensure-shutdown start earlier in the boot process, and added an example systemd unit for blocking shutdown, useful for verifying that ensure-shutdown works. This ended up requiring a lot more fiddling with systemd than expected, but did end up working.
=== Reply to Daniel Kiper's review of GRUB Xen command line parsing patch ===
Date: 2025-08-03
Daniel replied to the patch I sent with some review notes. Wrote an in-depth reply, noting some places where I disagreed on things and also noting down a possible problem with double NUL-termination of a string. This will be used when writing the next iteration of the patch.
== 2025-08-02 ==
=== File Dracut feature request for overlayfs size customization ===
Date: 2025-08-02
Requested the addition of a kernel parameter to Dracut that will allow customizing the size of the writable tmpfs overlay in live mode.
== 2025-08-01 ==
=== More trixie port bugfixes ===
Date: 2025-08-01
Fixed a bunch more issues discovered during the Trixie port. Shared the list of current known issues with Patrick, and pushed all code to arraybolt3/trixie branches in my forks of all Kicksecure and Whonix repos.
== 2025-07-31 ==
=== Trixie port refinement ===
Date: 2025-07-31
Got a Kicksecure ISO and a pair of Whonix KVM virtual machines to build. Identified and fixed several UI and functionality issues. Still quite a bit of work left before things are done.
== 2025-07-30 ==
=== Start porting Kicksecure to Trixie ===
Date: 2025-07-30
Attempted to get a Trixie-based build of the Kicksecure ISO to function properly. Didn't get a build to work yet, but got many, many issues fixed.
== 2025-07-29 ==
=== Add flatpak updating to upgrade-nonroot ===
Date: 2025-07-29
Made it so that running upgrade-nonroot would update flatpaks as well as apt packages. This should prevent users from ending up in a mess if they choose to install their web browser via Flatpak.
=== Create permanent shared folder shortcut for Thunar ===
Date: 2025-07-29
Used a GTK bookmark to add the VM shared folder to Thunar in vm-config-dist.
=== Implement stuck shutdown overriding in emerg-shutdown ===
Date: 2025-07-29
The feature is not enabled by default since it requires some tuning by the end user to get it working acceptably, but it exists and is now documented.
== 2025-07-28 ==
=== Test docker on Whonix-Workstation ===
Date: 2025-07-28
We received a report that Docker containers in Whonix-Workstation weren't able to reach the Internet even when configured to use Whonix-Gateway's Tor. I tested this and was not able to reproduce the issue.
=== Read sdwdate source code in preparation for refactor ===
Date: 2025-07-28
Read through the sdwdate code, to get an understanding of how it works and why it does things in specific ways. This should be the last bit of prep work needed before actually beginning to refactor sdwdate to add the features Patrick requested.
=== emerg-shutdown usability and reliability enhancements ===
Date: 2025-07-28
Added code to emerg-shutdown that disables panic-on-warn and panic-on-oops before shutdown, then switches to a TTY, and then finally shuts down. This appears to work reliably finally. Also added a --instant-shutdown mode for using emerg-shutdown from other applications, made it so new keyboards would be properly autodetected (for the shutdown key combo feature), and added the ability to configure the shutdown key combo.
== 2025-07-27 ==
=== Find emergency shutdown hang culprit ===
Date: 2025-07-27
Our panic-on-oops.service unit is causing the hangs on physical hardware with Intel graphics, because the i915 graphics driver is throwing a kernel warning during shutdown and that is turned into a kernel panic by our code. A good workaround will probably be to switch to a TTY before issuing the final shutdown command.
=== Review login security documentation ===
Date: 2025-07-27
Double-checked the existing documentation for login security. Didn't find much missing, except that we didn't mention that SSH is not installed by default. Added that to the SSH wiki page.
=== regreSSHion research ===
Date: 2025-07-27
As discussed with Patrick.
== 2025-07-25 ==
=== Warn about passwordless sysmaint account even when password is locked ===
Date: 2025-07-25
systemcheck's login security check previously considered a missing-but-locked password "good enough" for any account, and thus displayed the password as "Locked" with green-colored text. This has now been changed to "Locked (Absent)" for all accounts. The text is still shown as green for non-sysmaint accounts, but for the sysmaint account specifically (which is automatically unlocked when booting into a sysmaint session), this condition is shown in yellow.
=== Add sysmaint-panel buttons for Whonix-Gateway features, remove irrelevant buttons ===
Date: 2025-07-25
Made it so that networking and browser-related buttons were not displayed on Whonix-Gateway or Whonix-Workstation. Added four tools specific to Whonix-Gateway to the system maintenance panel.
=== Make sysmaint-panel launch automatically on non-Qubes Whonix-Gateway ===
Date: 2025-07-25
Added code to anon-gw-base-files that can detect if the system is a non-Qubes Whonix-Gateway, and that will autolaunch the System Maintenance Panel if so.
=== Attempt to port Kicksecure theme to LXQt + Wayland ===
Date: 2025-07-25
Looked into what would be necessary to mostly or entirely replicate Kicksecure's existing theming on LXQt. After some effort, I managed to get a functional LXQt session working with labwc and Wayland, and after some more fiddling managed to theme the desktop decently well. This will be useful when we port to Wayland in the future.
=== Fix browser-choice bugs ===
Date: 2025-07-25
Patrick found a bug on step 2 of the wizard that would allow proceeding past the page without properly selecting an option. This turned out to be one of a family of bugs affecting this particular page. These issues have now been fixed; however, the way in which the button enable/disable code works may need to be changed if further issues show up.
== 2025-07-24 ==
=== Research, discuss Tor Browser and default browser difficulties ===
Date: 2025-07-24
Talked with Patrick about the current shortcomings of our default browser mechanism, and possible ways to resolve them for Trixie. (Resolving them for Bookworm would likely be too dangerous.) This included discussion of how to make it possible to launch Tor Browser in a sysmaint session.
=== Review zsh configuration ===
Date: 2025-07-24
Found some bugs in, and places to improve, our zsh config. Submitted a relatively small patch to resolve those issues.
=== Add systemcheck test for ensuring su is locked down ===
Date: 2025-07-24
Created a test in systemcheck that checks the permissions and ownership on /usr/bin/su and reports if they differ from 744 0:0.
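A check of this kind can be sketched as follows. This is an added example, not systemcheck's own code; the function name, messages and exit codes are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not systemcheck code): compare a file's octal mode and
# numeric owner against an expected baseline, as in the /usr/bin/su check
# described above (expected "744" and "0:0").
#
# check_file_lockdown PATH EXPECTED_MODE EXPECTED_OWNER
#   EXPECTED_MODE   octal mode exactly as GNU stat prints it with %a (e.g. 744)
#   EXPECTED_OWNER  numeric uid:gid (e.g. 0:0)
# Exit status (assumed convention for this example):
#   0  mode and owner both match
#   1  at least one of them differs
#   2  the file is missing, not a regular file, or could not be inspected
check_file_lockdown() {
  cfl_path=$1
  cfl_expected_mode=$2
  cfl_expected_owner=$3

  # -f follows symlinks, so a link to a regular file is still inspected.
  if [ ! -f "$cfl_path" ]; then
    printf 'SKIP: %s is missing or not a regular file\n' "$cfl_path"
    return 2
  fi

  # -L reports the link target, i.e. the file that would actually be executed.
  cfl_actual=$(stat -L -c '%a %u:%g' -- "$cfl_path") || return 2
  cfl_actual_mode=${cfl_actual% *}
  cfl_actual_owner=${cfl_actual#* }

  cfl_status=0

  if [ "$cfl_actual_mode" != "$cfl_expected_mode" ]; then
    printf 'WARN: %s has mode %s, expected %s\n' \
      "$cfl_path" "$cfl_actual_mode" "$cfl_expected_mode"
    # Call out the most security-relevant deviation explicitly.
    if [ -u "$cfl_path" ]; then
      printf 'WARN: %s has the set-user-ID bit set\n' "$cfl_path"
    fi
    cfl_status=1
  fi

  if [ "$cfl_actual_owner" != "$cfl_expected_owner" ]; then
    printf 'WARN: %s is owned by %s, expected %s\n' \
      "$cfl_path" "$cfl_actual_owner" "$cfl_expected_owner"
    cfl_status=1
  fi

  if [ "$cfl_status" -eq 0 ]; then
    printf 'OK: %s is %s %s\n' "$cfl_path" "$cfl_actual_mode" "$cfl_actual_owner"
  fi
  return "$cfl_status"
}
```

Calling `check_file_lockdown /usr/bin/su 744 0:0` applies the baseline named above; mode 744 means no set-user-ID bit and execute permission for the owner only.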
=== Make systemcheck login security check suitable for Qubes OS ===
Date: 2025-07-24
Reworked the autologin code in check_login_security.bsh so it would work as expected under Qubes OS, and removed the condition that caused the test to be skipped on Qubes.
== 2025-07-23 ==
=== Investigate theming improvements, Wayland migration path ===
Date: 2025-07-23
Made several suggestions for improving the Kicksecure and Whonix theming with Xfce, in the hopes that this work could be later transferred to LXQt without too much effort. Also compared Xfce and LXQt on Wayland, and discussed issues and limitations with Patrick.
=== Finish systemcheck audit and fixes ===
Date: 2025-07-23
Finished testing systemcheck's verbose mode on all supported virtualization platforms. Found several bugs and bogus errors in the process, submitted fixes for all of them.
== 2025-07-22 ==
=== Work on fixing systemcheck errors across all supported VM platforms ===
Date: 2025-07-22
Patrick noticed a lot of spurious errors being spit out by systemcheck, and some more serious looking errors under Whonix. I started debugging some of these - some of them can safely be silenced, others are the result of actual bugs in livecheck (so far just AppArmor config issues). Will finish this tomorrow most likely.
=== Add livecheck applet name to context menu, fix some bugs ===
Date: 2025-07-22
Fixed bugs in livecheck, and added an extra "action" to the livecheck context menu showing the applet's name. (Also made an alternate implementation that put the applet name in the exit button in case that was desirable. Patrick and I both didn't like that variation as much, and Patrick merged the one with the applet name below the exit button.)
=== Add further browser-choice integrations ===
Date: 2025-07-22
Added browser-choice to the Kicksecure Qubes template app menu, added a mention of it to setup-wizard-dist, and improved the wording in open-link-confirmation to hint to the user that they may need to install a browser themselves if they haven't already.
=== Implement browser-choice improvements ===
Date: 2025-07-22
Went through Patrick's list of requested improvements to browser-choice and implemented all but one of them. The remaining one looked too complicated, so I left notes about difficulties there for our consideration.
== 2025-07-21 ==
=== Find firmware component resulting in shutdown issues ===
Date: 2025-07-21
Narrowed down the problematic firmware causing emerg-shutdown failure to the i915 firmware. Either that firmware or the corresponding driver is most likely interacting poorly with some configuration present in Kicksecure.
=== Integrate browser-choice with Kicksecure, Whonix ===
Date: 2025-07-21
Fixed some browser-choice user interface issues, added a launcher for it to sysmaint-panel, removed Firefox and Thunderbird from Kicksecure and Whonix, added browser-choice, made dummy-dependency able to replace browser-choice, and worked on the derivative-update script since I ended up syncing my derivative-maker fork with Whonix upstream.
=== Resend GRUB Xen command line patch ===
Date: 2025-07-21
No reply from the GRUB developers has been received since the last time I sent the patch, so I rebased it onto the current tip of GRUB's git master, then resent it.
== 2025-07-20 ==
=== Investigate read-only root on Debian 12, Kicksecure 17 ===
Date: 2025-07-20
Determined what was needed to get Debian and Kicksecure to boot with a read-only root filesystem. Mounted minimal RAM-based overlays to get things working. In production, we'd also need to have a persistent data partition. Both Debian 12 and Kicksecure 17 were able to be configured to boot to a working GUI with a read-only root partition, and Firefox worked for web browsing.
=== Attempt to fix rtests for Whonix-Workstation after hardening qrexec ===
Date: 2025-07-20
The new Whonix-Workstation qrexec behavior when opening files in other VMs broke the regression tests for it. Attempted to fix these by adding code to confirm opening a file in a new DispVM.
=== Add back legacy policies for sdwdate-gui-qubes ===
Date: 2025-07-20
This should prevent breakage when sdwdate-gui is upgraded to use the new architecture.
=== Study sdwdate code and timesync wiki, take notes ===
Date: 2025-07-20
Looked at requested enhancements and potential implementation strategies, security concerns, and limitations. No concrete changes made yet, just getting a good understanding of the theory and a working understanding of code internals.
=== Find package causing shutdown failures on Kicksecure ===
Date: 2025-07-20
After much searching, I finally narrowed down the shutdown failures to the firmware-* package group, and eventually narrowed it down to firmware-misc-nonfree. This package does not cause shutdown to fail on vanilla Debian 12, but it does cause problems on Kicksecure, so presumably something we're doing is interfering with a device in an unexpected way. Further research still needed.
=== Attempt to file Tor Browser feature request for signed metadata ===
Date: 2025-07-20
Used Anon-Ticket to file the request, and also requested a Tor Gitlab account. Both are pending moderation.
== 2025-07-18 ==
=== Fix Whonix-Workstation StandaloneVM bugs ===
Date: 2025-07-18
Fixed a couple of sysmaint-related issues (failure to format home disk, incorrectly attempting to access the update proxy when it isn't necessary) and some deeper issues with Whonix StandaloneVM creation (NetVM set incorrectly to sys-firewall, default DispVM set incorrectly to default-dvm).
=== Add software installation risk warning to browser-choice ===
Date: 2025-07-18
Added warnings for browser installation options that enable a third-party apt repository. Also added a general warning about how software installation is inherently risky, and linked it to a newly written warning on the wiki explaining why one must trust software they run.
== 2025-07-17 ==
=== Improve Qt UI build process for browser-choice, sysmaint-panel ===
Date: 2025-07-17
Stopped including autogenerated UI code files in Git. Integrated UI-to-Python translation into the package build process for both packages and added a "clean" feature for getting rid of obsolete autogenerated code.
=== Research improving systemd shutdown reliability ===
Date: 2025-07-17
Did not find a setting in systemd to provide a "master kill switch"; the closest that can be done is creating a unit that force-kills the system using magic sysrq (to my awareness). Should file a systemd feature request for this.
=== Write ticket for discussing stable vs. rolling release concerns ===
Date: 2025-07-17
Created a post on Kicksecure's developer forums for stable and rolling release discussion. Mapped out some pros and cons, some possible ways forward, and linked to the existing wiki page on the topic.
=== Test, bugfix browser-choice ===
Date: 2025-07-17
Ensured that browser-choice worked on Whonix-Workstation and in Whonix qubes under Qubes OS. Found and fixed several bugs in the process.
=== Document problems with read-only Debian ===
Date: 2025-07-17
Wrote down known issues with making Debian fully read-only, and possible ways of resolving them. Useful for future Verified Boot research.
== 2025-07-16 ==
=== browser-choice enhancements ===
Date: 2025-07-16
Implemented several enhancements for browser-choice, including creating new plugins, adding a network check, removing the "launch after install" checkbox from sysmaint sessions, etc. Still needs testing.
=== Fix "Open in other qube" button in Whonix-Workstation with qrexec PR ===
Date: 2025-07-16
The qrexec PR against qubes-core-admin-addon-whonix currently in flight was breaking the "Open in other qube" button in Whonix-Workstation. Marek suggested a fix for this, which I tested, verified worked, and implemented.
=== Final emerg-shutdown debug attempt ===
Date: 2025-07-16
Discovered that emerg-shutdown worked properly under plain Debian 12. Attempted to determine what configuration in Kicksecure was breaking it. So far, the kernel command line does not seem to be the issue, nor do the modprobe settings, sysctl settings, or any modprobe or sysctl settings embedded in the initramfs (if any). Still did not find a workaround or a fix. Delaying further emerg-shutdown development until the Trixie port.
== 2025-07-15 ==
=== Debug emerg-shutdown failure to shut down ===
Date: 2025-07-15
While developing emerg-shutdown, I discovered that many times the system would only partially shut down when emerg-shutdown was triggered. The screen would go black, and external drives would lose power, but the power LED would remain lit and the fans of the machine would keep spinning. This is happening on two different computers with radically different hardware. The cause for this is still unknown. Attempted to find a workaround, did not succeed.
=== Audit, polish application menus for Kicksecure and Whonix qubes ===
Date: 2025-07-15
Compared existing app menu entries to those of other qubes and reviewed app menu entries available in VirtualBox VMs to determine what app menu items would be best to include for each VM variant. Changed qube configuration accordingly.
=== Further work on Qubes-Whonix qrexec hardening ===
Date: 2025-07-15
Added and tested qrexec configuration to qubes-core-admin-addon-whonix that allows opening new files in already-open AppVMs. Also documented some shortcomings with this solution.
== 2025-07-14 ==
=== Continued emergency shutdown development ===
Date: 2025-07-14
Added the ability to specify alternative keys in the rescue key mechanism, so for instance you can make Ctrl+Alt+Delete work as an instant shutdown without having to rely on left ctrl or right ctrl specifically. Also fixed optical disk support, and tested on both physical and virtual hardware. Virtual machines are working perfectly, but physical hardware is getting "stuck" during shutdown for unknown reasons. Further investigation needed.
=== Document development and use considerations for stable and rolling releases ===
Date: 2025-07-14
Wrote down detailed information about the security impact of stable vs. rolling release models and how those release models interact with other software release models. Also wrote suggestions for staying secure when using a stable release, which we may use when developing new features.
=== Implement dracut initramfs xz compression ===
Date: 2025-07-14
Set the compress="xz" setting in Dracut using dist-base-files.
== 2025-07-13 ==
=== Add panic key support to emergency shutdown code ===
Date: 2025-07-13
The emergency shutdown service is now capable of monitoring for a particular "panic" key combo and immediately shutting down the system when that key combo is detected. It operates at the evdev layer, thus does not depend on a GUI to work right. Needs real-world testing, but some testing outside of a real-world setting has already been done.
=== Review qrexec config on Qubes R4.3 for possible Whonix-Workstation guest escapes or IP leaks ===
Date: 2025-07-13
Was not able to find an easy escape mechanism, but I did find a possible IP leak mechanism that required substantial user interaction. Filed a Qubes feature request for locking this down, along with a pull request to implement it.
=== Test dracut zstd compression with maximum compression settings ===
Date: 2025-07-13
Determined that this mode generated a slightly larger file than xz while performing significantly worse.
=== Add explanatory comments to derivative-update ===
Date: 2025-07-13
Noted down why more detailed refs/* specifiers cannot be used in particular parts of the code, and why a use of git symbolic-ref -q -- HEAD was safe.
== 2025-07-11 ==
=== Document how a verified boot mode would work with Whonix-Gateway and others ===
Date: 2025-07-11
Took the discussion around verified boot implementation I had with Patrick, and attempted to use that info to update the documentation in the user-sysmaint-split wiki page.
=== Finish SSH wiki page review ===
Date: 2025-07-11
Polished the server configuration file a bit (allowing IPv6, enhancing MAC choices), and reviewed the rest of the page.
=== Document shared folder usage for Kicksecure and Whonix ===
Date: 2025-07-11
Documented how to use the revamped vm-config-dist functionality, both for VirtualBox and KVM.
=== Review more suggestions and fixes for derivative-update ===
Date: 2025-07-11
Looked at some more changes Patrick made to derivative-update and TODO comments he left in the code. Code changes looked good. Left some notes in chat, implemented suggestions that could be implemented.
== 2025-07-10 ==
=== Research SSH cryptography algorithms ===
Date: 2025-07-10
Fixed some minor issues on the SSH wiki page, and revamped the recommended client configuration file. Did a lot of research into the security properties of the various algorithms offered by SSH and which ones were best in various scenarios, and documented that research to justify the changes to the recommended encryption settings.
== 2025-07-09 ==
=== Whonix-Gateway verified boot discussion ===
Date: 2025-07-09
Talked with Patrick about how verified boot should work on the software side of things, and how it would look on Whonix-Gateway (and other machines without user-sysmaint-split) as opposed to machines with user-sysmaint-split.
=== Fix known browser-choice issues ===
Date: 2025-07-09
Worked through the list of known issues in browser-choice and fixed all of them. Also created further TODOs and a list of things to consider for further development.
== 2025-07-08 ==
=== Get browser-choice into an alpha quality state ===
Date: 2025-07-08
browser-choice is now mostly functional. There are several known issues and the code has not been thoroughly tested, but it's to the point where it can be used to install and uninstall some browsers.
== 2025-07-07 ==
=== More browser-choice development ===
Date: 2025-07-07
Got the second screen of the wizard mostly implemented.
=== Research, benchmark, and suggest a new default for Dracut compression algorithms ===
Date: 2025-07-07
Suggested that we switch to xz compression by default since it provides a very small initramfs and is still acceptably fast (a bit faster than what we use now). Suggested zstd as an acceptable alternative if xz was undesirable.
=== Add --set-home switch to sudo command for running Wayland GUI apps as root ===
Date: 2025-07-07
--set-home appeared to be the default anyway, but it doesn't hurt anything and it's useful to keep from accidentally creating root-owned files in other users' home directories.
== 2025-07-06 ==
=== Continue browser-choice development ===
Date: 2025-07-06
Got functional code written for parsing plugin files, displaying browsers to the user, and checking whether a browser is installed and how. So far it's mostly working.
=== Add root account to systemcheck login security check ===
Date: 2025-07-06
Made the root account be listed along with other accounts in systemcheck's login security check. Also added special fields for accounts with a locked or restricted password, and made it so that login security issues on the root account would be shown in red text.
=== Rewrite vm-config-dist shared folder code ===
Date: 2025-07-06
The previous code in vm-config-dist wasn't fully functional and didn't allow the sysmaint user to access shared folders. Rewrote the code to be more flexible, take into account all needed edge cases, and avoid using flaky VirtualBox automounting.
=== Add hwclock sync to sdwdate and bootclockrandomization ===
Date: 2025-07-06
Added code to sync the hardware clock with the system clock to both of the above mentioned packages.
=== More derivative-update polish and simplification ===
Date: 2025-07-06
Rewrote parts of derivative-update with Patrick's help. Most of the more complicated features were removed in favor of keeping the script easy to use and less complex.
== 2025-07-04 ==
=== Research SSH post-quantum cryptography ===
Date: 2025-07-04
Looked into how PQC currently worked in the version of OpenSSH in Trixie, and wrote some suggestions for how we should configure and document OpenSSH cryptography in Kicksecure.
=== Update documentation for running Wayland applications as root ===
Date: 2025-07-04
Added a note about an environment variable Qt needs to work right in this situation. Also verified that lxsudo didn't work for this purpose, and clarified documentation around launching applications as root to guide users to using sudo rather than lxsudo when dealing with Wayland.
=== Start implementing browser-choice widgets and plugins ===
Date: 2025-07-04
Got many UI widgets for browser-choice working. Also wrote the plugins, added icons to the repo, and wrote a helper script for architecture support checks.
=== Create Qubes /etc/hosts ominous warning fix ===
Date: 2025-07-04
Moved the protected files config for /etc/hosts (and also /etc/hostname) to whonix-base-files. This should hopefully fix the ominous warning issues.
=== Hand off remaining Docker issues to tabletseeker ===
Date: 2025-07-04
Documented current progress on derivative-maker-docker and set it aside as per Patrick's recommendations in the task list.
== 2025-07-03 ==
=== Begin writing browser-choice ===
Date: 2025-07-03
Worked on several Qt Designer UI files for various parts of the browser-choice UI. Not all of the UI has been laid out yet, and no functional code has been written yet.
=== Research, find possible fix for /etc/hosts issue in Qubes-Whonix ===
Date: 2025-07-03
Found the likely cause of Qubes-Whonix "ominous warning" error messages mentioning /etc/hosts, and suggested a solution. Patrick approved the suggestion, so I will likely be implementing the solution soon.
=== Enhanced time synchronization docs ===
Date: 2025-07-03
Read through and added some NTP and hardware clock info to the Network Time Synchronization wiki page.
=== derivative-update fixes ===
Date: 2025-07-03
Fixed bugs and TODOs in derivative-update. It should still probably be considered beta-quality, but it's significantly more robust than previously now. Also researched Docker UUID issues, did not find a good fix yet.
=== Double-check erst_disable pull requests ===
Date: 2025-07-03
Made sure the erst_disable pull requests were safe and correct after they were merged.
== 2025-07-02 ==
=== Create derivative-update, revamp Docker code in derivative-maker ===
Date: 2025-07-02
Created the derivative-update script for checking out refs in derivative-maker and fetching new commits for it in a secure fashion. Also applied a bunch of fixes to the Docker code that were previously offered for tabletseeker's repository.
=== Comment on remaining IPv6 discussion ===
Date: 2025-07-02
Added a comment to a previously missed IPv6 discussion.
== 2025-07-01 ==
=== File feature request for user/system package separation in Kicksecure ===
Date: 2025-07-01
Filed a feature request for separating user and system packages on the forums, and documented a possible way of implementing it using virtualization. Will continue discussion on this.
=== Research, document Status messenger ===
Date: 2025-07-01
Determined that Status was most likely not a good messenger to recommend, and documented why.
=== Research lsblk failure in Docker, file bug report against Docker ===
Date: 2025-07-01
Determined that zeha's suggested fix for the Docker issue would not work. Filed a bug against Docker for the issue. We'll probably have to port the appropriate location in the grml-debootstrap code to use blkid to resolve this, or wait for Docker to be fixed.
=== Submit derivative-maker-docker changes to tabletseeker's repo ===
Date: 2025-07-01
Integrated my previous work on derivative-maker-docker into tabletseeker's work, and also added a prototype of an --update-repo option. Filed a PR to integrate it.
=== Investigate clock widgets for sysmaint session ===
Date: 2025-07-01
Did more clock widget research and tested a widget, tdc. Didn't find one that would work. We'll have to write our own in some way most likely.
=== Review, suggest fixes for erst_disable removal PR in debug-misc ===
Date: 2025-07-01
Reviewed a debug-misc PR from raja-grewal that removed the erst_disable kernel parameter from the kernel command line, along with a few other fixes. Noticed some errors in the PR and suggested fixes for them.
=== Fix screen locker in sysmaint sessions ===
Date: 2025-07-01
Added xscreensaver to the appropriate Kicksecure metapackage and added configuration for it in vm-config-dist to prevent it from automatically locking the screen or displaying a real screensaver by default.
== 2025-06-30 ==
=== Research, document Wire messenger ===
Date: 2025-06-30
Determined that Wire was likely not a good chat messenger choice due to experimental Linux support and previously broken end-to-end encryption.
=== Investigate grml-debootstrap /dev cloning ===
Date: 2025-06-30
To fix a grml-debootstrap bug resulting in mis-detection of partition type UUIDs, I implemented a /dev filesystem cloner as a proof-of-concept, to see if cloning /dev was even practical. It turned out to be doable. Shared the code in the appropriate grml-debootstrap bug report and requested feedback.
=== Review, approve PR for fixing potentially unsafe Bluetooth config ===
Date: 2025-06-30
bluez upstream mis-documented their TemporaryTimeout option, leading us to believe that setting it to 0 would prevent temporary Bluetooth devices from persisting. What it actually did was make temporary Bluetooth devices always persist. Ensured that the PR for removing the incorrect configuration looked correct, and that the fixed documentation for TemporaryTimeout was actually accurate.
=== Review, approve erst_disable PR for security-misc ===
Date: 2025-06-30
Reviewed a PR from raja-grewal that disables ACPI ERST support to make it harder to persist dangerous crash data in firmware flash storage. Approved. I did not manage to review the accompanying PR for debug-misc yet.
=== Documented arp_ignore=1 settings for advanced networking with Whonix-Gateway ===
Date: 2025-06-30
Wrote documentation for downgrading arp_ignore=2 to arp_ignore=1, along with when doing so would be necessary. This will be needed for users who are putting a VPN after their Tor connection, and for users who are using Windows as a Whonix-Custom-Workstation.
=== Added comments to IPv6 and tb-updater GitHub issues ===
Date: 2025-06-30
Commented on some GitHub issues Patrick asked me to look at. tb-updater may need automation to make it faster to update, and some IP addresses in the IPv6 PRs from Daniel were verified as safe.
=== Add battery indicator to user and sysmaint system trays ===
Date: 2025-06-30
Determined why a battery indicator wasn't appearing in the systrays in both user and sysmaint modes, and added additional configuration to fix that for new builds of Kicksecure and newly created user accounts. This won't fix it for existing user accounts, there's not a whole lot that can be done about that.
== 2025-06-29 ==
=== Write and integrate sanitize-string ===
Date: 2025-06-29
Wrote a Python library and utility that combined the functionality of the stecho and strip-html utilities. Named it sanitize-string at Patrick's suggestion. Integrated it throughout Kicksecure's codebase.
=== Fix minor issues with livecheck output_func chunking implementation ===
Date: 2025-06-29
Added an infinite loop guard, fixed behavior when only a single argument was passed, and added argument count checking.
=== Remove old genmon livecheck widget ===
Date: 2025-06-29
After rewriting livecheck as a Python applet, we forgot to actually remove the old XFCE-specific genmon widget that was once serving the equivalent purpose. Removed now.
=== Finish derivative-maker-docker review ===
Date: 2025-06-29
Fixed several TODOs, discussed challenges with Patrick and got ISO builds working. Also filed a grml-debootstrap bug for fixing VM image builds.
== 2025-06-27 ==
=== Begin full audit of derivative-maker-docker ===
Date: 2025-06-27
Started a thorough usability and code quality audit of derivative-maker-docker. Wrote down several notes in my local repository, will be fixing noted issues soon.
=== Enhance msgcollector output_func ===
Date: 2025-06-27
Made it so that output_func could handle very long strings, such as journalctl output. Took a while to figure out an efficient chunking algorithm that was also resistant to problems caused by UTF-8 characters.
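An added illustration of the chunking problem in this entry and the infinite loop guard in the 2025-06-29 entry; this is not msgcollector's code, and the function name chunk_utf8 and the byte-limit interface are assumptions. It splits a long byte string into pieces of at most a given size, prefers to break after a newline, never cuts inside a UTF-8 sequence, and always makes progress even on invalid input.

```python
def chunk_utf8(data: bytes, limit: int) -> list:
    """Split data into chunks of at most `limit` bytes on safe boundaries.

    Hypothetical helper, not the msgcollector implementation.
    """
    # Guard: the longest UTF-8 sequence is 4 bytes. With a smaller limit a
    # single character might never fit, and backing up could stall forever.
    if limit < 4:
        raise ValueError("limit must be at least 4 bytes")

    chunks = []
    pos = 0
    while pos < len(data):
        end = min(pos + limit, len(data))
        cut = end
        if end < len(data):
            # Prefer to end the chunk just after the last newline in the
            # window, so log lines (e.g. journalctl output) stay intact.
            newline = data.rfind(b"\n", pos, end)
            if newline != -1:
                cut = newline + 1
            else:
                # No newline: back up while the byte at the cut position is a
                # continuation byte (10xxxxxx), i.e. we are mid-character.
                while cut > pos and (data[cut] & 0xC0) == 0x80:
                    cut -= 1
                # Only invalid input (a long run of continuation bytes) can
                # back up all the way. Force progress instead of looping.
                if cut == pos:
                    cut = end
        chunks.append(data[pos:cut])
        pos = cut
    return chunks


# Constructed sample input: one long line of multi-byte characters followed
# by two short log-style lines.
SAMPLE = ("\u2713" * 40 + "\n" + "unit started\nunit stopped\n").encode("utf-8")

if __name__ == "__main__":
    for piece in chunk_utf8(SAMPLE, 32):
        # Every piece decodes on its own because no character was split.
        print(len(piece), repr(piece.decode("utf-8")))
```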
=== Fix missing rm_conffile migration command in sdwdate-gui ===
Date: 2025-06-27
Ensured that rm_conffile could be safely reverted later, then added the needed commands to sdwdate-gui's maintainer scripts to enable a smooth migration to the new architecture.
== 2025-06-26 ==
=== Add Delta Chat and IRC client documentation to Whonix chat client docs ===
Date: 2025-06-26
Briefly documented the installation and use of irssi, WeeChat, and Quassel Chat (all IRC clients) on the Whonix wiki. Added a warning to the HexChat wiki page that HexChat is no longer maintained. Documented Delta Chat on its own wiki page.
=== Review "seat belts and airbags for Bash" ===
Date: 2025-06-26
Watched a presentation on writing robust Bash code at Patrick's request. Learned some new tips in the process. The presentation had some errors in it, some of which were practical in nature (i.e. mis-describing how to use Bash features such as regexes), so I tried to pull out what I could verify as accurate, added notes to the dev/bash wiki page, and made some notes of my own for new tricks I didn't know before.
=== Add user-sysmaint-split and Qubes-specific design changes to browser-choice ===
Date: 2025-06-26
Patrick pointed out several shortcomings with our current browser-choice design specifications related to user-sysmaint-split and Qubes OS. Integrated his suggestions into the design documentation and also added some design changes of my own to resolve the issues.
=== Rename sdwdate-client/server tag to sdwdate-gui-client/server ===
Date: 2025-06-26
Fixed the qubes-core-admin-addon-whonix and qubes-core-admin-addon-kicksecure code to use a different, more accurate tag name for qrexec policies used by sdwdate.
== 2025-06-25 ==
=== Research and implement robust HTML stripping ===
Date: 2025-06-25
Implemented an HTML stripper and integrated it into Kicksecure's codebase. The stripper uses Python's HTML parser for part of its job, but should work under adversarial conditions.
=== Review, approve 3mdeb verified boot spec ===
Date: 2025-06-25
Reviewed the full verified boot specification made by collaboration with 3mdeb. Looked good, approved.
=== Finish sdwdate-gui rewrite and accompanying Qubes OS changes ===
Date: 2025-06-25
Pushed all sdwdate-gui changes and opened an issue for adding qubes-core-admin-addon-kicksecure to Qubes OS. Once everything is merged, sdwdate-gui should work in Kicksecure qubes properly.
== 2025-06-24 ==
=== Ported Xen command line parsing patch back to Qubes OS and fully retested the patch on Qubes ===
Date: 2025-06-24
The pvgrub pull request for in-vm kernel boot mode support was outdated. I finally managed to get the patch for Xen command line parsing that was most recently submitted to the FSF ported back to Qubes OS's pvgrub code, tested it against the same test suite used for the upstream patch, and submitted it for review and hopefully merging later on.
=== Public zuluCrypt security bug report ===
Date: 2025-06-24
The zuluCrypt local privilege escalation issue discovered during the polkit audit task has been taken out of embargo after the Debian Security Team recommended I upload the bug report directly to the BTS. This is now done.
=== Fix memory management issues in sdwdate-gui rewrite ===
Date: 2025-06-24
PyQt5 makes it possible to corrupt or leak memory even in Python; as it turns out, typical Python automatic memory management can't be fully trusted to do the right thing. Attempted to resolve this, fixing a client crash issue caused by faulty memory management. Further auditing may be necessary to ensure these kinds of issues are fully resolved. Also got confirmation from Marek that creating a "qubes-core-admin-addon-kicksecure" would be a good way forward for fixing the root bug this rewrite was intended to fix (the qrexec errors caused by Kicksecure templates).
=== Contribute to 3mdeb verified boot discussion ===
Date: 2025-06-24
Tried to clarify a potentially confusing point related to Microsoft key handling in Sovereign Boot.
== 2025-06-23 ==
=== Debug and polish sdwdate-gui rewrite ===
Date: 2025-06-23
Got the rewrite of sdwdate-gui working on both Qubes OS and on "vanilla" Kicksecure and Whonix. A significant amount of additional effort will be needed to get all the moving pieces (mostly qrexec policies and Qubes-specific config) in place, but the application itself is now working quite well and can likely be considered beta-quality.
== 2025-06-22 ==
=== Further development, debugging on sdwdate-gui rewrite ===
Date: 2025-06-22
Rewritten sdwdate-gui is relatively close to functional at this point. Further debugging and testing on Qubes OS still needed, but it's very close to working.
== 2025-06-19 ==
=== Finish polkit configuration audit ===
Date: 2025-06-19
Finished compiling the results of the audit and shared them with Patrick.
== 2025-06-18 ==
=== Begin audit of default polkit configuration ===
Date: 2025-06-18
Began auditing the existing polkit rules and actions in my Kicksecure development VM for possible security weaknesses.
== 2025-06-13 ==
=== More sdwdate-gui rewrite work ===
Date: 2025-06-13
Mostly worked on writing the client component, still untested. Most of the remaining work will be testing and bugfixing from here.
== 2025-06-12 ==
=== Continue work on sdwdate-gui rewrite ===
Date: 2025-06-12
Finished writing the server component, still untested. Started work on writing the client component and researched how to proxy a UNIX socket over qrexec to make it work properly in Qubes OS.
=== Finish approx package caching work in derivative-maker ===
Date: 2025-06-12
Finished working out most of the bugs in the approx package caching implementation in derivative-maker. This should get our ability to build working again. (Patrick discovered some remaining minor bugs and has added fixes for them as well.)
== 2025-06-11 ==
=== Work on replacing apt-cacher-ng with approx in derivative-maker ===
Date: 2025-06-11
Something changed about the SSL configuration for fasttrack.debian.net, and now apt-cacher-ng is exhibiting extremely weird and non-functional behavior with that repository. There is no clear fix, so we're replacing it with the approx package caching proxy. Did most of the work for this, I have clearnet builds working and Tor builds almost working.
== 2025-06-10 ==
=== Start work on sdwdate-gui rewrite ===
Date: 2025-06-10
Used current implementation plan and existing code as a guide and started rewriting sdwdate-gui into a client-server system. So far things seem to be working fairly well.
=== Write down results of polkit research ===
Date: 2025-06-10
Replied on the Kicksecure forums to the development task for researching polkit's security. Also discussed security concerns and future work in this area with Patrick.
=== Remove Firefox from Kicksecure template app menu ===
Date: 2025-06-10
Successfully got a template build of Kicksecure for Qubes R4.3 that lacked Firefox in the application menu. Uploaded the change needed for this. Also added sysmaint-panel to the application menu at the same time since it's useful in sysmaint mode.
== 2025-06-09 ==
=== Research polkitd security concerns ===
Date: 2025-06-09
Looked into how polkitd works and whether it was a possible security risk. I don't personally see anything wrong with its method of operation, and it is a critical component of the system used with systemd, so it cannot simply be removed. I did notice what appeared to be a sandbox escape vulnerability in polkitd's systemd configuration, but the issue didn't appear serious, doesn't appear mitigatable, and isn't considered an issue by systemd upstream after discussion with them.
=== Get Kicksecure template builds to work on Qubes R4.3 again ===
Date: 2025-06-09
Set up qubes-builderv2 on my Qubes machine again after having reinstalled it recently. Discovered that the builder.yml file had to be configured specially to work on R4.3. Documented the needed config change.
=== Redesign sdwdate-gui-qubes backend ===
Date: 2025-06-09
Read through previous discussions and discussed with Patrick and Marek how to reimplement the sdwdate-gui-qubes backend to fix existing architectural issues. Came up with a new design that appears to be agreed upon as good, will be implementing soon.
== 2025-06-08 ==
=== Lots of improvements to systemcheck ===
Date: 2025-06-08
Added several new features to systemcheck at Patrick's request, including OS EOL detection, Secure Boot detection, and more. They should probably be tested more thoroughly, but seem to work initially.
=== Add BTRFS support back to Calamares ===
Date: 2025-06-08
Now that we have live-hardener, it is theoretically possible to boot a BTRFS system in live mode and have live mode actually do its job correctly, so BTRFS is now added back to the list of supported filesystems and will be accessible from the user interface.
=== Add read-only mode back to livecheck ===
Date: 2025-06-08
Read-only mode had gotten dropped during the development of the new livecheck applet, since it was missing from live-mode.sh in helper-scripts. Re-added the feature and tested it to make sure it worked.
=== Document live-hardener and livecheck Python applet ===
Date: 2025-06-08
Added documentation to the Kicksecure wiki for live-hardener and the new implementation of livecheck.
=== Make live-hardener more robust ===
Date: 2025-06-08
Made live-hardener's error handling more robust. Also added a test script, and fixed up lsblk output parsing.
=== Debug stprint helper-scripts CI failure ===
Date: 2025-06-08
A bug that slipped by both me and Ben during development and review of the stprint closed stdin fix patches resulted in stcatn only fixing up the last line of a file passed to it. This resulted in CI failure when trying to sanitize one Java file in the trojan-source repo. Found and fixed bug.
=== Research argon2id LUKS hardening for Kicksecure ===
Date: 2025-06-08
Researched how to increase argon2id memory consumption, whether it was worth doing, and whether it was worth documenting. Replied to the Kicksecure forums user who suggested hardening in this area.
== 2025-06-06 ==
=== Create unit tests for live-mode.sh and get_writable_fs_lists.sh ===
Date: 2025-06-06
The tests simulate a large number of mount configurations and ensure that the scripts behave as expected in all tested situations.
=== Add additional privileged "privleap" group to privleap ===
Date: 2025-06-06
In our privleap config, we originally had the sudo group as a privileged group that was able to run all or nearly all predefined privleap actions. This failed to take into account the possibility that someone would not want to grant sudo group membership to an account that needed to run privleap actions, since the sudo group could be a security risk even if the sudo executable could not normally be run.
To resolve this, the privleap group is now automatically created when privleap is installed, that group is allowed to run all of the same privleap actions that could be executed by the sudo group, and privleap is now able to take a group name in the allowed-users group, allowing one to grant a user account access to privleap by simply adding it to the privleap group, no further config modifications required.
=== Document new remount-secure implementation plan ===
Date: 2025-06-06
Added documentation for the remount-secure daemon idea to the remount-secure development wiki page.
== 2025-06-05 ==
=== Research remount-secure implementation ideas ===
Date: 2025-06-05
Read through the existing remount-secure code and some of the discussions. Shared some thoughts on the existing design and an idea for a new design that could detect at runtime when new filesystems are introduced and remount them securely. Also discussed these ideas with Patrick in chat.
=== Improve live-hardener writable filesystem detection ===
Date: 2025-06-05
live-hardener now parses only /proc/self/mounts rather than parsing /etc/fstab directly, allowing it to catch more writable filesystems.
=== Make Calamares tell livecheck when an OS is being installed ===
Date: 2025-06-05
Added functionality to livecheck to monitor for when a particular file is created to know when Calamares is installing the OS. livecheck will now show a notice in the system tray that OS installation is underway and not show an error indicator while that is happening. Once Calamares is done installing the OS, livecheck will return to its original mode. Added a couple of shellprocesses to our Calamares config to actually create and remove the signal file for this.
=== Discover bootloader installation bug, create fix ===
Date: 2025-06-05
Debugged why the fallback bootloader wasn't being properly installed for someone using the most recent Kicksecure ISO. Found out this was because of our boot entry naming changes. Created and tested a fix.
== 2025-06-04 ==
=== Integrate Marek's review suggestions into Xen command line GRUB patch ===
Date: 2025-06-04
Implemented all of Marek's suggestions, then fully retested the patch using the test suite designed previously. All tests passed. Submitted new version of patch to GRUB upstream.
=== Thoroughly test, fix up enhanced live mode ===
Date: 2025-06-04
Tested enhanced live mode code thoroughly, fixing a bunch of bugs and reducing logic duplication in the process. Should be ready for review and merge.
=== Approve stprint utilities PR from Ben ===
Date: 2025-06-04
Looked at the latest changes to the stprint utilities PR from Ben for fixing crashes when stdin is closed. Everything looked good, approved PR and Patrick has now merged it.
== 2025-06-03 ==
=== Develop live mode enhancements ===
Date: 2025-06-03
Created a systemd service that would find dangerous writable filesystems in fstab and remount them read-only, then mount RAM-based overlays on them. Also enhanced the livecheck code even further to be able to handle NFS, virtual machine shared folders, and removable vs. non-removable disks (not just mountpoints).
=== Clean up Docker-related issues in derivative-maker ===
Date: 2025-06-03
Fixed some remaining issues in the derivative-maker-docker code, and submitted fixes for several other derivative-maker bugs that impacted ISO builds done in Docker.
=== Another review of stprint utilities PR ===
Date: 2025-06-03
Reviewed latest changes to stprint utilities PR, one fix still needs to be made but otherwise it's ready.
== 2025-06-02 ==
=== Finish Python implementation of livecheck ===
Date: 2025-06-02
Tested and added some features to the Python livecheck implementation. Seems to be working well, pushed all code changes to Git and submitted for review.
=== Review new derivative-maker-docker commits from tabletseeker ===
Date: 2025-06-02
tabletseeker added some additional features to the derivative-maker-docker PR, which I reviewed and left some comments on.
=== Review updated stprint utilities from Ben Grande ===
Date: 2025-06-02
Ben Grande updated some of the stprint-family utilities to avoid a closed stdin file descriptor from causing utility crashes. Reviewed the new code, suggested a few changes. Looks mostly good.
== 2025-06-01 ==
=== Develop Python implementation of livecheck ===
Date: 2025-06-01
Got a Python implementation of livecheck mostly working, and made changes to other packages to adjust for the new livecheck and live-mode.sh code. Haven't fully tested or pushed yet.
=== Get derivative-maker-docker PR to build a working Kicksecure image ===
Date: 2025-06-01
Did enough debugging of derivative-maker and the Docker PR that I was able to get a working Kicksecure image to boot. Approved pull request, will be contributing additional fixes to derivative-maker later.
== 2025-05-31 ==
=== Continue debugging of derivative-maker-docker pull request ===
Date: 2025-05-31
Found another bug in the Docker pull request, reported it and suggested a fix. Also found a bug in derivative-maker itself with disabling initramfs rebuilds, and another one with genmkfile installation of dependencies. This seems pretty close to working.
== 2025-05-30 ==
=== Document how to add additional systemd units to sysmaint-boot.target ===
Date: 2025-05-30
Documented how to configure a systemd unit to start in a sysmaint session, without requiring modifying sysmaint-boot.target's config file. This avoids problems with system files being overwritten during a system update.
=== derivative-maker fix, review, docker work ===
Date: 2025-05-30
Found and fixed a build failure in derivative-maker, tested Docker pull request and found some issues that needed resolved.
=== Verified boot discussion, create framework for mocking up user interface ===
Date: 2025-05-30
Reviewed the latest verified boot spec document, pointed out some issues, and submitted a UI mockup + framework for mocking up further parts of the user interface.
== 2025-05-29 ==
=== Mostly finish new version of Xen command line GRUB patch ===
Date: 2025-05-29
Fixed all issues mentioned by Daniel Kiper, then did a thorough re-review of the code and fixed several other issues. Still need to actually submit the patch to the GRUB mailing list.
== 2025-05-28 ==
=== Begin work on fixing Xen command line GRUB patch ===
Date: 2025-05-28
Got an Arch Linux installation with Xen working (which took a significant amount of time). Attempted to build GRUB, but gnu.savannah.org was operating in a degraded state so I wasn't able to finish the job.
=== Review derivative-maker-docker PR from tabletseeker ===
Date: 2025-05-28
Looked through the code, pointed out some issues and made suggestions for improving things. Looks like a very good change in general. Did not scan the patch for malicious Unicode or attempt to run the code yet.
=== Reply to review from Daniel Kiper on GRUB Xen command line parsing patch ===
Date: 2025-05-28
Daniel reviewed my patch submitted to GRUB, pointing out several coding style and readability changes that needed to be made and several areas where I forgot to check for errors after allocating or reallocating memory. Responded to the review, will be fixing the issues he brought up soon. Also clarified the methodology for environment variable exports after another developer expressed a concern about how data was being passed from Xen to grub.cfg.
=== Sovereign Boot discussion on bootloader enumeration ===
Date: 2025-05-28
Talked with Michał from 3mdeb about whether we want to enumerate all bootloaders available to the system, what heuristics we should use for prioritizing them, and what the behavior should be when dealing with large numbers of bootloaders.
== 2025-05-27 ==
=== Review, approve maybebyte's permission-hardener bugfix ===
Date: 2025-05-27
Reviewed the final iteration of maybebyte's bugfix for allowing ssh-agent's permissions to be set properly. Looked correct to me, worked properly in my testing. Approved the PR, Patrick has merged it.
=== Review Kicksecure and Whonix codebase changes over last two weeks, determine systemd repart issue root cause ===
Date: 2025-05-27
Due to a mistake on my part, we ended up with commented-out code in derivative-maker that previously fixed partition type UUIDs for systemd-repart. This resulted in systemd-repart breaking, as one would expect. Suggested that we put the commented-out code back into production to fix this. Also reviewed all changes in the Kicksecure and Whonix main codebases that occurred over the earlier two-week hiatus, pointing out some bugs I noticed in the process.
=== Finish fixing default user code in Qubes OS boot modes ===
Date: 2025-05-27
Marek pointed out another few issues in my default user patch, one that could potentially cause a unit test failure, and some issues with code formatting. Fixed all of them. Also started getting a system prepared that would allow me to run dom0-specific unit tests on Qubes OS.
=== More discussion on Sovereign Boot ===
Date: 2025-05-27
Replied to more comments in the 3mdeb sovereign boot (previously "verified boot") discussion.
== 2025-05-26 ==
=== Review Ben Grande bugfix for closed stdin with stcat and similar tools ===
Date: 2025-05-26
Ben noticed that stcat, stcatn, sttee, and stsponge all misbehaved if they were given a blank, closed stdin (i.e. by running them as stcat <&-). I reviewed the bugfix he submitted for this. Unfortunately it was not sufficient on its own to fix the issue, but it was a good step in the right direction.
=== Review permission-hardener pull requests from maybebyte ===
Date: 2025-05-26
A GitHub user named "maybebyte" submitted a bug fix and a performance improvement to permission-hardener. Reviewed both pull requests and commented on them. The performance improvement looks mergeable and good, the bug fix needs a change to avoid introducing a possible security issue.
=== Ensure /var/cache/tb-binary permissions aren't a problem with user-sysmaint-split ===
Date: 2025-05-26
Marek noticed that /var/cache/tb-binary would end up owned by sysmaint due to user-sysmaint-split on Whonix-Workstation templates. Looked through the code and did testing to ensure this wasn't a problem.
=== Verified boot discussion ===
Date: 2025-05-26
Read through some critical verified boot related chats, replying to them to clear up confusion, point out possible issues, and highlight ideas I thought were good.
=== Add default user customization fixes to boot modes as suggested by Marek ===
Date: 2025-05-26
Marek had some suggestions for how to improve the default user code submitted earlier. Implemented those suggestions, ensured regression tests passed after changes were added.
== 2025-05-12 - 2025-05-25 ==
Scheduled hiatus from Kicksecure and Whonix work to help with an imminent hardware release for Kubuntu Focus. Ad-hoc work done during that time:
=== Add default user customization mechanism to Qubes OS boot modes ===
Date: 2025-05-18
Marek reported an issue where the default user qrexec overrides set by user-sysmaint-split resulted in the software updater breaking. After discussion with Marek and some experimentation, we decided to make it so that boot modes can customize the default user for a VM on the dom0 side. Implemented this and submitted a PR for it.
== 2025-05-11 ==
=== Study Simplex Chat ===
Date: 2025-05-11
Part of chat messenger research. Determined the features and defenses built into Simplex Chat, experimented with actually using it, and documented its features, how to install it, and how to get started using it.
=== Review sysmaint-boot.target wanted units ===
Date: 2025-05-11
Looked at all systemd units depended upon by sysmaint-boot.target. Removed some potentially unnecessary or dangerous units, enabled a unit that looked important and has been previously left as a TODO.
=== Fix broken user login without autologin when using user-sysmaint-split ===
Date: 2025-05-11
Fixed some logic errors that resulted in the sysmaint session being incorrectly selected when attempting to log in manually.
== 2025-05-10 ==
=== Review Whonix wiki chat messenger page ===
Date: 2025-05-10
Reviewed the page, fixed a few things, also added some data about Matrix chat and its shortcomings.
=== Review stecho PR from Ben Grande ===
Date: 2025-05-10
Reviewed an stecho PR from Ben, suggesting some changes and verifying that the code worked as expected.
== 2025-05-09 ==
=== Begin development of Python implementation of livecheck ===
Date: 2025-05-09
Researched what would be needed to reimplement livecheck in Python and began writing it. This will allow live-monitoring of the system's persistence state.
=== Get initial iteration of emergency shutdown feature working ===
Date: 2025-05-09
Got the emergency shutdown C executable and associated tooling working. More testing needed and an additional feature needs implemented before this is ready to deploy.
=== Fix file permission problem with append-shared ===
Date: 2025-05-09
There was a bug in append-shared (part of helper-scripts) that was resulting in files being set to 0600 file permissions. Determined the root cause and wrote a patch to fix the problem.
=== Fix GRUB being improperly configured with installations that use grub-cloud ===
Date: 2025-05-09
Discussed and helped fix a bug that resulted in the grub-cloud-amd64 package being configured with a variable it doesn't actually use.
== 2025-05-08 ==
=== Research, continue to develop emergency shutdown feature ===
Date: 2025-05-08
Discovered the original approach I was taking for the emergency shutdown utility was not suitable for our purposes, as it was crash-prone when the root device vanishes. Planned out and started implementing a new program that should be immune to crashing before shutdown.
=== Fix installation failure with UK English locale ===
Date: 2025-05-08
Discovered a superior way of setting the console keymap based on the X11 keymap, allowing us to avoid problems with mismatched names between X11 and console keymaps. Implemented this new method.
=== Implement systray for sysmaint session ===
Date: 2025-05-08
Used Trayer to provide a systray in sysmaint sessions. Did not yet add trayer to any particular metapackage for Kicksecure, but suggested to Patrick that it might go in non-qubes-enhancements-gui. This allows the user access to things like the sdwdate GUI and network manager applet.
== 2025-05-07 ==
=== Mostly implement emergency shutdown on USB key removal ===
Date: 2025-05-07
Got a proof-of-concept to work for the most part, there's still some bugs in the device detection code and the current implementation of the shutdown routine is unsafe and can't be relied on. The basic concept works though. Will continue to polish.
=== Review, polish browser-choice design changes ===
Date: 2025-05-07
Reviewed Patrick's latest changes to the browser-choice application design, added some extra requested UI elements. Also tried to document better what would happen if someone created an unofficial plugin that allowed installing a closed-source browser.
=== Add network management features to sysmaint-panel ===
Date: 2025-05-07
Added a button for launching nmtui to the panel. Also added a network status indicator.
After discussion with Patrick, we would like to implement some form of systray to avoid duplicating code.
=== Review verified boot spec PR ===
Date: 2025-05-07
Left some notes about the verified boot spec PR, looked mostly good to me.
== 2025-05-06 ==
=== Research, begin prototyping emergency shutdown feature ===
Date: 2025-05-06
Started to work on developing a feature that will allow the user to emergency-shutdown a Kicksecure system (live or otherwise) by abruptly removing the USB drive containing the operating system from the running system. Obviously for systems that have Kicksecure installed on an internal drive this won't be very useful, but anyone that has Kicksecure installed or flashed to an external USB will benefit from this.
=== Further research for grub-live enhancements ===
Date: 2025-05-06
Suggested the creation of a dedicated PyQt5 application to replace the current implementation of livecheck, which would be desktop-environment-independent and use mount event monitoring to trigger updates of the current persistence state (i.e., are all writable mounts on the system "live", are some of them persistent, and if some of them are persistent, are some of those persistent mounts likely to be dangerous).
=== Fix broken mouse integration in sysmaint sessions under KVM ===
Date: 2025-05-06
Discovered that mouse integration required spice-vdagent to be launched as the end user on login for mouse integration to work. Added it to the list of non-root services to run on sysmaint login.
=== Attend Zarhus Developer Meetup 0x1 ===
Date: 2025-05-06
Attended a virtual event hosted by 3mdeb where several projects related to 3mdeb's Zarhus operating system and surrounding technologies were discussed and demonstrated. Patrick also attended this. Research results from ram-wipe testing were shared. Gave some feedback on that and some of the other projects.
== 2025-05-05 ==
=== Fix systemcheck update advice, add log search to sysmaint-panel ===
Date: 2025-05-05
Added a button for searching the system logs in sysmaint-panel. Also made it so that systemcheck offers the right advice about how to update the system regardless of whether the user is booted into a sysmaint session or a user session (or doesn't have user-sysmaint-split installed at all).
=== Discuss proper fix for grub-live semi-persistence bug with Patrick ===
Date: 2025-05-05
Discussed with Patrick how to properly fix this bug. Added some points to research and came up with a preliminary implementation plan for fixing the issue.
=== Fix environment variable handling in grml-debootstrap RPi PR ===
Date: 2025-05-05
Mika pointed out that my PR made it so that the size of the virtual machine to be generated could no longer be passed in through a VMSIZE environment variable. Fixed, tested the fix and it worked.
=== Research, comment on search engine discussion on Kicksecure forums ===
Date: 2025-05-05
Did some research into suggested search engines on Kicksecure's forums, offered suggestions on which ones are likely worth inclusion based on the security and privacy each engine looked like it most likely provided from my perspective.
== 2025-05-04 ==
=== Improve live mode detection ===
Date: 2025-05-04
Switched to using mount point checking rather than kernel command line parsing to detect the live mode the system was booted in. Also made livecheck detect the "semi-persistent mode" bug where the root directory is read-only but /home is writable.
=== Get kloak v2 ready for alpha testing ===
Date: 2025-05-04
Fixed remaining known bugs in kloak v2, implemented command line parsing. There are likely still bugs and memory leaks, but it appears mostly usable at this point.
== 2025-05-03 ==
=== Mostly finish Kloak functionality ===
Date: 2025-05-03
Fixed tap to click and monitor hotplug issues, added input device hotplug support (libinput did most of the heavy lifting there for me), fixed a UI bug resulting in the virtual cursor not being fully drawn, and ''finally'' implemented jitter insertion! At this point the program is mostly done, there's some more bugs to fix and some code quality improvements to make but most of the functionality is now there!
== 2025-05-02 ==
=== More kloak v2 bugfixing, polish build system ===
Date: 2025-05-02
Removed generated code from the codebase and included the Wayland protocol XML files directly. Running make will generate needed additional files from those protocol files. Also fixed some mouse behavior issues, enabled touchpad tap-to-click, improved GUI update performance by doing incremental buffer updates, and removed a spurious warning.
== 2025-05-01 ==
=== Fix mouse and virtual cursor behavior in kloak v2 prototype when using multiple monitors ===
Date: 2025-05-01
Prevented the virtual cursor from going off-screen when using a monitor layout that leaves voids in the compositor-global space. This ended up being shockingly difficult but doable. The current implementation is somewhat rough and probably can be polished further, which is part of what I'll be working on tomorrow.
=== Test more changes to Dracut hostonly fixes ===
Date: 2025-05-01
Was pinged by a Fedora developer to retest a Dracut PR that makes sloppy hostonly initrds significantly more generic than previously. Tested on an encrypted Trixie VM, worked.
=== Make sysmaint-panel background for Whonix VMs distinct ===
Date: 2025-05-01
Previously sysmaint-panel always used a Kicksecure-like desktop background. This was confusing, so now a Kicksecure-like background is used on Kicksecure, a Whonix-Gateway background is used on Whonix-Gateway, a Whonix-Workstation background is used on Whonix-Workstation, and a black background is used on everything else.
=== Fix documentation and networking for RPi grml-debootstrap PR ===
Date: 2025-05-01
Documented the new RPi-related options in grml-debootstrap in the manpage. Also noticed that virtual machine images automatically use --defaultinterfaces, and made it so that Raspberry Pi installations worked the same way in that regard.
=== Further design work on browser-choice ===
Date: 2025-05-01
Reviewed Patrick's changes to the design documentation. Reworked some parts of plugin design, removed the ability to install or remove multiple packages for a single browser at once.
== 2025-04-30 ==
=== Multi-monitor support in kloak v2 prototype ===
Date: 2025-04-30
Got multi-monitor support and monitor hotplug ''mostly'' working. Some things aren't quite correct still, but the bulk of the work needed for this to be functional is now done. Still need to write code to keep the mouse from going beyond the boundaries of the screens, and there's some glitchiness that needs worked out.
=== curl-prgrs security review and polish ===
Date: 2025-04-30
Read through the source code of curl-prgrs (from helper-scripts), noticed some things that could use fixing and fixed them. Didn't find anything particularly worrying from a security standpoint.
=== Discuss, design browser choice application with Patrick ===
Date: 2025-04-30
Discussed the need for a browser choice application, internal and UI design elements, created mockups and tried to flesh out a rough idea of how it would be implemented under the hood.
== 2025-04-29 ==
=== Fix keyboard handling in kloak v2 prototype ===
Date: 2025-04-29
Got modifier keys to work. At this point multiple monitor and monitor hotplug support are our main remaining hurdles, once that's done we should be able to simply add the anonymizing code and this should be ready for testing.
=== Fix ISO boot menu consistency ===
Date: 2025-04-29
Figured out how to get the boot menu entries for the ISO's boot menu to be similar to those used on installed systems. Committed changes to three repos to make this work right.
== 2025-04-28 ==
=== Submit grml-debootstrap PR for following the Discoverable Partition Specification ===
Date: 2025-04-28
Got the DPS compliance code working, submitted it upstream for review. Only works on host operating systems that have a parted that supports the type command (for Debian that means Trixie and newer).
=== Document Wayland security shortcomings for labwc and other wlroots-based compositors ===
Date: 2025-04-28
Keylogging is still a possible concern on many Wayland compositors, including labwc. Documented why and gave links to info about the issues resulting in this problem.
=== Fix sysmaint-boot-cleanup error message during ISO shutdown ===
Date: 2025-04-28
This was only occurring if the ISO was booted in unrestricted admin mode, and was simply due to the fact that the unit was missing after uninstalling user-sysmaint-split (which is done automatically when booting in unrestricted admin mode). Changed user-sysmaint-split's prerm script to disable the systemd units shipped in user-sysmaint-split during uninstallation.
=== Fix inconsistencies in boot menu handling on installed systems ===
Date: 2025-04-28
Made it so that similar terminology was used whether user-sysmaint-split is installed or not, fixed font size for "Choose boot mode" text. Applied changes to both Kicksecure and Whonix.
== 2025-04-27 ==
=== More work on emulated input in kloak v2 ===
Date: 2025-04-27
Emulated input is now mostly working, the mouse works well on a single-screen system. Keyboard is still a bit of a mess since modifier keys aren't working, that will have to be sorted out later.
=== Add unrestricted admin boot mode for Kicksecure on Qubes ===
Date: 2025-04-27
This boot mode removes the user-sysmaint-split package during system boot to allow access to sudo. When used in AppVMs, this removal is only temporary due to the ephemeral nature of most of an AppVM's root filesystem.
=== Add CI to RPi grml-debootstrap PR ===
Date: 2025-04-27
Developed working GitHub Actions CI tests for the Raspberry Pi images. Added to the existing pull request.
== 2025-04-26 ==
=== Bugfixes and more features for Kloak v2 ===
Date: 2025-04-26
Fixed a few bugs in the kloak v2 implementation. Added relative pointer movement support, implemented mouse grabbing and some emulated input stuff. Next steps are to intercept keyboard events, then support for display and input hotplug, then the actual anonymization features can be implemented.
=== Review first-time source code contributor policy ===
Date: 2025-04-26
Read through the policy. Made a suggestion for how to clarify it, which Patrick approved of and implemented.
== 2025-04-25 ==
=== Work on grml-debootstrap CI for Raspberry Pi ===
Date: 2025-04-25
Played with QEMU on arm64 some, discovered limitations in ARM virtualization and asked upstream grml-debootstrap what approach I should take for further development.
=== Overhaul GRUB theme to avoid hardcoding ===
Date: 2025-04-25
Removed all hardcoded text from the GRUB theme images, replacing them with text labels. Also changed wording in order to work with Patrick's new boot menu design.
== 2025-04-24 ==
=== Fix spurious systemd-growfs errors on boot ===
Date: 2025-04-24
Patrick discovered that newly built VMs were showing systemd-growfs errors for no apparent reason. This was the result of an fstab file being erroneously included in the initramfs. Fixed this issue. Also reviewed a lot of previous changes to derivative-maker and fixed some bugs.
=== Add repository-dist-wizard button to sysmaint-panel ===
Date: 2025-04-24
Added a launcher button for repository-dist-wizard. Also discovered that pkexec was launching processes with the wrong umask value, asked for some help resolving this in #debian on OFTC and was able to fix the issue with their help. Pushed changes to both sysmaint-panel and security-misc.
=== Review and test further dracut PRs ===
Date: 2025-04-24
Work is underway upstream to make hostonly sloppy mode much more generic than previously. Tested some more code to help with this effort.
== 2025-04-23 ==
=== Harden tor-ctrl a bit more ===
Date: 2025-04-23
Add some extra code to tor-ctrl to make it more robust.
=== Finish preparing pvgrub2 patch, test on Arch Linux and submit to FSF ===
Date: 2025-04-23
Got the patch working on upstream GRUB, tested it thoroughly using both upstream GRUB and upstream Xen on Arch Linux. Submitted the patch to the FSF and informed ITL of the new submission attempt.
== 2025-04-22 ==
=== Make pvgrub2 patch more robust in preparation for resubmission to FSF ===
Date: 2025-04-22
Made the validation code stricter, also made it so that parameters from Xen will only be turned into GRUB environment variables if they start with xen_grub_env_. Still need to test this in a vanilla setting before this is ready to send to the FSF a second time.
=== Test Dracut hostonly-related PRs ===
Date: 2025-04-22
Tested a couple of PRs from jozzsi and reported back the results. Looks like we likely have a good path forward for getting hostonly mode to work as needed and avoid problems with encrypted systems.
=== Discuss movement of kloak project maintenance to Whonix ===
Date: 2025-04-22
Wrote a comment to vmonaco indicating that Whonix would be fine with being the official kloak upstream, and also mentioning our current plans for rewriting kloak. vmonaco intends to comment on our current implementation plans on the Whonix forums.
=== Research P argument to slub_debug ===
Date: 2025-04-22
Researched what the P argument (poisoning) to slub_debug would do and whether it would be useful for us to improve security. Discovered that it will actually reduce security, and advised against setting it.
== 2025-04-21 ==
=== More kloak v2 development, publish current prototype state on GitHub ===
Date: 2025-04-21
Got a layer-shell surface with a transparent overlay displaying a sort of virtual cursor to work. Hardware support is still very limited and functionality is sorely lacking (there aren't actually any anonymization features yet), but most of the proof-of-concept work is done at this point and further development should hopefully be substantially easier and quicker.
=== Further discussion on Dracut hostonly configuration ===
Date: 2025-04-21
Continued to discuss problems with the current state of Dracut's hostonly options with the maintainers and other distro developers. Probably will be testing PRs tomorrow.
== 2025-04-20 ==
=== Continue to work on kloak v2 prototype ===
Date: 2025-04-20
So far I have managed to create a drawable surface under Wayland, which will be important to the virtual cursor feature intended for kloak v2. Working on wiring in libinput.
=== Security audit tor-ctrl source code ===
Date: 2025-04-20
Read through the entire source code of tor-ctrl, looking for potential security issues. Reported results to Patrick in chat.
== 2025-04-18 ==
=== Investigate issues caused by invalid symlinks in Git repositories and other contexts ===
Date: 2025-04-18
After we had a symlink in helper-scripts whose target filename was actually the file contents of a script, Patrick asked me to research the security impact of weird symlinks like this. In my testing, the only real problem I could cause with weird symlinks is making a Git repo unable to be cloned until symlinks were disabled, by committing and pushing a symlink with an overly long name to the repository. This is not a severe issue and is not considered a security problem by Git upstream. I also observed that symlinks could be used as a form of data storage, but this in and of itself isn't a security hazard.
=== Attempt to reproduce /tmp/user/1000 root ownership issue under Qubes ===
Date: 2025-04-18
Marek reported that a Whonix-Gateway template was encountering issues with /tmp/user/1000 being owned by the root user during a test. I attempted to reproduce this on Qubes R4.3, but was unable to do so and could not find a likely culprit for the issue.
=== Switch derivative-maker and live-build to using new Dracut autobuild prevention mechanism ===
Date: 2025-04-18
For the sake of build speed, we wanted to stop building and rebuilding the initramfs multiple times during the image build procedures for Kicksecure and Whonix. Patrick implemented a very good solution for this for VMs, I ported that solution to work for ISO builds as well.
=== Verify ram-wipe on Trixie works without LUKS ===
Date: 2025-04-18
Successfully got ram-wipe working on a Debian Trixie VM without LUKS disk encryption. Reported steps for build and installation to 3mdeb.
== 2025-04-17 ==
=== Fix privleapd stdout streaming and sdwdate-log-viewer ===
Date: 2025-04-17
Discovered why privleapd's stdout streaming wasn't working properly (using blocking I/O when non-blocking was needed), and fixed it. Also resolved some buffering issues and added the ability for leaprun to tell privleapd to prematurely terminate an action it requested. Finally, made sdwdate-log-viewer stream log output rather than only sending info once.
=== Review systemd-repart changes by Patrick ===
Date: 2025-04-17
Reviewed, looks good to me, should keep systemd-repart from being used on anything except newly built VMs.
=== Debug dracut+LUKS failure on Trixie, help fix ram-wipe issues on LUKS systems ===
Date: 2025-04-17
Discovered that dracut was failing to install the crypttab file into the initramfs during initramfs generation. Filed a Debian bug for fixing this and shared a workaround with 3mdeb. Also found and helped fix some ram-wipe problems. Reportedly ram-wipe is still not working on non-LUKS systems for some reason though, going to continue debugging that tomorrow.
== 2025-04-15 ==
=== Fix sysmaint-boot failure on first sysmaint login ===
Date: 2025-04-15
Discovered that user-sysmaint-split's sysmaint-boot script was failing on the first sysmaint login, due to an issue with the home directory for the sysmaint account not yet existing. Resolved this by moving some configuration writing code to sysmaint-session and sysmaint-session-wayland. Also did some refactoring to reduce code duplication between the two session scripts.
=== Fix weird symlinks in helper-scripts ===
Date: 2025-04-15
Patrick had symlinks turned off in Git, and so the symlinks for append-once and overwrite were appearing as plaintext files for him. He then attempted to replace the symlinks with scripts, but Git converted the scripts back into symlinks in a very weird way. Fixed this, replacing the broken symlinks with real script files.
=== Rework systemd-repart code ===
Date: 2025-04-15
My initial systemd-repart root resizing implementation was wrong, because it enabled systemd-repart for all systems, including existing systems. We only want it enabled on newly built VMs. Reworked systemd-repart support to do this (though Patrick has pointed out since then that it will still be enabled on distribution morphed systems, so this wound up being incomplete).
=== Further research for kloak version 2, start writing boilerplate code ===
Date: 2025-04-15
Did a lot of research for figuring out how to create a Wayland client that will allow drawing the virtual cursor planned for this. Also wrote a high-level overview of how the updated kloak code will work internally to use as a roadmap. Still mostly in the research stage at this point.
== 2025-04-14 ==
=== Research libei, layer-shell, xtest implementation details for kloak mouse fingerprinting prevention ===
Date: 2025-04-14
Did a lot of research into different components that could be used in implementing mouse fingerprinting prevention, on both X11 and Wayland. An implementation that works on both platforms may be difficult, but Patrick has indicated he'd be happy with a Wayland-only solution. Unless an X11-capable implementation turns out to be relatively easy to implement, Wayland will be the target for the new features of kloak.
=== Find "fix" for RPi4 USB boot, publish abridged instructions on RPi Debian bug tracker ===
Date: 2025-04-14
Discovered that the issue with RPi4 USB boot not working with U-Boot was a consequence of the version of U-Boot in Bookworm, and isn't a problem in Trixie. Also found a likely reason for why things were broken, which I documented. Posted instructions on converting a Debian RPi installation to using U-Boot + GRUB on the Debian RPi bug tracker.
=== Review, discuss RAM dump utility from 3mdeb ===
Date: 2025-04-14
Looked over the UEFI application code for dumping RAM created by 3mdeb. Suggested some efficiency improvements.
== 2025-04-13 ==
=== Continue verified boot firmware discussion ===
Date: 2025-04-13
Reviewed a video shared by 3mdeb on implementing the measured boot and firmware authentication features currently in Heads, in UEFI. Left some feedback.
=== Review, correct some information on Raspberry Pi 4 boot ===
Date: 2025-04-13
Looked at Patrick's reformatting of the RPi 4 boot documentation, noticed some inaccuracies in the data I had previously written and some issues and fixed them.
== 2025-04-11 ==
=== Review stcatv from Ben Grande ===
Date: 2025-04-11
Code looked good to me and worked in testing. Asked for a change to be made, otherwise approved of the new utility.
=== Re-review and test pstore crash log disabling PR ===
Date: 2025-04-11
Reviewed latest changes, tested and verified they work. Approved and handed off to Patrick.
=== Further debugging and research on mouse fingerprinting ===
Date: 2025-04-11
Managed to get touchpad fingerprinting resistance working to some degree. The current implementation of mouse fingerprinting resistance causes significant lag and choppiness in mouse movement, Patrick and I discussed some ideas for how we could avoid that in the final version of the code.
=== File feature request for Debian-signed shim binaries ===
Date: 2025-04-11
Filed a wishlist bug upstream asking for Debian-signed shim binaries to be made available. This should eventually help Debian be better-supported by the verified boot firmware that we're currently designing.
=== Implement FDE passphrase changing in helper-scripts and sysmaint-panel, firmware discussion ===
Date: 2025-04-11
Created the crypt-pwchange script in helper-scripts and integrated it into sysmaint-panel. Tested, works well. Also discussed firmware and verified boot some more with Patrick and 3mdeb.
== 2025-04-10 ==
=== Polish, publish enhanced mouse fingerprinting prevention for kloak ===
Date: 2025-04-10
Found and resolved a bug that was causing horizontal motion to be strangely restricted when kloak was enabled. Also fixed an undesirable behavior leading to the mouse pointer jumping in straight horizontal and vertical lines. Pushed changes to Git, and left notes on the forums. Touchpad events still need to be anonymized better.
=== Add button for changing the GRUB password to sysmaint-panel ===
Date: 2025-04-10
Patrick wrote a GRUB password changer utility, this utility is now exposed in the sysmaint-panel user interface for easy access.
=== Research, implement systemd-repart automatic resizing ===
Date: 2025-04-10
Learned how to use systemd-repart and systemd-growfs to automatically take advantage of all space in a grown disk image. Once the research was done, it turned out to be relatively easy to implement for real, so I did so.
=== File upstream feature requests to Debian for U-Boot + GRUB RPi support ===
Date: 2025-04-10
Also asked the grml-debootstrap people if they'd be happy with implementing such support when and if it is present upstream.
=== Finish writing append, append-once, overwrite utilities ===
Date: 2025-04-10
Wrote all three utilities into one file as a multicall executable with symlinks for accessing the other modes.
== 2025-04-09 ==
=== Rewrite append-once ===
Date: 2025-04-09
The bash version of append-once had some shortcomings both functionally and code-related. Rewrote it in Python to provide better error handling, performance, and edge case handling. Still need to implement a couple of other tools (namely append and overwrite).
=== Run updatecheck in sysmaint sessions ===
Date: 2025-04-09
updatecheck is now usable and useful in a sysmaint session after Patrick's extensive enhancements, so it is now enabled in sysmaint sessions.
=== Fix possible lockout scenario with a normal user account automatically logging into a sysmaint session ===
Date: 2025-04-09
Due to changes that had been made to the sysmaint session script, it was no longer terminating when the sysmaint-panel application terminated. This meant if you attempted to log into a sysmaint session using a normal user account, you would be given a failure message and then left on a black screen. If this happened automatically due to corrupted autologin state, this would essentially lock the user out of the system until they disabled autologin in sysmaint mode. Resolved this by making the entire sysmaint session terminate once sysmaint-panel terminates.
=== Discuss verified boot and firmware with 3mdeb ===
Date: 2025-04-09
Discussion ongoing, initial chat was relatively brief but a ''lot'' of good info was shared by both sides.
=== Test and polish RPi grml-debootstrap pull request, mark as ready for review ===
Date: 2025-04-09
Ran thorough tests for both native and cross builds on the RPi image support PR. Found and fixed a couple of issues in the process. The PR is now marked ready for review, and can hopefully be merged soon.
== 2025-04-08 ==
=== Prototype enhanced mouse fingerprinting protection ===
Date: 2025-04-08
Implemented the mouse fingerprinting protection algorithm I described earlier on the Whonix forums. This ended up running into a substantial hurdle, which I mentioned on the forums. The general idea appears sound, but some additional effort will be required to make it actually work correctly. See https://forums.whonix.org/t/better-mouse-obfuscation/21445/3
=== Ensure update-grub is called when switching initramfs generators ===
Date: 2025-04-08
While researching live mode detection, I found out that the GRUB configuration wasn't being regenerated when switching from dracut to initramfs-tools or vice versa. Determined why and pushed a fix in grub-live.
=== Research more robust live mode detection ===
Date: 2025-04-08
Looked at the mount info for the root directory in various different boot modes (persistent, live dracut, live initramfs-tools, iso live). The returned info is different for the modes that need to be differentiated, and can potentially be used rather than kernel parameters. Also looked at the source code of live-boot and dracut to see how reliable the mount info was.
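The mount-info approach described in this entry and in the 2025-05-04 "Improve live mode detection" entry can be sketched as follows. This is an added example, not livecheck's own code; the sample mount tables are constructed, and the rule that a writable mount is persistent when its source is a /dev/ block device node is an assumption of the sketch.

```python
import re

# Constructed samples in /proc/self/mountinfo format (not captured from a real system).
PERSISTENT_SAMPLE = r"""
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec - proc proc rw
"""
LIVE_SAMPLE = r"""
22 1 0:30 / / rw,relatime - overlay overlay rw,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work
24 22 0:25 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
25 22 8:1 / /live/image ro,relatime - ext4 /dev/sda1 ro
"""
SEMI_PERSISTENT_SAMPLE = r"""
22 1 8:1 / / ro,relatime - ext4 /dev/sda1 ro
24 22 0:25 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
26 22 8:2 / /home rw,relatime - ext4 /dev/sda2 rw
30 22 8:17 / /media/usb\040stick ro,nosuid - vfat /dev/sdb1 ro
"""


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount: mount_point, fstype, source, writable."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        try:
            # Fields 0-5 are fixed; optional fields follow until a lone "-".
            sep = fields.index("-", 6)
        except ValueError:
            continue  # blank or malformed line
        if len(fields) < sep + 4:
            continue
        mount_opts = fields[5].split(",")
        super_opts = fields[sep + 3].split(",")
        mounts.append({
            "mount_point": _unescape(fields[4]),
            "fstype": fields[sep + 1],
            "source": _unescape(fields[sep + 2]),
            # Writable only if neither the mount nor the superblock is read-only.
            "writable": "rw" in mount_opts and "rw" in super_opts,
        })
    return mounts


def persistence_state(text):
    """Classify a mount table as 'persistent', 'semi-persistent' or 'live'.

    Assumption of this sketch: a writable mount whose source is a /dev/ node
    is persistent; overlay, tmpfs and pseudo filesystems are not.
    """
    # A later entry at the same mount point shadows the earlier one.
    visible = {m["mount_point"]: m for m in parse_mountinfo(text)}
    if "/" not in visible:
        raise ValueError("no root mount found")
    persistent = sorted(
        point for point, m in visible.items()
        if m["writable"] and m["source"].startswith("/dev/")
    )
    if "/" in persistent:
        return "persistent", persistent
    if persistent:
        # Root is not persistently writable, but something else is:
        # the case the entries above call "semi-persistent".
        return "semi-persistent", persistent
    return "live", []


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as handle:
        print(persistence_state(handle.read()))
```

Unlike a kernel command line check, this reports what is actually mounted, so a read-only root combined with a writable /home on disk is reported as semi-persistent rather than live.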
=== Review updatecheck in detail ===
Date: 2025-04-08
Read through all of the goals Patrick wrote down for updatecheck and reviewed the code to see if they were implemented as intended. Found and fixed a minor bug and polished the documentation a bit in the process.
=== Fix assumption that user-sysmaint-split is installed in setup-wizard-dist ===
Date: 2025-04-08
Fixed setup-wizard-dist so that it can detect whether user-sysmaint-split is installed or not and adjust the documentation it shows accordingly.
=== Polish and add Qubes information to user-sysmaint-split documentation ===
Date: 2025-04-08
Read through the entire user-sysmaint-split Wiki page, corrected some issues and added missing data, and added documentation related to Qubes OS.
=== Review, suggest ways of improving append-once ===
Date: 2025-04-08
Read through append-once, wrote down some possible shortcomings and how they could be resolved. I'm wanting to port this to Python, so I didn't actually do the work yet, since I don't want to do this and then find out that was the wrong thing to do.
=== Start discussion about RPi GRUB + U-Boot support upstream ===
Date: 2025-04-08
Sent an email to the Debian RPi image maintainer and the debian-arm mailing list regarding our work on GRUB + U-Boot support on the Raspberry Pi. Gave links to the currently ongoing work and guides and offered to help with upstreaming it.
=== Research, comment on trailing whitespace dangers ===
Date: 2025-04-08
Wrote a comment about trailing whitespace and its potential dangers on the Whonix forums, after researching ways it could be used maliciously and creating examples.
== 2025-04-07 ==
=== Enhance software management in sysmaint-panel ===
Date: 2025-04-07
Added package reinstall, remove, purge, and override actions to the software management window in sysmaint-panel. Also added some built-in documentation.
=== Work out rough edges in Raspberry Pi bootloader documentation ===
Date: 2025-04-07
Figured out how to get u-boot to boot the Pi automatically and documented how. Also fixed a few more issues, added detailed documentation on the configuration placed in config.txt, and added ideas for working around a problematic postinst script in raspi-firmware.
=== Review minimal firmware + advanced bootloader wiki draft ===
Date: 2025-04-07
Reviewed Patrick's writeup on a firmware and bootloader combination that might make Verified Boot simpler and more secure. Added some fixes and enhancements, including a more in-depth boot flow concept.
== 2025-04-06 ==
=== Tint terminal red in sysmaint mode ===
Date: 2025-04-06
Added some framework to sysmaint-boot for doing one-time sysmaint user configuration modifications. Used that new framework to set the sysmaint user's terminal color to a shade of dark-ish red to warn about admin access and remind the user what mode they're in.
=== Research depthcharge firmware ===
Date: 2025-04-06
Looked into what depthcharge was, how the boot process works with it, and what features it offers. Does not appear to be directly usable for our use case. Documented what features it offers and why it is likely non-ideal.
=== Fix updatecheck UI, add Internet connection checking ===
Date: 2025-04-06
Added a test to updatecheck to see if a non-loopback IP was available (indicating possible Internet access), this way updatecheck can stay quiet if it is being used on a fully airgapped system. (This can be fooled if the system is connected to a network without Internet access, however we don't want to ping an external IP for privacy reasons.) Also fixed a user interface issue so that notifications look and work better.
=== Polish Unicode scanning utility ===
Date: 2025-04-06
Looked at Patrick's unicode-show script, made it more efficient and made it show trailing whitespace as potentially dangerous.
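A scanner of the kind this entry describes, flagging both unexpected Unicode and trailing whitespace, might look like the following. This is an added example and not the unicode-show script; the finding categories and the sample text are constructed for illustration.

```python
import unicodedata

# Constructed sample: line 2 ends in a space, line 3 hides bidi format characters.
SAMPLE = 'user = "admin"\nrole = "guest" \naccess = "\u202euser\u202c"\n'


def _label(ch):
    # Control characters have no Unicode name, hence the fallback.
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>"))


def scan_text(text):
    """Return (line, column, reason, character) tuples for suspicious content.

    Printable ASCII and tab are accepted. Everything else is reported as
    'format' (category Cf, which includes bidi overrides), 'control'
    (category Cc) or 'non-ascii'. Whitespace at the end of a line is
    reported separately as 'trailing-whitespace'.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            category = unicodedata.category(ch)
            if category == "Cf":
                reason = "format"
            elif category == "Cc":
                reason = "control"
            else:
                reason = "non-ascii"
            findings.append((lineno, col, reason, _label(ch)))
        body = line.rstrip()  # also strips Unicode whitespace such as U+00A0
        if body != line:
            first_trailing = line[len(body)]
            findings.append(
                (lineno, len(body) + 1, "trailing-whitespace", _label(first_trailing))
            )
    return findings


if __name__ == "__main__":
    for lineno, col, reason, char in scan_text(SAMPLE):
        print("line %d, column %d: %s (%s)" % (lineno, col, reason, char))
```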
=== Research, document booting Debian on the RPi 4 with U-Boot and GRUB ===
Date: 2025-04-06
Successfully got Debian 13 to boot on a Raspberry Pi 4B with 8 GB RAM, using U-Boot and GRUB rather than using direct kernel boot. Documented the full process on the boot development wiki page.
== 2025-04-05 ==
=== Review bad Unicode detection tooling, discuss firmware ===
Date: 2025-04-05
Reviewed all of the new tooling Patrick wrote for bad Unicode detection. Identified some potential issues and filed followup tickets. Also discussed RPi and firmware development with Patrick.
=== Review latest safe-print changes, fix minor issues and file followup ticket ===
Date: 2025-04-05
Fixed a couple manpage issues, an unneeded dependency in debian/control, and filed a ticket for improving the efficiency of sttee.
=== Fix bug preventing grml-debootstrap OS installation on some physical devices ===
Date: 2025-04-05
Discovered that it was impossible to use grml-debootstrap to install to a device named /dev/sda, due to how device names were being handled. Created a bugfix and appended it to my RPi support PR.
== 2025-04-04 ==
=== Develop preliminary Raspberry Pi support in grml-debootstrap ===
Date: 2025-04-04
Added the ability to generate Raspberry Pi images to grml-debootstrap. So far seems to work fairly well, I was able to create a bootable image that I could flash to an SD card and boot up on the Pi. Still needs thoroughly tested.
=== Submit GRUB boot mode patch on grub-devel mailing list ===
Date: 2025-04-04
Finished preparing the patch and sent it upstream as a draft, requesting feedback and noting some potential issues.
== 2025-04-03 ==
=== Attempt to test GRUB boot mode patch on Fedora, prep to send upstream ===
Date: 2025-04-03
Attempted to build vanilla Xen and GRUB from source, so I could test my patch in an otherwise unmodified environment. Used Fedora 41 as the host OS. Unfortunately, due to seemingly pervasive linker bugs, I was unable to actually test in this environment. Did most of the prep work for sending the patch upstream to the FSF.
== 2025-04-02 ==
=== Test PV mode for pvgrub PR for boot modes ===
Date: 2025-04-02
Figured out why PV mode wasn't working for me (it was most likely an issue with the VM itself), and managed to test PV mode pretty thoroughly. Posted test results on the GitHub draft PR.
=== Improve privleap messaging when trying to create a comm socket for an expected disallowed user ===
Date: 2025-04-02
There are some users on a Kicksecure or Whonix system that can be expected to try to create a comm socket, but that shouldn't actually be allowed to have one. (The lightdm and sddm users are good examples - these users are fully logged into when the greeter screen is displayed, but they shouldn't be allowed to run leaprun actions.) Added the needed bits to privleap so that expected disallowed users can be configured and the error messages surrounding them can be handled properly.
=== Fix Whonix X event buffering PR ===
Date: 2025-04-02
Marek pointed out that newly created Whonix VMs wouldn't end up with event buffering enabled until a qubesd restart with the current PR. Fixed this.
=== Prevent custom autologin configuration from breaking sysmaint boot ===
Date: 2025-04-02
Made the configuration files that trigger graphical sysmaint autologin much higher in priority than they were previously, to keep user configuration from overriding them. If a user overrides them anyway, they will almost certainly have done so intentionally.
=== Get sysmaint live mode working ===
Date: 2025-04-02
Some of our bootloader config generator scripts had a bug that was resulting in the root disk not being mounted in sysmaint live mode. This has now been corrected.
== 2025-04-01 ==
=== Polish pvgrub Xen cmdline support, begin thorough testing ===
Date: 2025-04-01
Fixed several issues with the Xen command line parsing in pvgrub, including adding string sanitization and working overflow checking. PVH mode seems to be working very well, however PV mode is broken for unknown reasons (the command line isn't being seen at all).
== 2025-03-31 ==
=== Create prototype PR with pvgrub Xen cmdline support ===
Date: 2025-03-31
Got Xen command line parsing to work reasonably well in pvgrub. Published a draft PR with the patch. It's not perfect yet, but the concept is working well and points to work on are identified.
== 2025-03-30 ==
=== Further work on pvgrub and boot modes ===
Date: 2025-03-30
Got the prototype code to work entirely. Now working on writing an actual parser for the Xen command line passed to pvgrub, making it export secondary kernel parameters as an environment variable that can be used within grub.cfg (as per Marek's request in the Qubes Matrix room).
=== Implement --check option in leaprun ===
Date: 2025-03-30
Added a --check option to leaprun (and support for it in privleapd) for checking if a user is authorized to run a particular action. Also wrote regression tests for it.
== 2025-03-29 ==
=== More pvgrub experimentation ===
Date: 2025-03-28
Got basic kernel parameter passing to work with PV virtualization, still working on getting PVH to work. (Fighting with symbol definitions there, I can't quite get the Linux kernel loader code to access a pvh start info structure from Xen. Probably just a linker issue.) Also discussed the eventual implementation end goal with Marek.
== 2025-03-28 ==
=== Investigate pvgrub modifications for enabling boot modes with in-vm kernels on Qubes ===
Date: 2025-03-28
Looked into what pvgrub was, how it worked, what features it offered at the moment, and what could be done to extend it to allow getting kernel parameters from dom0 into a VM using an in-vm kernel. Created a prototype patch that takes the Xen-provided command line to GRUB, and appends it to the Linux kernel command line. It doesn't build properly yet, and this implementation won't be usable in the long run, but once the basic idea works, it can be fleshed out into something better.
=== Test and debug IPv6 PRs ===
Date: 2025-03-28
Did a significant amount of testing on Daniel's IPv6 PRs. Found and reported some bugs, overall looks very promising, just has some rough edges to smooth out.
== 2025-03-27 ==
=== Re-review DanWin's IPv6 PRs ===
Date: 2025-03-27
Did a full review of DanWin's IPv6 pull requests, finding a few points of concern and pointing them out. Also prepared to test the PRs, I intend on doing the testing tomorrow.
=== Lots of bug discovery and fixing ===
Date: 2025-03-27
While trying to get the screen lock button working in sysmaint-panel, I uncovered quite a few bugs in the Kicksecure stack (autologinchange warning about missing passwords at the wrong times, updatecheck's systemd unit starting improperly in sysmaint sessions, and repository-dist not making a derivative.list file on first boot if first boot is into a sysmaint session). Got the screen lock button fixed, and also fixed the other discovered bugs.
== 2025-03-26 ==
=== Add screen lock button to sysmaint-panel (mostly working) ===
Date: 2025-03-26
Added a button to sysmaint-panel for immediately locking the screen. Doesn't entirely work yet as the xscreensaver daemon isn't being started, and my initial attempts at getting it to start properly are not working.
=== Implement lightweight update notifier ===
Date: 2025-03-26
Added a lightweight notification system to systemcheck for informing the user when system updates are available. This does NOT offer to install the updates for the user, but does direct them to use the system maintenance panel for installing updates. It might be useful in the future to remove the redirect to sysmaint-panel if sysmaint-panel isn't actually installed.
=== Added autologin and password warnings to pwchange and autologinchange respectively ===
Date: 2025-03-26
Changed pwchange to warn when setting a password for a user if autologin is enabled for that user. Also changed autologinchange to warn if no password is set for a user when disabling autologin for that user.
=== Improve documentation for user-sysmaint-split ===
Date: 2025-03-26
Added more detailed Qubes OS documentation for user-sysmaint-split. Also documented how to use the user-sysmaint-split uninstallation boot option.
=== Fix error message when launching sysmaint-panel from account 'user' in sysmaint mode ===
Date: 2025-03-26
Added a new dialog to sysmaint-panel for dealing with this particular error edge case, directing the user to sign in with account sysmaint.
=== Add timeout locking for sysmaint-panel buttons ===
Date: 2025-03-26
Added code to sysmaint-panel to make it so most buttons in the panel lock into disabled mode after being clicked and take five seconds to unlock, thus reducing the likelihood of accidental double-clicks.
=== Remedy confusion with updates installation button in sysmaint-panel ===
Date: 2025-03-26
Made it so that both the "Check for Updates" and "Install Updates" buttons work without password authentication even if a password is set on the sysmaint account. Also made the "Install Updates" button check for updates first.
=== Fix output formatting issue with sysmaint-panel launched commands ===
Date: 2025-03-26
Fixed the output format so that commands run with terminal-wrapper show with all arguments on one line rather than one argument per line.
== 2025-03-25 ==
=== Polish login security documentation ===
Date: 2025-03-25
Moved around and polished the documentation for password and autologin configuration. Also wrote documentation for the System Maintenance Panel, and added some info about login security and when it matters to the Login wiki page. Adjusted systemcheck to point to the Login wiki page for documentation on login security, and also made sysmaint-panel be installed by default on Kicksecure.
=== Fix autologinchange output ===
Date: 2025-03-25
autologinchange was outputting information to both stdout and stderr without any clear reason for why each stream was chosen. Corrected this. Also prevented notifications about GUI autologin not being configurable under Qubes OS from showing up during upgrades, and added an "INFO:" prefix to that same notification.
=== Refactor qrexec overrides in user-sysmaint-split ===
Date: 2025-03-25
Discussed downsides of the qrexec override mechanism in user-sysmaint-split, and ways to improve it. Came up with a better method to use here and implemented it.
=== Document purposes of GRUB configuration files on the Kicksecure ISO ===
Date: 2025-03-25
Documented each file in the Kicksecure ISO's GRUB configuration, along with what purpose it serves. Documentation is in a similar style to the previously written documentation about how Kicksecure and Whonix packages affect GRUB configuration.
=== Discuss and fix grub-cloud handling ===
Date: 2025-03-25
Discussed whether or not to nullify the GRUB_TERMINAL and GRUB_TERMINAL_OUTPUT variables in VM images with Patrick. Ultimately we decided to nullify both variables.
== 2025-03-24 ==
=== Research mouse fingerprinting prevention techniques ===
Date: 2025-03-24
Looked into how to better frustrate mouse fingerprinting with kloak. Wrote down an implementation plan and rationale on the Whonix forums and also asked Qubes OS developers for input in the Qubes OS Matrix room.
=== Briefly research how to implement software update notifications ===
Date: 2025-03-24
Looked at systemcheckdaemon, which later became canary-daemon. Discussed how to implement software update notifications with Patrick.
=== Adjust X event buffering enablement PR for Qubes ===
Date: 2025-03-24
Adjusted my PR to qubes-core-admin-addon-whonix so that existing Whonix VMs also had X event buffering enabled. Tested, works.
=== Review grml-debootstrap sw-raid simplification PR ===
Date: 2025-03-24
Reviewed a PR from zeha on grml-debootstrap that merged non-sw-raid and sw-raid code paths for GRUB installation. Looked good, worked well for Kicksecure.
== 2025-03-23 ==
=== Reduce derivative-maker ISO build times by avoiding some needless initramfs updates ===
Date: 2025-03-23
Got dracut to be installed earlier in the build process when making a Kicksecure ISO, and modified live-build so that it skips some unnecessary initramfs regenerations. This patch isn't perfect, but it took the number of initramfs updates from nine down to five, a 50% reduction in unnecessary builds. This made amd64 builds about two and a half minutes faster.
=== Documented Kicksecure and Whonix packages that affect GRUB ===
Date: 2025-03-23
Added documentation to the GRUB development page about what packages in Kicksecure and Whonix affect GRUB, and how. Also reorganized some of the existing documentation about upstream bootloader packages.
=== Fix fallback bootloader installation in upstream Calamares ===
Date: 2025-03-23
Made a PR in Calamares for fixing fallback bootloader installation for Debian, by adding distro-specific code. This PR might not end up being merged however, as dalto8 does not like the idea of adding distro-specific code like this to Calamares. Discussed briefly on GitHub.
=== Adjust Calamares configuration to write to /etc/default/grub.d rather than /etc/default/grub ===
Date: 2025-03-23
Calamares provides a prefer_grub_d option in its grubcfg module, so I enabled that. Unfortunately, the feature was broken for Debian (it didn't add a .cfg filename extension at the end of the configuration file it generates), so this wasn't enough on its own. Added some workaround configuration and made a (now merged) PR fixing the feature upstream.
=== Create PR for enabling X event buffering on new Whonix VMs ===
Date: 2025-03-23
Created a PR for qubes-core-admin-addon-whonix that enables event buffering on new VMs. This isn't complete though, Patrick would prefer if it was effective for existing VMs as well.
=== Thoroughly review stprint, specifically utility emulation ===
Date: 2025-03-23
Re-reviewed the entirety of stprint, focusing particularly on the utility emulation features. Left change requests.
== 2025-03-22 ==
=== Fix fallback bootloader installation with GRUB code improvements in grml-debootstrap ===
Date: 2025-03-22
The continuous integration tests for grml-debootstrap stopped passing after my last PR, because ARM64 images couldn't boot. This was because I was failing to instruct grub-install to install GRUB to the fallback bootloader location as well.
== 2025-03-21 ==
=== Deduplicate GRUB installation code in grml-debootstrap ===
Date: 2025-03-21
Refactored parts of grml-debootstrap to remove the grub_install function from the main grml-debootstrap script, leaving only the GRUB installation code in chroot-script.
== 2025-03-20 ==
=== Review and comment on stprint utility emulation ===
Date: 2025-03-20
Patrick requested that Ben add some features to the stprint PR for emulating several common tools like cat, echo, sponge, tee, etc., adding ANSI sequence sanitization to the functionality generally offered by these tools. I looked over a sample implementation proposed by Ben and left some comments.
=== Adapt user-sysmaint-split to work seamlessly with Qubes OS ===
Date: 2025-03-20
Modified several Kicksecure components so that user-sysmaint-split "just works" on Qubes OS. Boot modes are advertised and set up, qrexec and qubesdb overrides are put in place to switch the default user to sysmaint, and several things that didn't work right under Qubes (such as some buttons in sysmaint-panel and the feature that kept the sysmaint user from logging into a non-sysmaint graphical session) were fixed so they work right. Waiting on an upstream PR to qubes-core-qrexec before this is ready for review and merge.
== 2025-03-19 ==
=== Review and comment on 3mdeb verified boot work ===
Date: 2025-03-19
Read through all of the documentation written in 3mdeb's Verified Boot repository, adding comments where appropriate. Also discussed solutions for verified boot on mutable Linux distros with Patrick.
=== Polish qrexec enhancement for user-sysmaint-split ===
Date: 2025-03-19
Working on the patch to allow ephemeral qrexec config to work. The existing implementation manually made a directory using mkdir in a systemd unit, which was clunky and able to be replaced with the help of systemd-tmpfiles. Reimplemented the change with systemd-tmpfiles at Marek's request.
=== Review final implementation of grml-debootstrap compatibility patch ===
Date: 2025-03-19
Patrick made changes to my existing patch to make it cleaner and make it work on his machine (for some reason my patch worked on my machine but not his). Looked good to me.
== 2025-03-18 ==
=== Investigate, begin work on enabling user-sysmaint-split and boot modes by default in Qubes-Whonix-Workstation ===
Date: 2025-03-18
Started looking into what's necessary to get user-sysmaint-split installed by default, enabled, and working properly on Whonix-Workstation under Qubes OS. The current plan after discussion with Marek is to force apps to launch as user sysmaint when booted in sysmaint mode, and override several other things to "sysmaint-ify" the system when booted in this mode. A Qubes feature that allows configuration for qrexec to be put in an ephemeral location is currently being worked on by me.
=== Improve systemcheck login security table output ===
Date: 2025-03-18
Made the table systemcheck displays in the check_login_security step more orderly and easier to understand.
=== Research permission-hardener failure with files under /usr/lib/live/mount ===
Date: 2025-03-18
Investigated a bug report with permission-hardener failing to harden several files located under /usr/lib/live/mount. In conclusion, it looks like the user probably tried to distribution-morph a Debian Live ISO rather than using Kicksecure's Live ISO. This isn't supported. We should add code to permission-hardener to warn if a user tries this.
== 2025-03-17 ==
=== Clarify autologin details ===
Date: 2025-03-17
Added some lightweight documentation so that users would know that the autologin configuration tooling in Kicksecure only handled GUI autologin, not CLI autologin.
=== Redo grml-debootstrap compatibility patch for derivative-maker ===
Date: 2025-03-17
Discussed with Patrick the best way to implement the derivative-maker patch for making it compatible with the newest version of grml-debootstrap. Re-implemented the patch in a different way based on our discussion. Tested, works.
=== Fix user mixup bug in privleap ===
Date: 2025-03-17
While fixing a bug with PAM integration, I accidentally introduced a bug that resulted in environment variables in privleap actions being mixed up as a result of getting the calling user and target user confused. This is now fixed, and additional tests have been added to the test suite so that this kind of bug is very unlikely to go unnoticed in the future.
== 2025-03-16 ==
=== Adjust derivative-maker to work with new grml-debootstrap code ===
Date: 2025-03-16
The grml-debootstrap PR for better GRUB UEFI handling was merged a few days back, but derivative-maker was not yet ready to use it for building Kicksecure images. Added code that enables the newer version of grml-debootstrap to be used properly. This currently directly edits /etc/default/grub rather than diverting it to avoid causing problems with the normal, non-cloud GRUB bootloader packages (which use ucf rather than traditional conffiles). Patrick had wanted to use a diverting solution, so more discussion and possibly reworking will probably be done on this before merge.
=== Review and benchmark new safe-print code from Ben Grande ===
Date: 2025-03-16
Ben found a (generally) much faster way to sanitize text in stprint, and requested I benchmark it to ensure it actually was faster reliably. I reviewed the new code, then did benchmarking and reported the results. The new way of sanitizing text is indeed much faster in almost all situations, with the exception of being barely slower when dealing with very short input strings.
=== Audit and complete privleap logging improvements ===
Date: 2025-03-16
Looked at all places where privleap executables (including privleapd) log or output data for the user to look at, and ensured the wording changes requested by Patrick were applied and passed regression tests.
=== Discuss, review, polish password and autologin handling ===
Date: 2025-03-16
All of the password and autologin handling code was merged, but there were (seemingly) a few loose ends to clean up. After some discussion and study, it turned out there were quite a few things left to fix up, such as sysmaint account handling when user-sysmaint-split wasn't installed, proper handling of run_once flags and user configuration, re-enabling setup-wizard-dist on Kicksecure, etc. Fixed all remaining known issues.
== 2025-03-15 ==
=== Review merge conflict resolution on user-sysmaint-split ===
Date: 2025-03-15
Ensured a merge conflict Patrick had to resolve when working with user-sysmaint-split password / autologin polish was resolved properly, at Patrick's request. Everything looked good to me.
== 2025-03-14 ==
=== Improve privleapd logging ===
Date: 2025-03-14
Changed wording in many log messages, and added username information in places that didn't have it before. Would like to do one more thorough audit before considering this completely done.
=== Fix umask handling in privleap ===
Date: 2025-03-14
Discovered that privleapd was starting processes with the wrong umask settings in some situations, due to the new PAM integration. umask is applied process-wide, not thread-local, which caused problems. Fixed the issue by moving the PAM integration code out of privleapd and into a shim script.
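The process-wide umask behaviour described above, as an added example (this is not privleap's code): a worker thread stands in for the PAM call and changes the umask, after which a file created by the main thread gets the wrong mode, while doing the same change in a child process leaves the parent untouched. The umask values, function names and the inline shim are assumptions made for the illustration.

```python
import os
import stat
import subprocess
import sys
import tempfile
import threading

DAEMON_UMASK = 0o022   # assumed: umask the long-running daemon wants for its own files
SESSION_UMASK = 0o077  # assumed: umask applied while setting up a target user's session


def _create(path):
    """Create a file requesting mode 0666 and return the mode the kernel applied."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def umask_leaks_between_threads():
    """A worker thread changes the umask; the main thread's next file inherits it.

    The umask is a per-process attribute, so there is no way for one thread
    to change it without affecting every other thread in the same process.
    """
    previous = os.umask(DAEMON_UMASK)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            # Stand-in for session setup code running on a request thread.
            worker = threading.Thread(target=os.umask, args=(SESSION_UMASK,))
            worker.start()
            worker.join()
            # The daemon expected 0644 here but gets 0600.
            return _create(os.path.join(tmp, "daemon-file"))
    finally:
        os.umask(previous)


# Hypothetical shim: performs the umask change in its own process, then
# creates the file whose path is passed as the first argument.
_SHIM = (
    "import os, sys\n"
    f"os.umask({SESSION_UMASK})\n"
    "fd = os.open(sys.argv[1], os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)\n"
    "os.close(fd)\n"
)


def umask_isolated_in_child():
    """Run the umask change in a separate process; the parent keeps its own umask.

    Returns (mode of the file made by the shim, mode of the file made by the parent).
    """
    previous = os.umask(DAEMON_UMASK)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            session_file = os.path.join(tmp, "session-file")
            subprocess.run([sys.executable, "-c", _SHIM, session_file], check=True)
            session_mode = stat.S_IMODE(os.stat(session_file).st_mode)
            daemon_mode = _create(os.path.join(tmp, "daemon-file"))
            return session_mode, daemon_mode
    finally:
        os.umask(previous)


if __name__ == "__main__":
    print("same process, other thread:", oct(umask_leaks_between_threads()))
    shim_mode, parent_mode = umask_isolated_in_child()
    print("shim process:", oct(shim_mode), "parent afterwards:", oct(parent_mode))
```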
=== Fix leapctl@1000.service trying to start too early ===
Date: 2025-03-14
There was a missing After= line in the systemd unit for leapctl@.service. Added, should be fixed now.
=== Add comment about module load prevention and exiting with code 1 ===
Date: 2025-03-14
Made a comment on a bug report by Patrick arguing that we should continue to use exit 1 in scripts that block kernel module loading.
== 2025-03-13 ==
=== Update default browser development docs and read discussions ===
Date: 2025-03-13
Read through prior discussion on what the default browser for Kicksecure should be and where it should be gotten from. Updated some documentation, and am thinking about potential ways to get a browser more secure than firefox-esr into Kicksecure. Added a comment on the Whonix forums with some ideas.
=== Check up on IPv6 and GRUB co-installation conflict resolution PRs ===
Date: 2025-03-13
Pinged Daniel about his IPv6 PRs, to see if there were any updates. There were some issues I ran into last time I tried to use the PRs that I haven't received a response to yet.
Also checked up on the GRUB BIOS+UEFI co-installation conflict resolving MR in Debian. After a conversation in #debian-devel, I learned this is indeed too late to go into Debian Trixie, thus it will have to wait until Forky or until a rolling-release form of Debian is implemented.
=== Harden the sysmaint manual login assistance code slightly ===
Date: 2025-03-13
Made it harder to run into issues with the wrong X session being selected during login. This should ease the use of user-sysmaint-split for users who disable autologin.
=== Fix pre-existing issue in Qube Manager with list modification ===
Date: 2025-03-13
Marta reviewed my Qube Manager PR for adding boot mode support, and disliked a workaround I was using to avoid having to change a function in Qube Manager that modified a list in-place when it should have operated on a copy of the list. After explaining the rationale for the workaround, she asked if I could try to fix the core issue. I was able to successfully do this. Changes are pushed and ready for review.
== 2025-03-12 ==
=== Make it easier to use sysmaint mode without sysmaint autologin ===
Date: 2025-03-12
Added code to user-sysmaint-split that automatically selects the sysmaint session for login when booting in sysmaint mode, by manipulating display manager state files. The file changes that are done when booting in sysmaint mode are reverted when booting in user mode again. This could probably use more polish though, if a user logs into sysmaint mode twice in a row I believe the display manager will get "stuck" in sysmaint mode until the user selects a different desktop session manually.
=== Added notes about Lubuntu Update and the creation of a minimal update notifier to the wiki ===
Date: 2025-03-12
Added some info about Lubuntu Update to the Automatic Updates wiki page, since we may be able to use it as the base of an updater application or update notifier. Also wrote down some things about making a minimal update notifier that doesn't handle the task of installing updates.
=== Fix qubes-manager PR for boot mode support ===
Date: 2025-03-12
Added some missing tests, rebased changes.
=== Finish fixing up password and autologin polish ===
Date: 2025-03-12
Finished all remaining requested changes from Patrick and submitted the code for re-review. open-link-confirmation is working, autologin changes are working, ISO builds are working. Note that setup-wizard-dist hasn't actually been enabled on Kicksecure GUI systems, so notifications won't show up yet. That probably should still be done, but the ticket for this task has gotten very long and we probably should make a new ticket for re-enabling setup-wizard-dist.
== 2025-03-11 ==
=== Get open-link-confirmation to work in sysmaint mode ===
Date: 2025-03-11
Finally figured out the remaining issues with getting open-link-confirmation to work in sysmaint mode, and pushed fixes for those issues. It turned out to be because we were failing to call dbus-update-activation-environment --systemd --all in the sysmaint-session script.
=== Debug test failures for stprint with Ben Grande, more review ===
Date: 2025-03-11
Determined the root cause of the stprint test failures with help from Ben (a missing ncurses-related runtime dependency). Also re-reviewed all code. I only saw one potential issue remaining, and proposed a change that will resolve it.
== 2025-03-10 ==
=== Polish default password and autologin enhancements ===
Date: 2025-03-10
Patrick left me a list of enhancements needed for the default password and autologin enhancement code before it could be merged. I implemented many of these, but had trouble getting open-link-confirmation to work reliably in a sysmaint session. Solved many of the problems here, but there are still some more that need fixed.
=== Review Ben Grande's latest stprint changes ===
Date: 2025-03-10
Ben Grande added some fancy terminal information reading features for customizing the list of allowed SGR codes based on the terminal in use. There were also some new environment variables that can be used to control the program. Most everything is working well, but there was a test failure that I can reproduce but that isn't happening for him. Further research needed to determine why.
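A sketch of the kind of filtering the stprint entries on this page describe (ANSI sequence sanitization with a configurable list of allowed SGR codes), as an added example that is not stprint's code. The function names, the "_" replacement character and the sample string are assumptions of this example.

```python
import re

# One token per match: a complete CSI sequence, a complete OSC sequence,
# or any single remaining control character (tab and newline are kept).
_TOKEN = re.compile(
    r"(?P<csi>\x1b\[(?P<params>[0-?]*)(?P<inter>[ -/]*)(?P<final>[@-~]))"
    r"|(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\))"
    r"|(?P<ctl>[\x00-\x08\x0b-\x1f\x7f-\x9f])"
)


def _sgr_allowed(match, allowed):
    """True only for a plain SGR sequence whose every code is in the allow list."""
    if match.group("final") != "m" or match.group("inter"):
        return False  # cursor movement, screen clearing, and so on
    params = match.group("params")
    if not re.fullmatch(r"[0-9;]*", params):
        return False  # private or colon-separated parameter forms
    # An empty parameter means 0 (reset), as in "ESC [ m".
    codes = [int(p) if p else 0 for p in params.split(";")]
    # Extended colour forms such as 38;5;n pass only if every number is
    # listed, which is stricter than necessary but errs on the safe side.
    return all(code in allowed for code in codes)


def sanitize(text, allowed_sgr):
    """Return text with every escape sequence and control character replaced
    by "_" (this example's choice), except SGR sequences in allowed_sgr."""
    def replace(match):
        if match.group("csi") and _sgr_allowed(match, allowed_sgr):
            return match.group(0)
        return "_"
    return _TOKEN.sub(replace, text)


# Constructed sample: bold red text, a window-title change (OSC 0),
# a clear-screen, a carriage return used to overwrite the line, and blink.
CONSTRUCTED_SAMPLE = (
    "\x1b[1;31mALERT\x1b[0m \x1b]0;evil title\x07done\x1b[2J\rspoof\x1b[5m!"
)

if __name__ == "__main__":
    print(repr(sanitize(CONSTRUCTED_SAMPLE, {0, 1, 31})))
    print(repr(sanitize(CONSTRUCTED_SAMPLE, set())))
```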
=== Refactor user creation code in maintainer scripts to avoid duplication ===
Date: 2025-03-10
Refactored most of the user creation code from the dist-base-files postinst and the user-sysmaint-split preinst into a library shipped as part of helper-scripts. Tested, appears to work.
=== Get regression tests for Qube Manager boot mode support to run in CI ===
Date: 2025-03-10
Got a test commit pushed that ran the regression tests for Qubes Manager for my PR in Qubes OS's CI infra. The tests passed, but Marek mentioned an area where coverage could be improved.
== 2025-03-09 ==
=== Change default shell for sysmaint account to zsh ===
Date: 2025-03-09
Added code to the user-sysmaint-split preinst for setting the sysmaint account's shell to zsh. May need to make the package depend on zsh now.
=== Further Qubes boot mode support polish, get initial qubes-core-admin PR merged ===
Date: 2025-03-09
Fixed more problems with Qubes boot mode support (mostly in qubes-manager, but also a bit in qubes-core-admin). The qubes-core-admin PR was merged by Marek, but I filed a second PR to fix an issue that was only discovered in qubes-manager near the tail end of my work. This second PR is almost ready to merge. qubes-manager needs a testing commit pushed to demonstrate that the regression tests pass with it.
=== Fix permissions bug in tb-updater ===
Date: 2025-03-09
tb-updater has a special script that runs only in DispVMs that copies Tor Browser from a persistent directory to the user's home directory. Due to a mix-up when using mkdir --parents, this was resulting in ~/.cache being owned by root. Fixed with an extra chown call.
== 2025-03-07 ==
=== Polish remaining password and autologin handling issues ===
Date: 2025-03-07
Adjusted derivative-maker to add autologin configuration to ISOs and VMs for both user and sysmaint modes. Also resolved an issue where the systemcheck GUI did not launch in sysmaint mode.
=== Fix test coverage issues with qubes-core-admin Qubes boot mode support ===
Date: 2025-03-07
Added some extra tests to hit some missed edge cases. Also explained why one edge case was unreachable code.
=== Fix cosmetic issue with privleapd restart failing in the middle of a config file format migration ===
Date: 2025-03-07
Determined why privleapd was sometimes failing to restart in the middle of an upgrade (config files only being partially upgraded at restart time). The issue was purely cosmetic and didn't cause errors, so it was fixable by simply hiding the issue. (In this situation, other packages will have installed configuration files that will cause a second privleapd restart attempt when it will actually work.)
== 2025-03-06 ==
=== Add better autologin and password handling to user-sysmaint-split and related code ===
Date: 2025-03-06
Changed several repos so the user had more control over autologin, added autologin enabling/disabling software, and adjusted systemcheck so it could report on account password and autologin state.
== 2025-03-05 ==
=== Research ways of fixing blank default password problems under Kicksecure ===
Date: 2025-03-05
A blank default password can be a security liability in some scenarios, so we want to get rid of that. We also want to allow the user to control autologin more easily. Got together a checklist of things to do and started implementing it.
=== Change derivative-maker live-build step to use flavor_meta_packages_to_install ===
Date: 2025-03-05
Previously I was re-determining the right metapackage to use for ISO builds based on the flavor of ISO being built. Changed to use the existing flavor_meta_packages_to_install variable for consistency and ease of future changes. Made ISO test builds after this, the new code appears to work.
=== Fix remaining issues with Qubes boot mode support ===
Date: 2025-03-05
Fixed the broken event handler with help from Marek. Regression tests now pass.
=== Make changes to Calamares hybrid installation PR requested by Adriaan ===
Date: 2025-03-05
Adriaan mentioned some things he wanted refactored and tweaked. Implemented all requested changes.
=== Point out a few remaining safe-print issues ===
Date: 2025-03-05
Reviewed the latest iteration of the safe-print code, noticed a few problems left and reported them.
== 2025-03-04 ==
=== Resolve most remaining issues with Qubes boot mode support ===
Date: 2025-03-04
Fixed some pylint issues in qubes-core-admin and a window size problem in qubes-manager. Fixing the pylint issue broke an event handler however, so this isn't quite finished yet. Asked Marek for advice on how to move forward since I wasn't sure how to resolve the issue correctly.
=== Re-work GRUB co-installability MR with feedback from pham ===
Date: 2025-03-04
Pascal Hambourg (pham) informed me that the way I was resolving the conflicts between grub-pc and grub-efi-{amd64,ia32} would cause a conflict between grub-common and grub-cloud-{amd64,arm64}. Also pointed out that the ucf package was being depended on by the wrong packages now. Fixed both issues, verified that the fix still allows co-installability to work as intended.
=== Fix privleap PAM integration issue causing spurious logins ===
Date: 2025-03-04
Determined why sometimes running privleap actions would result in the target user becoming logged in (it turned out to be pam_systemd.so's fault). This was because Debian's default PAM configuration assumes that things that interact with PAM and don't have special PAM config are going to be starting interactive sessions. Added a PAM configuration file that ensures that privleapd could only start non-interactive sessions. This fixed the bug.
=== Look at bookworm-backports-staging ===
Date: 2025-03-04
Turns out one is supposed to enable a bookworm-backports-staging repo when using the fasttrack repo. This sounds scary, but as it turns out this repo should be safe to enable. Recommended to Patrick that we enable this.
=== Look at apt pinning situation for Qubes linux-firmware package updates ===
Date: 2025-03-04
Looked at code from Marek that pulls a new linux-firmware package from debian-backports into Debian-based VMs. Left a comment regarding the potential safety issues there, ultimately I think what Marek is doing is probably the best way that the situation he's facing can be solved.
== 2025-03-03 ==
=== Create merge request for resolving GRUB package conflicts ===
Date: 2025-03-03
Developed and submitted an MR to Debian that allows grub-pc and grub-efi-{amd64,ia32} to be installed alongside each other. Tested, appears to work in a VM for me.
=== Do another review on Ben Grande's safe-print code ===
Date: 2025-03-03
I had mistakenly failed to look at this for a few weeks due to not noticing that review had been requested from me. Ben pinged me, and I was able to do the review now. Virtually all points of my review were cosmetic in nature, and the few that weren't, weren't that big of a deal. I suspect we will be ready to merge after the next review.
=== Privleap bugfixing and polishing ===
Date: 2025-03-03
Added new features, updated documentation, researched bugs and reported back findings. Virtually everything is fixed, but there's a mystery with users getting incorrectly logged in, and I couldn't reproduce an upgrade issue that caused configuration to fail to load even when it appeared fine.
== 2025-03-02 ==
=== Get proof-of-concept grub-pc + grub-efi-amd64 co-installability working ===
Date: 2025-03-02
Managed to get a build of GRUB that allowed grub-pc and grub-efi-amd64 to install at the same time and be able to update their respective bootloaders properly. Also discovered that the reason the BIOS bootloader doesn't install right out of the box when you do this is because the postinst script expects BIOS GRUB to be installed manually once before the postinst will update it (this is usually done by an installer). Asked on #debian-devel if there were additional issues to check, since it appears to me that the packages don't actually conflict, at least not in an easily visible way.
=== Get Calamares hybrid GRUB support into a reviewable state, discuss with dalto8 ===
Date: 2025-03-02
Fixed the last issue with the hybrid GRUB support PR that was keeping me from asking for review. dalto8 almost immediately reviewed it, and discussed some issues with me (which I got resolved). Currently awaiting further review.
=== Add PAM integration to privleap ===
Date: 2025-03-02
Took the knowledge learned from reading the code of OpenDoas (plus some info derived from sudo's source code) and got PAM integration working, TMP and TMPDIR are now being set properly.
=== Ping HW42 about the root elevation qrexec work, comment on template service blocking ticket ===
Date: 2025-03-02
Gave HW42 a ping to see how things are coming along with the root elevation qrexec ticket (where attempting to gain root in an AppVM pops up a window in dom0 asking if the user wants to allow this). Also added a comment to the Qubes issue about keeping services from running in templates, the solution that was being suggested there doesn't look like it would work, but the solution Kicksecure is using with user-sysmaint-split does work.
=== More Qubes boot mode review, fix data consistency problem ===
Date: 2025-03-02
Got the data consistency issue fixed with Marek's help. Also fixed an issue with the regression tests. This is hopefully close to complete, there's an issue with Qube Manager's window being too tall and some pylint gripes that still need dealt with.
== 2025-03-01 ==
=== Continue to work on Qubes boot mode support ===
Date: 2025-03-01
Implemented Marek's idea for making boot mode updates more seamless. Things mostly work, however there's a data consistency issue in Qube Manager that is resulting in the user being told that the active boot mode's kernel options are set to a value that they aren't set to.
=== Finish polishing kloak documentation ===
Date: 2025-03-01
Added a threat model section and some additional bits of polish to the documentation on kloak.
== 2025-02-28 ==
=== Enhance documentation for keystroke and mouse deanonymization ===
Date: 2025-02-28
Added better documentation for kloak and Qubes event buffering. Mostly done, some minor changes still need to be made for this to be good.
=== More fixes and testing on Qubes OS boot mode support ===
Date: 2025-02-28
Did a self-review of the Qubes OS boot mode support code in qubes-core-admin, fixing some bugs in the process. Also discussed some potential behavior changes in the code with Marek, he has an idea for making boot mode updates more seamless in the future that I'll probably end up implementing.
=== Clean up remaining rough edges on grml-debootstrap UEFI enhancement PR ===
Date: 2025-02-28
Ensured all conversations on the grml-debootstrap UEFI enhancement PR were marked as resolved. Also ran through the last test scenario I felt was necessary and reported the results. Awaiting another iteration of review, this is hopefully close to complete.
== 2025-02-27 ==
=== Run thorough tests on most of the grml-debootstrap UEFI enhancement PR ===
Date: 2025-02-27
Ran a very thorough suite of tests on grml-debootstrap to ensure that image builds succeeded and the resulting images worked properly in 36 different scenarios. The only thing I can think of that probably should still be tested is to see if grml-debootstrap can properly modify the host's UEFI variables when doing a physical hardware install.
=== Study how OpenDoas uses PAM for integrating PAM support into privleap ===
Date: 2025-02-27
Patrick brought up integrating privleap with PAM for the sake of better temp directory handling. I studied how to use PAM, including taking a close look at how OpenDoas uses PAM. Made notes, and shared high-level takeaways from the research which will be used for implementation later on.
=== Iterate with Marek on Qubes boot mode support ===
Date: 2025-02-27
Discussed Qubes boot mode development with Marek on GitHub issues and in comments on a commit to my fork of qubes-manager. Fixed several issues, and added the ability to assign a pretty name to the fallback "no extra parameters" boot mode. Needs a thorough self-review before submitting for re-review.
=== Fixed Kicksecure template build failure, tested template for bugs reported by unman ===
Date: 2025-02-27
Figured out why the Kicksecure template was failing to build (I accidentally introduced the issue when doing a different bugfix). Made a PR to resolve this in qubes-builderv2, which Marek has already merged. Once I got the template to build properly, I installed and tested it on my Qubes R4.3 system. The issues unman reported don't seem to be a problem any longer, thus this should be complete.
== 2025-02-26 ==
=== Start debugging Kicksecure template build failure ===
Date: 2025-02-26
Was trying to figure out how to fix the issues reported by unman with the Kicksecure template, only to discover qubes-builderv2 is unable to build the template properly on Qubes OS R4.3. The template that ends up being built is a very minimal pure Debian template. This appears to be a bug in qubes-builderv2 itself - it can't find the template-kicksecure repository to run the code that makes the template into Kicksecure. It instead is looking for a template repository named +.
== 2025-02-25 ==
=== More polish on Qubes boot mode support ===
Date: 2025-02-25
Wrote more unit tests, fixed bugs, did manual testing. The only thing that hasn't been dealt with yet that should be is figuring out how to name the default (blank) boot mode.
== 2025-02-24 ==
=== Post-review improvements to Qubes boot mode support ===
Date: 2025-02-24
Marek gave a very thorough review, pointing out some shortcomings and issues in the boot mode code. Responded to each point, and did a number of fixes and enhancements locally. These have not yet been pushed, as they need tested and need unit tests written for them.
=== Respond to grml-debootstrap review, test requested changes ===
Date: 2025-02-24
Tested some changes that were requested by zeha and mika, replied to questions. Looks like the PR is close to being merged.
== 2025-02-23 ==
=== Prepare Qubes boot mode support for initial review ===
Date: 2025-02-23
Substantially rearchitectured the boot mode support after a conversation with Marek, did a bunch of testing and fixing, and wrote most of the needed unit tests. Everything works so far, marked as ready for review.
== 2025-02-22 ==
=== Investigate privleap PAM integration, fix documentation ===
Date: 2025-02-22
Fixed a documentation issue in privleap. Also researched PAM integration possibility and looked at possible environment sanitization. Left comments from research on the appropriate GitHub issues.
=== Require all privleap rules to have auth data ===
Date: 2025-02-22
Added code to privleap that refuses to use an action definition that lacks authorization data (i.e. AuthorizedUsers and AuthorizedGroups). Also modified Kicksecure's privleap configuration to be compliant with this change and added/fixed regression tests.
== 2025-02-21 ==
=== Fix policy-rc.d script conflicts in live-build and derivative-maker ===
Date: 2025-02-21
Debugged issues with the policy-rc.d script being shipped in user-sysmaint-split, discovered an issue in live-build that broke the file and determined the details of a similar problem in derivative-maker. Fixed both problems, now the policy-rc.d script is remaining in position properly.
== 2025-02-20 ==
=== Change privleap action header format ===
Date: 2025-02-20
Ben recommended I change the format of privleap action headers from [action-name] to something similar to [action:action-name] (where all actions are prefixed with action: to distinguish them from other kinds of headers). Implemented this, and made changes throughout the rest of the Kicksecure and Whonix codebases to match.
=== Add config check to privleap postinst, stop using dh_installsystemd ===
Date: 2025-02-20
Added a configuration check to privleap's postinst script. While doing this, I discovered dh_installsystemd appeared to be interfering with the postinst script in weird ways, debugged how to use it as intended, determined it wasn't suitable for privleap, and forcibly disabled it via an override in debian/rules.
=== Implement tests for privleapd config reload without restart ===
Date: 2025-02-20
Added regression tests for config reload support. Everything passes. Also did quite a bit of test refactoring and minor bugfixing in the middle of this and other privleap-related tasks.
=== Investigate tor-verify-config privleap rule conflict ===
Date: 2025-02-20
Looked at the report and discussed possible solutions with Patrick. We decided to use || true on systemctl start invocations to avoid a broken apt installation if privleapd is upgraded on a system with invalid configuration.
== 2025-02-19 ==
=== Start implementing privleap configuration reload without restart ===
Date: 2025-02-19
Implemented a feature in leapctl and privleapd that allows instructing privleapd to reload its configuration without restarting the server entirely. The implementation keeps the old configuration in the event the new config is invalid. Needs unit tests written for it.
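The configuration rules described in the privleap entries on this page (the [action:action-name] header, refusing actions that lack AuthorizedUsers and AuthorizedGroups, and a reload that keeps the old configuration when the new one is invalid), as an added Python example that is not privleap's own code. The Command key, the comma-separated list syntax, the use of configparser, the rejection of every non-action header, and all sample values are assumptions made for illustration.

```python
import configparser


class ConfigError(ValueError):
    """Raised when a configuration must not be used at all."""


def _split(value):
    # Comma-separated lists are an assumption of this example.
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_actions(text):
    """Return {action name: definition}; raise ConfigError on any bad rule."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=True)
    parser.optionxform = str  # keep key case (AuthorizedUsers, not authorizedusers)
    try:
        parser.read_string(text)  # strict=True rejects duplicate headers
    except configparser.Error as exc:
        raise ConfigError(str(exc)) from exc

    actions = {}
    for section in parser.sections():
        kind, sep, name = section.partition(":")
        # Simplification: this example accepts only [action:NAME] headers.
        if kind != "action" or not sep or not name:
            raise ConfigError(f"unrecognized header [{section}]")
        body = parser[section]
        users = _split(body.get("AuthorizedUsers", fallback=""))
        groups = _split(body.get("AuthorizedGroups", fallback=""))
        # Fail closed: a rule without authorization data is never loaded.
        if not users and not groups:
            raise ConfigError(f"action {name!r} has no authorization data")
        command = body.get("Command", fallback="").strip()  # assumed key name
        if not command:
            raise ConfigError(f"action {name!r} has no command")
        actions[name] = {"command": command,
                         "users": set(users), "groups": set(groups)}
    return actions


class ActionStore:
    """Holds the active rule set and swaps it only for a fully valid one."""

    def __init__(self, text):
        self.actions = parse_actions(text)

    def reload(self, text):
        try:
            candidate = parse_actions(text)
        except ConfigError:
            return False  # old configuration stays in force
        self.actions = candidate
        return True

    def lookup(self, name, user, groups):
        # Unknown and unauthorized actions give the same answer, so a caller
        # cannot use the reply to enumerate which actions exist.
        action = self.actions.get(name)
        if action is None:
            return None
        if user in action["users"] or action["groups"] & set(groups):
            return action["command"]
        return None


# Constructed sample configurations (not taken from Kicksecure or Whonix).
GOOD = """\
[action:check-tor-config]
Command=/usr/bin/true
AuthorizedUsers=user

[action:restart-sdwdate]
Command=/usr/bin/true
AuthorizedGroups=sudo,sysmaint
"""
NO_AUTH = "[action:open-everything]\nCommand=/usr/bin/true\n"
OLD_HEADER = "[check-tor-config]\nCommand=/usr/bin/true\nAuthorizedUsers=user\n"
DUPLICATE = GOOD + "\n[action:check-tor-config]\nCommand=/usr/bin/false\nAuthorizedUsers=user\n"

if __name__ == "__main__":
    store = ActionStore(GOOD)
    for label, text in (("no auth data", NO_AUTH), ("old header", OLD_HEADER),
                        ("duplicate rule", DUPLICATE)):
        print(label, "-> reloaded:", store.reload(text),
              "| active:", sorted(store.actions))
```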
=== Test and research Qubes boot mode support ===
Date: 2025-02-19
Tested the existing implementation of Qubes boot mode support, discussed implementation details with Marek. Some of the solution will work as-is but some of it needs rearchitectured.
=== Research policyrcd-script-zg2 ===
Date: 2025-02-19
Downloaded and read through the code of policyrcd-script-zg2. It didn't turn out to behave the way we expected, and doesn't look suitable for the use case we had in mind.
=== More privleap polishing again ===
Date: 2025-02-19
Tackled several more issues from Ben's and Marek's reports, fixing many rough edges in the code and resolving several bugs.
=== Improve sdwdate-gui status passing ===
Date: 2025-02-19
Made sdwdate-gui use a tmpfiles.d snippet to create the temp dir for storing status messages passed via qrexec. Also changed the directory the untrusted status file was saved to. This prevents issues when using /run/user/1000 in the qrexec policy, and makes the code less complex.
== 2025-02-18 ==
=== More privleap polishing 2 ===
Date: 2025-02-18
Fixing bugs filed by Ben Grande. Probably will have quite a bit more of this to do.
== 2025-02-17 ==
=== More privleap polishing ===
Date: 2025-02-17
Fixing bugs filed by Ben Grande. Probably will have quite a bit more of this to do.
== 2025-02-16 ==
=== Mostly finish implementing boot mode support in Qubes OS ===
Date: 2025-02-16
Tested and worked out several bugs in Qubes OS boot mode support. Things appear to be working for the most part after debugging, I intend on doing more thorough testing in the near future (probably tomorrow).
=== Fix bad ownership (and likely bad permissions) on /run/user/1000 on Qubes-Whonix ===
Date: 2025-02-16
A change we made to prevent writing temp files to /tmp for security ended up inadvertently causing /run/user/1000 to be owned by root, and probably set to permissions 755. Fixed this by explicitly creating and setting the owner and permissions of /run/user/1000 in sdwdate-gui.
=== Write policy-rc.d file for keeping services from starting on install in sysmaint mode ===
Date: 2025-02-16
Wrote a script for /usr/sbin/policy-rc.d that prevents deb-systemd-invoke from starting or restarting units that aren't supposed to be started while in sysmaint mode. This transparently avoids interfering with user mode and unrestricted admin mode. This needs more work, as derivative-maker also modifies policy-rc.d, and I have not yet taken that into account.
=== Make privleapd start before basic.target ===
Date: 2025-02-16
Added the needed systemd configuration to make privleapd start before basic.target was reached. This allows privleap to be used basically as soon as early system boot is complete.
=== Fix privleap error due to conflicting rules ===
Date: 2025-02-16
anon-gw-anonymizer-config had a privleap rule that conflicted with a rule in systemcheck. Found the issue and renamed the rule in anon-gw-anonymizer-config. (This wasn't causing privleapd to crash outright because of a bug in privleap that was only resolved yesterday.)
== 2025-02-15 ==
=== Work through all resolvable privleap issues filed by Ben Grande ===
Date: 2025-02-15
Implemented all requested features and fixed all reported bugs that were fixable. Some of the issues need further input from Patrick or more info from Ben to resolve, those are still left open.
== 2025-02-14 ==
=== More privleap test polishing ===
Date: 2025-02-14
Fixed some issues with the run_autopkgtest script, fixed other issues in privleap, and replied to the issues and code comments submitted by Ben Grande.
== 2025-02-13 ==
=== privleap automated test suite polishing, bugfixing ===
Date: 2025-02-13
Worked on fixing several issues reported by Ben Grande and noticed by myself in privleap, polishing autopkgtest support, fixing docs, and preventing installation failure in more edge cases.
=== Work on implementation of Qubes OS boot mode support ===
Date: 2025-02-13
Got the backend implementation for boot modes mostly working. Found a bug that prevents the feature from working correctly and reported it as well. At the moment the backend implementation allows a template to advertise arbitrary boot modes with a single kernel parameter, set default boot modes one time, and can boot VMs in a selected boot mode. Multi-kernel-parameter boot modes will require https://github.com/QubesOS/qubes-issues/issues/9775 to be solved.
=== Read, make notes on 3mdeb RAM decay research ===
Date: 2025-02-13
Read through both 3mdeb blog posts on RAM data decay and cold boot attacks. Added notes to the wiki as appropriate.
== 2025-02-12 ==
=== Write spec for and begin work on user-sysmaint-split support in Qubes OS ===
Date: 2025-02-12
Wrote several iterations of a spec for user-sysmaint-split in Qubes OS, going back and forth with Marek to figure out the implementation strategy. Started writing some code that actually implements the spec as well. Ultimately the job looks like at least parts of it will be less difficult than expected.
=== Ticket cleanup, comment on Qubes OS-related kloak issues ===
Date: 2025-02-12
Helped get two Qubes OS issues closed by commenting on them and requesting them to be closed as implemented. Also followed up on an issue related to Qubes OS in vmonaco's original kloak repository. Did miscellaneous ticket cleanup as well, tidying up some loose ends left over from the "WAITING ON" section mostly.
=== Further work on Calamares hybrid boot support ===
Date: 2025-02-12
Made it so that BIOS boot partitions are specially labelled in the installer, sorta. The exact implementation isn't great, but it works, and the alternative implementation I tried didn't work. This may be acceptable as-is, but I'm waiting on feedback from upstream.
=== Miscellaneous fixes to user-sysmaint-split and sudoless app ports ===
Date: 2025-02-12
* Fixed a bug where installing privleap along with all the other sudoless apps would result in a failed install due to privleapd starting at the wrong time.
* Made it so the sysmaint account could actually use privleap again (a new whitelisting feature locked it out).
* Fixed a race condition in user-sysmaint-split that could result in a normal boot automatically logging into sysmaint mode.
* Corrected a typo'd directory name in usability-misc.
== 2025-02-11 ==
=== Fix some final bugs in the grml-debootstrap hybrid boot PR ===
Date: 2025-02-11
The shim bug noticed earlier was resolved, along with a couple other minor issues (see https://github.com/grml/grml-debootstrap/pull/299#issuecomment-2652560971)
== 2025-02-10 ==
=== More iteration on grml-debootstrap hybrid boot enhancement PR ===
Date: 2025-02-10
Added hybrid boot support to chroot-script (which allows hybrid boot to work on physical disk installs), and polished the existing code to meet upstream's requirements. The only potential issue left is that shim isn't being installed on arm64 (and possibly also amd64?) physical disk installs.
=== Remove lightdm dependency from sysmaint-panel ===
Date: 2025-02-10
sysmaint-panel didn't actually need lightdm as a dependency, and the dependency was causing problems with Qubes OS, so I removed it.
=== Fix DispVM support in sudoless tb-updater ===
Date: 2025-02-10
A bug was discovered in the sudoless tb-updater code that resulted in Tor Browser having to be redownloaded on every single VM launch. This turned out to be because the mount script responsible for making things work right on DispVMs was failing to run, due to privleapd not being started by the time the script was run. The script actually ran as root, so it didn't need leaprun (or even sudo, which it originally used) to function, so I replaced the leaprun code with equivalent code that didn't require dropping privileges.
== 2025-02-09 ==
=== Revisit and polish Calamares hybrid boot support ===
Date: 2025-02-09
Went back to an open draft PR against Calamares for adding hybrid BIOS+UEFI boot support, fixing issues and making the feature much more practical and easy to use.
=== Research Qubes selective sudo access implementation steps ===
Date: 2025-02-09
Read through four Qubes OS tickets to get a good grasp on how to implement the qrexec-based selective sudo access feature. Studied and wrote a spec for how a pam_qrexec.so plugin for PAM could work without bypassing password auth improperly. Also reviewed GUI mockups from Marta and discussed some ideas to make the user interface more friendly. I wasn't able to start work on actual code yet as HW42 has requested I hold off until he's finished doing his packaging, for the sake of avoiding work duplication.
=== Add crash recovery, enhanced first-time install setup, and more security hardening to privleap ===
Date: 2025-02-09
Added code to privleap that allows it to recover from a crash or lockup with minimal user interruption. Also added an "allowed users" feature to prevent unauthorized users from being able to communicate with the privleapd server, and enhanced the postinst script so that things would work properly after privleap is first installed without requiring a reboot.
=== Investigate next steps for selective sudo access and sysmaint boot Qubes features ===
Date: 2025-02-09
Looked into implementation details and intended methodology for implementing these two Qubes OS features. Came up with some good plans and tried to coordinate development with Qubes OS devs some. Next step is to create a concrete specification for the intended behavior of the selective sudo access feature (it's going to be a lot more complicated than originally thought). sysmaint boot features should hopefully be substantially simpler and not need a formal specification.
== 2025-02-08 ==
=== Add systemd-notify support to privleap, enhance restart-on-upgrade code ===
Date: 2025-02-08
Changed the service type of privleapd.service from exec to notify, and added code to privleapd that informed systemd when service start was complete. Also fixed up the code that enables and (re)starts privleapd on package installation. Things seem to be working pretty good, however recovery in the event of a server crash has not yet been implemented.
== 2025-02-07 ==
=== Research safety of using live-build debian-installer build from Git ===
Date: 2025-02-07
Looked into whether the MitM vulnerability previously found in live-build when enabling debian-installer was still present when using the option to build debian-installer from Git source. This does appear to still be an issue, the attacker would just have to replace a udeb rather than replacing the installer initramfs itself. Also, using debian-installer built from Git does not work when building Bookworm images due to too-old udebs in Bookworm.
=== Make user-sysmaint-split uninstall boot option use dummy-dependency ===
Date: 2025-02-07
Previously the uninstall boot option was using apt directly, which will cause a problem once Kicksecure depends on user-sysmaint-split. Switched to dummy-dependency to prevent this from being a problem.
=== Add systemd trigger for privleapd restart on upgrade ===
Date: 2025-02-07
Added a systemd trigger that restarts privleapd (and recreates open comm sockets) if configuration changes during an upgrade. Tested and ensured it works. I have not yet tested how this interacts with upgrade-nonroot however, it's possible it could result in an interrupted upgrade, this needs to be researched.
=== Adjust sdwdate-gui-qubes status temp file location ===
Date: 2025-02-07
Changed the location of the status temp file used by sdwdate-gui-qubes to /run/user/100/sdwdate/. Verified that this works. Also adjusted privleap to use a systemd executable prefix rather than a bash shell command for preventing login failure if privleapd fails to start, at the suggestion of marmarek.
== 2025-02-06 ==
=== Enhance privleap tests, discuss relocating temp folder used by NewStatus qrexec policy ===
Date: 2025-02-06
Added tests to privleapd that ensure invalid ASCII is rejected reliably. Also discussed with Patrick where to move the temp file written by the whonix.NewStatus qrexec policy for informing sys-whonix that a new Whonix qube with sdwdate running has been launched. Good location for temp files agreed upon.
=== Ensure Whonix qubes aren't broken when installing privleap and sysmaint-augmented applications without user-sysmaint-split ===
Date: 2025-02-06
Previously if you installed privleap and something that had a privleap rule that mentioned the sysmaint account installed on a Whonix qube without user-sysmaint-split, the qube would break because of login failure. Tested and ensured the fixes below resolved this issue.
=== Prevent login failure if privleapd fails to start ===
Date: 2025-02-06
Previously if privleapd failed to start, the leaprun commands defined in user@.service.d would fail and thus login would be broken. Now the failure is silently ignored. leaprun obviously won't function if this occurs, but at least login will succeed.
=== Allow privleapd to function if nonexistent users and groups are present in configuration ===
Date: 2025-02-06
There are legitimate reasons for users and groups that don't exist to be defined as authorized in privleap's configuration. privleapd now simply skips over these, rather than erroring out when one is encountered.
=== Fix isomd5sum bug in derivative-maker ===
Date: 2025-02-07
Currently there is code that ensures isomd5sum is installed if needed, however this code is unnecessary because it turns out the bug that inspired its creation is actually a configuration issue in derivative-maker. Fixed the config issue and removed the superfluous code.
== 2025-02-05 ==
=== Sync live-build with upstream ===
Date: 2025-02-06
Got upstream's live-build changes synced back into our live-build, ensuring the finished product was still capable of building a working Kicksecure ISO. Filed a couple of MRs to fix upstream bugs (one of which turned out to be a downstream bug, but the other one of which was a legitimate upstream bug).
=== Fix sudoless sdwdate-gui-qubes ===
Date: 2025-02-06
Tested and fixed the bugfix for the sdwdate-gui-qubes bug. All Whonix VMs now appear in the GUI as intended.
=== Add Wayland documentation to the Wiki where appropriate ===
Date: 2025-02-06
Searched for various forms of "X11", "X.org", "X server", etc., looking for any X11-specific documentation and adding Wayland documentation alongside when needed.
=== Create work-in-progress fix for sudoless sdwdate-gui bug under Qubes OS ===
Date: 2025-02-05
Discovered that sdwdate-gui was not functioning as expected under Qubes OS after the sudoless port - only the sys-whonix VM had sdwdate controls available. Determined the likely root cause of the bug and pushed a fix for it, this still needs tested though.
== 2025-02-04 ==
=== Add quick uninstall boot option to user-sysmaint-split ===
Date: 2025-02-04
Added code to user-sysmaint-split and sysmaint-panel that allows quickly uninstalling user-sysmaint-split via a boot option in GRUB. If a password is set on the sysmaint account, this requires authentication.
=== Fix user-sysmaint-split bug with autologin breaking on uninstallation ===
Date: 2025-02-04
Discovered that a supposedly ephemeral config file was being left on the disk when uninstalling user-sysmaint-split from sysmaint mode, resulting in autologin breaking. Refactored the sysmaint-boot script and added functionality for removing these kinds of config files so that the functionality of the system would be properly restored after uninstallation.
=== Try to implement ephemeral unrestricted sudo in Kicksecure templates ===
Date: 2025-02-04
Attempted to implement code to hack around Qubes OS lacking features needed for user-sysmaint-split to work right. Basically the idea was to make it so that templates had an unrestricted sudo while AppVMs had restricted sudo. This was going to be implemented with symlinks and an apt hook, but ultimately this ended up running into a number of worrying edge cases, ultimately ending with Patrick and I deciding to abandon this method and focus further effort in this area on adding features to Qubes OS to make user-sysmaint-split work well.
=== Fix upgrade-nonroot sudoless port ===
Date: 2025-02-04
The upgrade-nonroot port had some bugs and inefficient code, which has now been fixed.
== 2025-02-03 ==
=== Investigate allowing unrestricted admin in Kicksecure, Whonix Qubes templates ===
Date: 2025-02-03
We would like unrestricted admin mode to work properly on Kicksecure and Whonix under Qubes OS, but only when booted into a TemplateVM. Originally we were going to use bind mounts on the sudo and pkexec executables for this, but I discovered this breaks dpkg. Designed a revised plan with help from Patrick.
=== Audit Kicksecure and Whonix packages for sudo, pkexec usage, port to privleap where applicable ===
Date: 2025-02-03
Found many more places in Kicksecure and Whonix where sudo and pkexec were being used, determined which areas should use privleap instead, and ported them. This should allow fully sudoless Kicksecure and Whonix to function mostly normally. Some more parts could be ported if we had identity verification support via passwords in privleap, but what can be done without that should now be done and is ready for review.
== 2025-02-02 ==
=== Implement sudoless support in all needed packages with sudoers config ===
Date: 2025-02-02
Got every package in Whonix and Kicksecure that ships a sudoers config and also needs functionality retained in sudoless mode ported to use privleap where necessary. At this point most of the features in Kicksecure and Whonix should function correctly even if user-sysmaint-split is installed and the user is booted in sysmaint mode. More auditing and a lot more review work needs done before this can be considered fully complete, but this is a decent step in that direction. Ended up implementing more features in privleap to make this work (most notably adding the ability to configure multiple users and groups as being able to execute a specific action).
== 2025-02-01 ==
=== Add persistent user support, UID handling, and full root access to privleap ===
Date: 2025-02-01
Made it so the root account could run any action at any time, also made it so UIDs and GIDs could be used in place of user and group names in several areas, and added support for "persistent users" which have always-available comm sockets that cannot be destroyed easily. This is to make systemcheck work with privleap.
=== Discuss and investigate grub-cloud-amd64 issues for grml-debootstrap ===
Date: 2025-02-01
Filed a bug report against grub-cloud, attempted to ping the maintainer and also discussed issues with slow amd64 boot with the grml-debootstrap developers and with Patrick.
== 2025-01-31 ==
=== Write Qubes OS ticket for user-sysmaint-split support ===
Date: 2025-01-31
Wrote an in-depth explanation of what will allow for ideal user-sysmaint-split support in Qubes OS, summarizing a bunch of things from a conversation I had with Marek and Demi on Matrix.
=== Use privleap in upgrade-nonroot rather than sudo ===
Date: 2025-01-31
Ported upgrade-nonroot to use privleap. Also set DEBIAN_FRONTEND='noninteractive' in apt-get-update-plus to mitigate the risk of the apt process freezing during updates.
=== Find a fix for the missing icons in the Kicksecure template's Thunar ===
Date: 2025-01-31
Figured out that qubes-gui-agent-xfce needed to be installed in the qube for things to work. Added it to kicksecure-qubes-gui in kicksecure-meta-packages.
=== Implement grub-cloud use in grml-debootstrap ===
Date: 2025-01-31
Tweaked the grml-debootstrap PR to use grub-cloud on amd64 VMs when enabling UEFI. Also simplified some code and filed a bug report about a confusing comment in the grub-cloud postinst script.
== 2025-01-30 ==
=== Investigate grub-cloud usability for grml-debootstrap ===
Date: 2025-01-30
Investigated grub-cloud's feature set and how to use it. Looks like it will probably do what we want.
=== More hardening and polish on privleap ===
Date: 2025-01-30
Made the privleap code more readable, added security hardening to avoid leaking info about available privleap actions to the caller in the event the user wants to keep them secret, added some UID and GID handling logic to mitigate mistakes that could result in actions unintentionally running with some degree of root access, and improved the tests. Also made it clear that autopkgtest was the only supported way of running the regression tests.
== 2025-01-29 ==
=== Safe-print code review, second pass ===
Date: 2025-01-29
Reviewed Ben's safe-print program again. Made some suggestions, overall the code looks very good.
=== Finish privleap tests, polish code ===
Date: 2025-01-29
privleap's tests now pass reliably, code is essentially feature-complete except for a footgun with TargetUser. Going to fix that.
== 2025-01-28 ==
=== Mostly finish tests for privleap ===
Date: 2025-01-28
All tests are now written and mostly working, however some of them are race condition prone and are not functioning as intended for unknown reasons. Once this is resolved and the tests pass reliably when using autopkgtest, this job will be complete.
== 2025-01-27 ==
=== Further work on privleap tests ===
Date: 2025-01-27
Added more tests for privleapd, refactored and debugged the existing tests for maintainability.
== 2025-01-26 ==
=== Review safe-print code from Ben Grande ===
Date: 2025-01-26
Reviewed the safe-print program Ben wrote. Needs more thorough review due to the complexity of some of the regexes, but for the most part it looks good.
=== Write testing framework for most of privleap ===
Date: 2025-01-26
Wrote tests for most of privleap. The server still needs significant testing, but both leaprun and leapctl are now able to be quickly tested reasonably thoroughly.
== 2025-01-25 ==
=== Additional privleap hardening and refactoring ===
Date: 2025-01-25
Shortened functions, fixed bugs, and changed how some parts of the code worked so that mypy passes entirely clean and pylint almost passes (with the exception of griping about some "TODO" comments). Still need to port to using real logging rather than just print, and need to write detailed tests.
=== Follow up on grml-debootstrap PR ===
Date: 2025-01-25
Answered some questions and suggestions with the grml-debootstrap PR, also fixed a typo at zeha's request.
== 2025-01-23 ==
=== Harden privleap code ===
Date: 2025-01-23
Added extensive type annotations to get the code to pass mypy. Also fixed the majority of all pylint gripes (there's still a few more to tackle which I'll finish up soon).
=== Test helper-scripts PR extensively ===
Date: 2025-01-23
Ran a large battery of tests against Ben's helper-scripts PR. Found one bug in the code, which I reported. Once this is fixed the new user management library should be ready to merge.
== 2025-01-22 ==
=== More sudoless porting, using privleap where applicable ===
Date: 2025-01-22
Ported more things to be sudoless and use privleap, including the very complex systemcheck application. Made very significant progress, added several needed features to privleap in the process.
=== Make input validation in privleap better ===
Date: 2025-01-22
Added many more input validation checks to privleap to catch several possible errors, mostly around invalid usernames.
=== Give the helper-scripts PR another review ===
Date: 2025-01-22
Reviewed the latest iteration of Ben's helper-scripts PR. Mostly ready to go.
=== Respond to power management feature request on forums ===
Date: 2025-01-22
Pointed out problems with use of AI for generating bug reports and feature requests, argued against the suggestions in the post since they could have negative security and usability consequences.
== 2025-01-21 ==
=== Sudoless development, privleap integration ===
Date: 2025-01-21
Started integrating privleap into Kicksecure code in place of passwordless sudo calls. Ended up adding two substantial features to privleap (stdout/stderr streaming and running processes as non-root users) in order to make it suitable for our use case.
=== Fix permission-hardener behavior with symlinks and hardlinks ===
Date: 2025-01-21
Made permission-hardener fully and properly resolve symlinks rather than treating them as separate files. Also made it reject hardlinks entirely because those have the same problems as symlinks for our use case, but are difficult and resource-intensive to trace the way we can trace hardlinks.
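The path handling described in this entry, as an added Python example that is not permission-hardener's own code: policy paths are resolved through symlinks so that several names for one file collapse into one target, and regular files with more than one hard link are refused. The function names, the result layout and the demo files are assumptions made for illustration.

```python
import os
import stat


def plan_targets(policy_paths):
    """Map each real file to the policy paths naming it; collect refusals.

    Returns (targets, rejected) where targets is {real path: [policy paths]}
    and rejected is {policy path: reason}.
    """
    targets = {}
    rejected = {}
    for path in policy_paths:
        # Follow every symlink in the path so a link and its target are
        # treated as the same file instead of two separate entries.
        real = os.path.realpath(path)
        try:
            info = os.lstat(real)
        except OSError:
            rejected[path] = "missing"  # dangling link or absent file
            continue
        if stat.S_ISLNK(info.st_mode):
            rejected[path] = "unresolved"  # e.g. a symlink loop
            continue
        # A link count above 1 means other names share this inode. Finding
        # those names requires scanning the whole filesystem, so the file
        # is refused rather than traced.
        if stat.S_ISREG(info.st_mode) and info.st_nlink > 1:
            rejected[path] = "hardlink"
            continue
        targets.setdefault(real, []).append(path)
    return targets, rejected


def build_demo_tree(root):
    """Create constructed sample files under root and return their paths."""
    tool = os.path.join(root, "tool")
    tool_link = os.path.join(root, "tool-link")
    shared_a = os.path.join(root, "shared-a")
    shared_b = os.path.join(root, "shared-b")
    dangling = os.path.join(root, "dangling")
    for name in (tool, shared_a):
        with open(name, "w", encoding="ascii") as handle:
            handle.write("demo\n")
    os.symlink(tool, tool_link)          # symlink: resolved to "tool"
    os.link(shared_a, shared_b)          # hard link: both names refused
    os.symlink(os.path.join(root, "gone"), dangling)  # target does not exist
    return [tool, tool_link, shared_a, shared_b, dangling]


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as demo_root:
        found, refused = plan_targets(build_demo_tree(demo_root))
        for real_path, names in found.items():
            print("target", real_path, "named by", names)
        for name, reason in refused.items():
            print("refused", name, "reason:", reason)
```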
=== Document reasoning behind polkit fix (and fix Wayland too) ===
Date: 2025-01-21
Documented why launching the polkit agent manually is required. Also added the needed code to do so to the Wayland session launcher as well.
== 2025-01-20 ==
=== Enable user-sysmaint-split on Kicksecure ISO ===
Date: 2025-01-20
Enabled user-sysmaint-split in the Kicksecure ISO package list file and in live-build. Built the ISO, tested it, works.
=== Add diagnostics to permission-hardener ===
Date: 2025-01-20
Added a feature to permission-hardener so that running permission-hardener print-diagnostics will collect info useful for a bug report.
=== Review updates to helper-scripts PRs by Ben Grande ===
Date: 2025-01-20
Did another review, left comments with suggestions and requests for fixing some things.
=== Enable SSH in user-sysmaint-split's sysmaint-boot.target ===
Date: 2025-01-20
Just had to add ssh.service to a couple of spots in the systemd unit.
=== Test Kicksecure Qubes OS template in preparation for release ===
Date: 2025-01-20
Rebuilt and tested the Kicksecure Qubes template. Worked, though required a tweak to the template to get it to build.
== 2025-01-19 ==
=== Review helper-scripts and user-sysmaint-split PRs from Ben Grande ===
Date: 2025-01-19
Did code review on two PRs. +1 on the changes, with some minor changes requested to the user manipulation library.
=== Add Qubes OS config for passwordless-root ===
Date: 2025-01-19
Added Qubes OS config to helper-scripts for passwordless-root. That's the only place the config looked like it would fit without requiring changes that we don't want to make with adding a qubes-kicksecure package.
Had to untangle some repo issues with derivative-maker, so this took longer than expected.
=== Research possible vuln with access to /dev/xen devices ===
Date: 2025-01-19
Did research and discussed issues with the Qubes OS developers to figure out the potential impact of user-level /dev/xen device access, and potential ways to mitigate them.
=== Get privleap to beta-quality status ===
Date: 2025-01-19
Extensively tested privleap, fixed tons of bugs, improved code quality, improved documentation, and did stress testing to see how it would hold up against a DoS attack. Performs decently even when under attack, appears to function well in all tested situations. Should be considered beta-quality still since only I've tested it, and it hasn't been tested in real-world scenarios.
== 2025-01-18 ==
=== More privleap development ===
Date: 2025-01-18
Got privleap to actually work! All the basic concepts are laid down, and while it's still fragile, it is functional. Most of the development work is done at this point.
=== Write comment about upgrade-nonroot concerns ===
Date: 2025-01-18
Wrote a long comment on the Kicksecure forums refuting an overly dramatic report of a low-impact security issue in upgrade-nonroot.
== 2025-01-17 ==
=== Begin writing privleap ===
Date: 2025-01-17
Spent a bunch of time writing the privleap escalation framework, including refining the spec, creating a library for clients and servers to use, and writing the beginnings of the privleapd server. Attempting to design it in such a way as to be resistant to DoS attacks and crafted data attacks. Published current state of the code on GitHub at https://github.com/ArrayBolt3/privleap.
== 2025-01-16 ==
=== Sudoless development, write spec for privleap ===
Date: 2025-01-16
Worked more on getting tools in Kicksecure to not require root. Also wrote a specification for a new privilege escalation tool, privleap, which will be available even in user mode (not sysmaint) to avoid losing too much functionality. Did initial design with Patrick.
== 2025-01-15 ==
=== Fix Polkit in sysmaint mode for Kicksecure ===
Date: 2025-01-15
Figured out why polkit (and thus pkexec, gparted, and zuluCrypt) were all broken under sysmaint mode, and resolved the issue. We weren't starting a necessary authentication agent.
=== Discuss security improvements with Qubes OS devs, refactor kicksecure-meta-packages and qubes-whonix ===
Date: 2025-01-15
Converted two metapackages under qubes-whonix into transitional packages, merging them with kicksecure-qubes-cli and kicksecure-qubes-gui as appropriate. Also ended up starting a conversation over security and usability improvements for Kicksecure and Whonix under Qubes OS with the Qubes developers. Fully realizing the advantages of user-sysmaint-split under Qubes OS may require a substantial amount of additional work, including kernel- and bootloader-level development.
=== Rebuild, test, and debug the Kicksecure template again ===
Date: 2025-01-15
Built a fresh Kicksecure template and tested it. Discovered it still had some substantial issues that prevent it from being made official, most notably the lack of proper icons in Thunar and other XFCE applications. It's better than it was previously though.
=== Review and improve Patrick's modifications to permission-hardener migration code ===
Date: 2025-01-15
Reviewed, discussed, and made some more improvements to security-misc, to help avoid possible bugs and improve the code's robustness with string splitting.
== 2025-01-14 ==
=== Fix issues in Kicksecure Qubes template ===
Date: 2025-01-14
Found several packages that would be useful in the kicksecure-qubes-cli and kicksecure-qubes-gui metapackages, and added them. Also tried to get qubes-builder-v2 to let me build a template image with this, but ran into serious issues in so doing and gave up after a few failed attempts. May require custom code to get that to work.
=== Investigate CI failure on grml-debootstrap pull request ===
Date: 2025-01-14
Looked into why my PR was failing CI. Turns out the test CI run Patrick did ran more tests than upstream runs, and the one test that flunked on upstream's tests was because of a network issue while downloading deb packages (so most likely transient). Was able to get a working Bullseye build with grml-debootstrap without problems (Bullseye was the version that failed upstream).
=== Research safety of permission-hardening polkit-agent-helper-1 ===
Date: 2025-01-14
Did a bunch of tests on a baremetal Kicksecure install for seeing if polkit-agent-helper-1 was safe to disable or not. Ultimately it appeared to have no functional effect when disabled.
=== Publish security vulnerability details for live-build ===
Date: 2025-01-14
Published the full PoC for the live-build MitM vulnerability, along with recommendations about how to mitigate it. Reported it on the appropriate Debian bug report.
=== Fix new_mode database corruption from old permission-hardener ===
Date: 2025-01-14
Discovered that the new_mode database suffered from very similar problems to the existing_mode database, and added logic for repairing that as well.
=== Speed up permission-hardener migration code ===
Date: 2025-01-14
Added some extra logic to the permission-hardener migration code to allow it to only scan specific packages for modified files, rather than scanning every package on the system. permission-hardener migration is now nearly instant.
== 2025-01-13 ==
=== Add a shutdown systemctl unit to user-sysmaint-split ===
Date: 2025-01-13
Made user-sysmaint-split automatically lock the sysmaint account password on shutdown. This is done with a systemd unit that runs at shutdown.
=== Polish permission-hardener v1 to v2 migration code ===
Date: 2025-01-13
Made several changes to the migration code at Patrick's request, fixing various minor issues and improving code quality.
== 2025-01-12 ==
=== Experiment with allowing grub-pc and grub-efi to be co-installed ===
Date: 2025-01-12
Did a test build of the GRUB bootloader that allowed grub-pc and grub-efi to be co-installed. Initial results seem promising, although work will be needed to make it function properly. Reported results on a related bug in Debian.
=== Test IPv6 PRs again, report results to DanWin ===
Date: 2025-01-12
Managed to get the IPv6 PRs to allow a whonix-gateway and whonix-workstation VM to communicate to each other over IPv6. The gateway is still using IPv4 to talk to the Tor network however. Reported to DanWin.
=== Remove leaked resolv.conf from VM and ISO builds ===
Date: 2025-01-12
Added code to initializer-dist that removes a leaked resolv.conf file from VM and ISO builds. Mostly tested, I didn't test the final iteration due to the amount of time it was taking, but I would be pretty surprised if it didn't work.
=== Develop permission-hardener migration code for v1 to v2 upgrade ===
Date: 2025-01-12
Made it so that permission-hardener can automatically fix its state on upgrade by installing a static state file via the postinst. Tested and appears to work.
=== Further improvements to grml-debootstrap PR ===
Date: 2025-01-12
Made several improvements to the grml-debootstrap PR, including cutting out the ARM_EFI_TARGET variable, fixing EFI bootloader installation on i386 and arm64, and making cross-building arm64 on amd64 actually work.
== 2025-01-11 ==
=== Polish EFI handling in grml-debootstrap PR ===
Date: 2025-01-11
Added a --efi-id option to the grml-debootstrap PR, and got the EFI bootloader to be installed by the Debian package rather than requiring an explicit grub-install command.
=== Fixed rads integration in user-sysmaint-split ===
Date: 2025-01-11
Made sysmaint-boot.target launch the rads service rather than doing it in the sysmaint-boot script. Tested on both a KVM-accelerated VM and a QEMU-emulated one to attempt to shake out race conditions.
=== Further polish on dist-installer-cli ===
Date: 2025-01-11
Improved the security of many sudo calls, removed the need for a bunch of shellcheck overrides, and did a lot of testing and debugging on my work from yesterday.
== 2025-01-10 ==
=== Fix issues with dist-installer-cli updates (untested) ===
Date: 2025-01-10
Refactored my earlier work on dist-installer-cli to remove Shellcheck errors and improve the security of sudo calls. Also changed helper-script's root_cmd.sh to accept environment variables for customizing the sudo command. This is currently untested, as I didn't have the time to do testing today.
=== Study and discuss DNS-related security hardening ===
Date: 2025-01-10
Read a bunch of material on DNS security shared with me by Patrick, and attempted to come up with a solution to the problems that were encountered when attempting to enable DNSSEC by default last time. Also argued against using DoH or a third-party DNS server.
=== Document networking-related changes ===
Date: 2025-01-10
Documented the new privacy- and security-enhancing PRs that were merged, enabling ARP filtering, selective ignoring of ARP requests, ignoring gratuitous ARP packets, and disabling shared media redirects. Documentation includes rationale for setting each option and instructions for undoing them.
== 2025-01-09 ==
=== Fix UEFI bootloader updates in grml-debootstrap-built VMs ===
Date: 2025-01-09
Debugged issues related to UEFI bootloader installation in a VM built with grml-debootstrap, and implemented a fix for them. This will require some additional code in derivative-maker for everything to work completely, but at least things will work right upstream now.
=== Add Wayland and SDDM support to user-sysmaint-split ===
Date: 2025-01-09
Added a Wayland session and SDDM support to user-sysmaint-split. The Wayland session isn't actually usable as it relies on labwc, which is only available in Debian Trixie and higher, but it should theoretically work. SDDM support is working and tested.
== 2025-01-08 ==
=== Study and document Wayland behaviors wrt. virtual terminals and IPC ===
Date: 2025-01-08
Did research and read through some SwayWM and wlroots source code to learn how Wayland compositors handle TTY switching and inter-process communication, for the purpose of adding documentation to the Strong User Account Isolation wiki page.
=== Fix repository-dist run failure in Kicksecure and Whonix Qubes templates ===
Date: 2025-01-08
Determined why repository-dist wasn't being run during or after Kicksecure and Whonix Qubes template builds, after much debugging. Fixed issues in qubes-builderv2 and in both templates.
== 2025-01-07 ==
=== Study more SUID executables in Kicksecure ===
Date: 2025-01-07
Studied a list of SUID executables Patrick built. Determined which ones were important and needed to remain SUID, which ones may be worth further review, and which ones we can safely disable.
=== Polish dist-installer-cli cross-user installation support ===
Date: 2025-01-07
Fixed many bugs in the previous work on dist-installer-cli, which work was intended to allow the installer to run in Kicksecure's sysmaint mode. Got VirtualBox-based VM installation working well on Debian and Kicksecure. Installation on Fedora seems to be broken for reasons unrelated to the modified code, as does support for downloading KVM virtual machines.
=== Report research results to Purism ===
Date: 2025-01-07
As discussed.
=== Research and describe reason for pam_wheel fix working ===
Date: 2025-01-07
Wrote a detailed description of why a bug with sudo automatically failing authentication was solved by making pam_wheel only run when su is being called.
=== Adjust permission-hardener to assume a merged /usr directory ===
Date: 2025-01-07
Researched and found out Bookworm always uses a merged /usr directory (/bin, /sbin, /lib, etc. are no longer used and are now symlinks to the corresponding directories under /usr). Adjusted permission-hardener to assume /usr is always merged, for simplicity's sake.
=== Attempt to reproduce permission revert bug with refactored permission-hardener ===
Date: 2025-01-07
Patrick was running into a bug I had noticed in an earlier version of the refactored permission-hardener code which resulted in SUID permissions being incorrectly restored to files that were supposed to have those permissions stripped. I attempted to reproduce this with the newest code (which was supposed to have this issue fixed) and was unable to reproduce.
== 2025-01-05 ==
=== Start porting dist-installer-cli to work in sysmaint mode ===
Date: 2025-01-05
Added functionality to dist-installer-cli that should allow it to install Kicksecure or Whonix on a different user account than the one it is running as. This should allow it to continue to function normally on non-Kicksecure systems, but also allow it to function within the sysmaint mode of Kicksecure. This is untested but looks like it should work.
=== Debug usability-misc failure to execute during Kicksecure template build on Qubes OS ===
Date: 2025-01-05
Determined that the most likely reason the derivative.list file isn't being created is because an environment variable is either being ignored or not being properly passed through. Have not yet determined how to get that environment variable to pass through. Debugging is taking long due to the long build times.
=== Attempt to fix sysmaint-panel support on Qubes OS ===
Date: 2025-01-05
Used diversion to reconfigure su's PAM configuration so that pam_wheel could be used only for su calls rather than for all system authorization calls. Ultimately this solution didn't end up being considered sufficient, but it did work.
=== Test permission-hardener PR on Qubes Whonix ===
Date: 2025-01-05
Tested the new permission-hardener on a whonix-workstation-17-dvm qube. Could not reproduce the issue Ben Grande noticed with write and wall.
== 2025-01-04 ==
=== Test and fix documentation for building the Kicksecure template ===
Date: 2025-01-04
Replaced my Qubes R4.3 installation with a Qubes R4.2 installation, then worked through the instructions for building the Kicksecure template from scratch. Fixed some problems, added some more known issues, and verified that the instructions worked.
=== Create prototype implementation of BIOS+UEFI boot support for Calamares ===
Date: 2025-01-04
Got Calamares to install both BIOS and UEFI bootloaders during OS installation. Submitted the prototype implementation as a draft PR.
=== Upload Calamares 3.3.12 backport to Debian Mentors ===
Date: 2025-01-04
Created and tested a simple backport of Calamares 3.3.12 to Bookworm. Notified the maintainer of this backport's existence once done.
== 2025-01-02 ==
=== Find root cause of ARM64 ISO build failure on Qubes OS ===
Date: 2025-01-02
Traced the build failure to a bug in QEMU when running under Qubes, resulting in an intermittent python3 segfault. Bug doesn't exist in the version of QEMU in bookworm-backports, using that version of QEMU on the build host VM allows the build to succeed.
=== Debug sudo failures when using sysmaint-panel on Qubes OS ===
Date: 2025-01-02
Determined why privileged sysmaint-panel operations were failing with a threefold authentication failure with no password prompts. Documented the reason for the problem and started discussing with Patrick how to resolve the issue.
== 2025-01-01 ==
=== Reproduce ARM64 ISO build failure on Qubes OS ===
Date: 2025-01-01
Found three bugs when doing ARM64 builds of Kicksecure in a Kicksecure qube under Qubes OS. All of them are very strange, one of them might be the result of umask changes but I'm not entirely sure.
=== Test permission-hardener refactored code on Whonix ===
Date: 2025-01-01
Attempted to reproduce a bug noted by Ben Grande by testing the new permission-hardener on Whonix. Could not reproduce bug. Also fixed a merge conflict.
== 2024-12-31 ==
=== Polish Kicksecure Qubes template build ===
Date: 2024-12-31
Fixed up the Kicksecure Qubes template configuration, tested it, and submitted a PR to Qubes.
== 2024-12-30 ==
=== Get qubes-builderv2 to build the Kicksecure template ===
Date: 2024-12-30
Fought with qubes-builderv2, creating a patch that allowed building the Kicksecure template. This patch isn't suitable for upstreaming, I need to work on it more first.
=== More fixes for sysmaint mode ===
Date: 2024-12-30
Fixed more issues with sysmaint mode and sysmaint-related code, tested and pushed. This included fixing issues with "classic" builds that don't have sysmaint mode present.
== 2024-12-29 ==
=== Fix GRUB boot menu organization ===
Date: 2024-12-29
Spent a long time figuring out how to get the advanced boot options in the GRUB menu to either go away entirely or move somewhere less obtrusive (they were appearing interleaved throughout the boot menu previously). After much discussion and experimentation, I finally got a solution both me and Patrick were happy with. Pushed to Git and ready for review.
=== Attempt to reproduce German keyboard layout issue with Calamares ===
Date: 2024-12-29
Did a German installation of Kicksecure in a VM, could not reproduce installation failure. Asked for more info from the user experiencing the problem.
=== Finish initial draft of verified boot firmware and device requirements ===
Date: 2024-12-29
Finished putting together the requirements needed to allow Kicksecure to implement a hopefully robust verified boot system. Did lots of research and brainstorming with Patrick. Needs some more review, but it should be close to done.
== 2024-12-28 ==
=== More firmware authentication relay attack research ===
Date: 2024-12-28
Fleshed out potential problems with the original threat model in the relay attack writeup, changed some of the hardware design concepts to allow specifying a different and easier-to-defend-against threat model, and laid out how firmware authentication with such a threat model would work. Also researched existing solutions in this area.
== 2024-12-27 ==
=== Investigate firmware authentication relay attack avoidance ===
Date: 2024-12-27
Made a detailed writeup about firmware authentication techniques and relay attacks. Didn't quite finish it, there's still some loose ends to tie up and more things to figure out.
== 2024-12-26 ==
=== Brainstorm firmware requirements for verified boot ===
Date: 2024-12-26
Discussed with Patrick what a firmware implementation needed to provide to allow us to provide a robust verified boot implementation without creating hardware that was incompatible with other major Linux distributions. Came up with a good set of ideas that are mostly complete. Needs a bit more polish.
=== ISO sysmaint mode fixes and improvements ===
Date: 2024-12-26
Made more patches for making sysmaint mode work properly both on the ISO and on installed systems.
=== Review shadow and ssh wiki content ===
Date: 2024-12-26
Reviewed, tested, and augmented the new shadow and ssh documentation on the User and SSH pages.
== 2024-12-25 ==
=== More polishing of ISO sysmaint mode ===
Date: 2024-12-25
Fixed a bunch of bugs in ISO sysmaint mode. After discussion with Patrick, it turns out some (thankfully not most) of these bugfixes ended up being problematic themselves, so I'm going to be fixing those very soon.
=== Finish permission-hardener refactor ===
Date: 2024-12-25
Finished refactoring the permission-hardener code. Tested it, created test code for it, and opened a PR so it can be reviewed.
== 2024-12-24 ==
=== Continue refactoring permission-hardener ===
Date: 2024-12-24
Got most of the code for the permission-hardener refactor written. Still need to write the code for applying a calculated state to the filesystem, and then I need to test the code.
=== Redo PBKDF merge request for kpmcore ===
Date: 2024-12-24
Took the code from an earlier merge request to kpmcore, and polished it up so it was ready to merge. This will allow applications like Calamares to configure the PBKDF to use in the future at some point.
=== Polish ISO sysmaint mode ===
Date: 2024-12-24
Fixed several issues in the ISO sysmaint mode, changing six repos in the process. Also made it so that if a password is set on the sysmaint account, it doesn't autologin when booting in PERSISTENT mode SYSMAINT.
== 2024-12-23 ==
=== Start refactoring permission-hardener ===
Date: 2024-12-23
Read through permission-hardener, identified some weaknesses in it, created an algorithm that should hopefully make a refactor perform better, and started initial refactoring work.
=== Preliminary ISO sysmaint support ===
Date: 2024-12-23
Developed and augmented needed components to make sysmaint mode work on the ISO. Needs further polish.
== 2024-12-22 ==
=== Fix Secure Boot issues, file bug reports, discuss sysmaint and other development with Patrick ===
Date: 2024-12-22
Filed bug reports against Calamares and grml-debootstrap related to their handling of the fallback bootloader. To avoid needing to wait to fix the bug until we get responses, I created a quick fix for the Secure Boot issues that got the ISO working correctly. Also discussed further development of user-sysmaint-split and other possible new features with Patrick.
=== More drk development ===
Date: 2024-12-22
Fixed several bugs in the Debian Rolling Kit project, and implemented the remove-package command for managing the rolling archive.
=== Debug and fix chsh failure during build ===
Date: 2024-12-22
Somehow changing the user's shell to zsh was requesting authentication during build, resulting in the shell change failing. After debugging, it turned out that the /etc/shells file wasn't updated to include zsh in the list of valid login shells by the time dist-base-files' postinst script was trying to set the user shell. To fix this, I configured live-build to explicitly install zsh before installing a package that pulled in dist-base-files.
=== Make Kicksecure ISO builds use user-configured initramfs ===
Date: 2024-12-22
Previously derivative-maker was hardcoded to always use dracut-live as the initramfs. Now the correct initramfs to use is autodetected based on the user's choice. I did not actually test an initramfs-tools build of Kicksecure, I did ensure that dracut builds continued to work though.
=== Reviewed boot modes wiki page ===
Date: 2024-12-22
Read through the wiki page, added some ideas to it.
=== Debug Secure Boot fallback bootloader problems ===
Date: 2024-12-22
Finally figured out why Secure Boot and the fallback bootloader were interacting with each other poorly - GRUB was not being installed to the removable media path correctly. This was not the result of removing debian-installer, Debian Trixie behaves the same way. This also explains why the last Secure Boot fix worked on my VMs but not for some other people.
=== Verify dracut-config-generic is getting installed onto the Kicksecure ISO ===
Date: 2024-12-22
Mounted a Kicksecure ISO squashfs, chrooted in and verified dracut-config-generic was installed.
== 2024-12-21 ==
=== Review new documentation on Verified Boot page ===
Date: 2024-12-21
Reviewed three new documentation segments on the Verified Boot page, fixing issues and noting down a thing I was confused about.
=== Review USBGuard PR ===
Date: 2024-12-21
Reviewed USBGuard pull request on security-misc for maliciousness, functionality, and correctness. Also did basic testing. Requested that some changes be made.
== 2024-12-20 ==
=== Review ARP-related PRs ===
Date: 2024-12-20
Reviewed and commented on all ARP-related PRs. We should probably document how to disable most if not all of these settings.
=== Attempt to test IPv6 pull requests on Qubes OS ===
Date: 2024-12-20
Tried (and failed) to get a cloned Whonix-Gateway / Whonix-Workstation VM pair running on Qubes with the IPv6 PRs installed. Could not get Qubes OS to behave properly when configuring a VM to provide networking to other VMs.
=== Improve sysmaint documentation ===
Date: 2024-12-20
Added documentation on using sysmaint mode, including documenting the warning it displays when logging into a console session, and documenting the restrictions it has on when certain accounts can be logged into.
=== Bug fixes and improvements to user-sysmaint-split and sysmaint-panel ===
Date: 2024-12-20
Made a bunch of fixes to various aspects of the user-sysmaint-split system, making all changes Patrick requested and also fixing things such as multi-monitor support. The system is potentially pretty close to ready for beta-testing at this point.
== 2024-12-19 ==
=== Test IPv6 pull requests on libvirt ===
Date: 2024-12-19
Attempted to make DanWin's IPv6 PRs work on libvirt. Could not get it working despite configuring IPv6 NAT as best as I could. Reported issues on one of the PRs.
== 2024-12-18 ==
=== More development on sysmaint mode ===
Date: 2024-12-18
Made changes to user-sysmaint-split, sysmaint-panel, security-misc, and helper-scripts to prepare sysmaint mode for release and general use. Needs more testing before it's ready for release, but it's very close to ready.
=== Test IPv6 support for Whonix ===
Date: 2024-12-18
Reviewed new changes in DanWin's IPv6 support code, built and tested it. Could not get it to work, I think DanWin explained why but I'm not sure what's needed to make it work.
=== Prepare NMU for Calamares 3.3.12 fix ===
Date: 2024-12-18
Created a simple NMU to fix the bug keeping Calamares 3.3.12 from migrating. Asked for help with sponsorship, but no one in #debian-devel volunteered so I'll probably have to ask someone I know for help there (thankfully that's easy).
== 2024-12-17 ==
=== Further improvements to sysmaint mode graphical session ===
Date: 2024-12-17
Determined how to make a boot mode that would boot into a graphical system maintenance mode session, and in general improved the sysmaint panel app so it would be nice to use. Also did a lot of discussion with Patrick about how to best implement the user-sysmaint split.
== 2024-12-16 ==
=== Work on admin mode graphical session ===
Date: 2024-12-16
Attempted to determine what is needed to create a simple, auto-login graphical session for Kicksecure's admin mode. Ran into trouble with display manager and login-related issues, but made good progress on overcoming those. Also wrote a simple admin control panel app.
== 2024-12-15 ==
=== Study Verified Boot ===
Date: 2024-12-15
Did a very large amount of study on Verified Boot and technologies that could be used to implement it, discussing concepts and design ideas with Patrick and documenting a potential design idea. The design needs more polishing and might not be practical yet, but it looks potentially hopeful.
=== Prevent VirtualBox from attempting to auto-install Kicksecure ===
Date: 2024-12-15
VirtualBox's automatic installation feature is incompatible with Kicksecure, but because Kicksecure's ISO was identifying itself as a Debian ISO in /.disk/info, VirtualBox was treating it as Debian and attempting to autoinstall it. This would result in failure to boot. To resolve this, I changed our fork of live-build to identify the ISO as being a Kicksecure ISO instead, which resolved the issue - VirtualBox no longer attempts to autoinstall from Kicksecure ISOs.
== 2024-12-14 ==
=== Add config file purge feature to dummy-dependency ===
Date: 2024-12-14
Added --remove and --purge switches to dummy-dependency, which can be used to explicitly choose whether or not to remove conffiles when replacing a package with a dummy package. By default, --remove is used, which keeps the conffiles.
=== Implement ISO integrity self-check ===
Date: 2024-12-14
Added easy ISO self-verification support to live-build, submitted it as an upstream MR, and merged it into our custom fork of live-build, enabling it in derivative-maker.
== 2024-12-12 ==
=== Investigate dracut-config-rescue ===
Date: 2024-12-12
Investigated whether it would harm anything to remove dracut-config-rescue, or if it would improve things if it were removed. The package is supposed to include various useful utilities that users might want in the event they get dropped to a Dracut rescue shell. Based on my research (done by rebuilding and unpacking initramfs files on a live ISO), it seems to not be being used at all, so it should be fine to remove. (We don't even want the rescue shell to be enabled by default anyway, so any harm that could be caused by removing this is likely to be minimal.)
=== Investigate memtest86+ signing ===
Date: 2024-12-12
Memtest86+ is not signed, so it doesn't work on systems with Secure Boot enabled. Sent an email asking what can be done to help move things forward so Memtest86+ can be signed.
=== Integrity check and DRK development ===
Date: 2024-12-12
After debugging an issue that Patrick and I originally thought was the result of a corrupted ISO, Patrick had the idea of adding integrity checking to the ISO. This can be done with Dracut using the isomd5sum package. Got support for it working in live-build, however it currently only works on Trixie for reasons unknown to me (it always fails on Bookworm). Needs more development before it's ready for merge and release.
While waiting for very long builds (partially caused by accidentally building for arm64 rather than amd64 a couple of times), I worked on the Debian Rolling Kit some more. So far I have a working dependency resolver that can take a source package name as input, and spit out all binary packages in its dependency tree that have newer versions in Unstable than in Testing.
== 2024-12-11 ==
=== Start writing Debian Rolling Kit (drk) ===
Date: 2024-12-11
Finally managed to get the Debian Archive Kit (dak) working. There's quite a bit of tooling that appears to be missing before maintaining a rolling archive will be practical, so I started writing it in Python. Since it complements the Debian Archive Kit, I called it the Debian Rolling Kit.
=== Test PR for optional squashfses in Calamares ===
Date: 2024-12-11
One of the Lubuntu devs heard that I wanted to add support for optional squashfses to Calamares, and decided to implement it and make a PR for it. Tested it, it appears to work well. (Thanks to Simon Quigley for writing the code for this!)
=== Fix Secure Boot and multiarch support ===
Date: 2024-12-11
Polished bootloader installation code to ensure that Secure Boot and non-amd64 systems were properly supported.
== 2024-12-10 ==
=== Experiment with creating Debian Rolling ===
Date: 2024-12-10
Set up a Debian Bookworm server VM, installed the Debian Archive Kit (dak), and began investigating how to set up a rolling archive on my local machine. This was tricky since dak's installer was broken, and the documentation was bad, so I haven't made a whole lot of progress, but I have a good foundation laid out.
=== Test Secure Access Key with LXQt Wayland, report bug ===
Date: 2024-12-10
Discovered that Alt+SysRq+R + Alt+SysRq+K did not work as expected under QEMU with virtio graphics and no 3d acceleration. This might be specific to my setup, but parts of it might not be, so I reported it upstream.
=== More Kicksecure live-build ISO enhancements ===
Date: 2024-12-10
* Reverted to old GRUB config for graphics handling, since it worked better
* Changed the data reported on the ISO boot menu so that full version information was included and superfluous data was removed
* Added memtest86+
* Added a 30-second timeout before automatically booting the live session
== 2024-12-09 ==
=== Send bug reports for the ISO changed files issues ===
Date: 2024-12-09
Thoroughly studied each of the changed files, writing bug reports as appropriate and testing things as needed.
=== Review boot modes wiki page ===
Date: 2024-12-09
Looked at the boot modes page, made notes about things that may need to change.
=== Brainstorm and experiment with sudoless implementations ===
Date: 2024-12-09
Experimented with ways to implement sudoless support in Kicksecure, and brainstormed ideas with Patrick. Ultimately sudo and pkexec will retain their SUID bits but not be executable by anyone but the admin user. We may also want to allow switching between the admin and primary users without requiring a reboot. The admin account ''may'' be ephemeral (although we haven't entirely decided on whether this is a good idea or not yet), and Wayland will be used to improve security by avoiding potential vulnerabilities in X that could be exploited via the world-accessible UNIX sockets X makes available under /tmp/.X11-unix.
== 2024-12-08 ==
=== Research and start developing sudoless support ===
Date: 2024-12-08
Did a lot of research to determine what needed to change in Kicksecure and Whonix to make it sudoless (i.e., sudo or similar tools cannot be used when booted in 'user mode', and can only be used if booted into 'admin mode'). Also reimplemented livecheck's functionality in a sudoless manner, it was one of the few spots where it was practical to just remove the need for sudo entirely.
=== Document comparing git tags in derivative-maker ===
Date: 2024-12-08
Did a lot of study and experimentation on how to compare git tags to each other in derivative-maker, without ignoring changes in submodules. Found a solution involving using git diff --submodule=diff and a PatchViewer web application. Attempts to make a difftool-like utility for this were unsuccessful.
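What `git diff --submodule=diff` adds over a plain tag-to-tag diff, shown as an added example that is not derivative-maker's own tooling. The repository layout, tag names (old-tag, new-tag) and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a superproject with one submodule and two tags, used to
# compare a plain tag diff with `git diff --submodule=diff`.

# Fixed identity so commits work on a machine without any git configuration.
GIT_AUTHOR_NAME=demo
GIT_AUTHOR_EMAIL=demo@example.invalid
GIT_COMMITTER_NAME=demo
GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

# Build the demo repositories in a temp dir; print the superproject path.
build_demo_repo() {
    work=$(mktemp -d) || return 1
    {
        # The repository that will be used as a submodule.
        git init -q "$work/sub" &&
        printf 'echo "helper v1"\n' > "$work/sub/helper.sh" &&
        git -C "$work/sub" add helper.sh &&
        git -C "$work/sub" commit -q -m 'helper v1' &&

        # The superproject, tagged once with the submodule at "helper v1".
        git init -q "$work/super" &&
        printf 'demo superproject\n' > "$work/super/README" &&
        git -C "$work/super" add README &&
        # Current git refuses local-path submodules unless file transport
        # is allowed explicitly for this one command.
        git -C "$work/super" -c protocol.file.allow=always \
            submodule --quiet add "$work/sub" sub &&
        git -C "$work/super" commit -q -m 'add submodule' &&
        git -C "$work/super" tag old-tag &&

        # Change a file inside the submodule, record the new submodule
        # commit in the superproject, and tag again.
        printf 'echo "helper v2"\n' > "$work/super/sub/helper.sh" &&
        git -C "$work/super/sub" commit -q -am 'helper v2' &&
        git -C "$work/super" add sub &&
        git -C "$work/super" commit -q -m 'bump submodule' &&
        git -C "$work/super" tag new-tag
    } >/dev/null 2>&1 || return 1
    printf '%s\n' "$work/super"
}

# Plain diff: a submodule change appears only as two "Subproject commit" ids,
# so the actual code change inside the submodule is invisible to a reviewer.
diff_tags_plain() {
    git -C "$1" diff --submodule=short "$2" "$3"
}

# With --submodule=diff, git descends into the checked-out submodule and
# prints the file-level changes between the two recorded commits.
diff_tags_with_submodules() {
    git -C "$1" diff --submodule=diff "$2" "$3"
}

repo=$(build_demo_repo) || { echo 'demo setup failed (is git installed?)' >&2; exit 1; }
echo '== plain tag diff =='
diff_tags_plain "$repo" old-tag new-tag
echo '== tag diff with --submodule=diff =='
diff_tags_with_submodules "$repo" old-tag new-tag
rm -rf "$(dirname "$repo")"
```

The submodule must be checked out in the working tree for `--submodule=diff` to show file contents, since git reads both commits from the submodule's own object store.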
=== Determine if run0 is suitable for Kicksecure ===
Date: 2024-12-08
Studied run0 (a sudo alternative), determined it was not suitable for use in Kicksecure and Whonix, and wrote a reply to Patrick about why.
=== Propose a solution to shipping machine-ids ===
Date: 2024-12-08
Currently we're shipping hardcoded machine ID files for Kicksecure and Whonix, intentionally. The problem with this is that Debian does not expect these files to be package-controlled, but expects them to be dynamically generated. Thus there is some code in tools like live-build that wipes ephemeral machine IDs, and other code elsewhere in Debian that generates new ones. It would therefore be a good idea to switch to dynamically generating machine IDs, even if it's just to put a static ID on the disk. The machine ID files should NOT be shipped by a package. We can leverage Calamares for this, it's designed for it.
=== Disable both recovery modes ===
Date: 2024-12-08
Added code to disable both the single-user mode boot options, and the ability to drop to Dracut's recovery shell. Both of these will be easily bypassable until such a time as a bootloader password is implemented, but they may provide a minor amount of protection for now, and potentially a substantial amount in the future.
=== Added fwupd to Kicksecure ISO, experiment with live-build dm-verity ===
Date: 2024-12-08
Added fwupd and fwupd-signed to Kicksecure's live-build ISO, taking into account architecture-specific concerns with fwupd-signed. Tested amd64 builds and ensured they still worked. While waiting for this build, I also experimented with the --dm-verity option in live-build, which proved to be not supported at all when Dracut is used as an initramfs. Development work will be needed to get that working.
== 2024-12-07 ==
=== Research derivative-maker git tag comparison ===
Date: 2024-12-07
Tested Patrick's script for reviewing code changes between git tags in derivative-maker, including changes in submodules. This script had some issues, many of which were caused by the behavior of git diff, so I wrote a script that mimicked git difftool --tool=meld --dir-diff's behavior but including submodules in the picture. Also sent a feature request / offer to contribute a feature to Git to see if we can solve the problem upstream.
== 2024-12-05 ==
=== Researched implementing safe_echo with formatting support ===
Date: 2024-12-05
Looked at issues that were being experienced with safe_echo and formatting, and came up with a potential solution for resolving them after researching ANSI escape codes.
=== Researched previous Debian rolling release attempts ===
Date: 2024-12-05
Looked into DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) and a practical proposal for implementing a Debian rolling release (https://lists.debian.org/debian-devel/2011/05/msg00275.html). There appears to be a potential way forward here, there's just some serious hurdles and no one's had the time or motivation to implement the proposals.
=== Enhance live-build ===
Date: 2024-12-05
Fixed several bugs and added enhancements to live-build.
== 2024-12-04 ==
=== Investigate live-build downloads ===
Date: 2024-12-04
Reviewed live-build file download code.
=== Investigate strange vm-config-dist reinstallation bug ===
Date: 2024-12-04
Determined that vm-config-dist's Installed-Size somehow differed between the local build of Kicksecure and the remote repo. This is not a change in the deb file, but rather a difference in the metadata provided as part of an apt repo.
== 2024-12-03 ==
=== Improve swap-file-creator heuristics ===
Date: 2024-12-03
Added logic to swap-file-creator and helper-scripts' calculate-swap-size script to cap the swap file size at 10% of the total size of the disk. Tested, the new code appears to work right and passes Shellcheck. calculate-swap-size's regression tests pass and also now include a test for small disks.
=== Review potential package additions for the ISO ===
Date: 2024-12-03
Looked at three packages Patrick suggested potentially adding to the ISO, to see if they needed to be added or not. (The packages were specifically mokutil, keyutils, and efibootmgr.) All three are being installed on our ISOs by default, and I don't think it's a good idea to explicitly add any of them. Documented this in dev/todo.
=== Investigate debsums warnings ===
Date: 2024-12-03
Discovered that all warnings about changed files shown by debsums were the result of live-build. Documented why each file is changed, and what might be able to be done to avoid needing to change those files, or mitigate undesirable effects of having to change them.
=== Finish debugging SDDM lockup issues ===
Date: 2024-12-03
Found the root cause of the SDDM lockup issues, created a patch that resolves them, and sent a bug report to Debian with the results. (Two different bugs were at work, one being an incomplete socket read issue, and another being a regex match issue.)
== 2024-12-02 ==
=== Add generic multi-arch support to derivative-maker's live-build code ===
Date: 2024-12-02
Added the ability to (in theory) build Kicksecure for any officially supported Debian architecture. amd64 builds and arm64 cross-builds on an amd64 system are both tested, other architectures have not been tested.
=== Work on debugging SDDM lockup issues ===
Date: 2024-12-02
Debian systems that use SDDM can be rendered difficult to log into after distro-morphing to Kicksecure. Typing a wrong password at the SDDM screen results in all further login attempts causing SDDM to hang, until the user logs in successfully some other way. Logging in some other way (for instance, at a TTY) results in being able to log in via SDDM again. I attempted to determine what was going wrong, but failed to find the root cause. More debugging is needed.
=== Research Calamares' use of Argon2id for LUKS2 ===
Date: 2024-12-02
Determined that Calamares was using Argon2id for LUKS2 on Kicksecure, but only because of cryptsetup defaults. Followed up on an MR for libkpmcore that could be used to fix this.
== 2024-12-01 ==
=== Debug and fix arm64 build failure ===
Date: 2024-12-01
Figured out why tirdad was failing to build on arm64 (turns out it doesn't support Livepatch). Resolved with changes to derivative-maker to install dummy-dependency-tirdad instead on arm64.
Also did review work and wrote an (as of yet untested) script for building doas config snippets into a config file while waiting for builds to complete.
== 2024-11-29 ==
=== Polish Calamares filesystem restriction PR ===
Date: 2024-11-29
Ran a bunch of tests on the Calamares filesystem restrictions PR, fixing several bugs in the process. There's one stubborn bug remaining that I'll need to work out before this is mergeable, but it's very close, and the Calamares devs appear to be ready to merge when it's ready for merging.
=== doas feature requests ===
Date: 2024-11-29
Discussed doas feature requests on the OpenBSD tech mailing list. All feature requests appear to have been rejected, so we'll have to use wrapper scripts to implement the needed functionality. I originally thought wrapper scripts were a bad idea, but the lead OpenBSD dev seems to be in favor of that solution, so it should be OK.
== 2024-11-28 ==
=== arm64 builds, umask, doas, immutable root testing ===
Date: 2024-11-28
Ended up lumping all of these topics into one because most of the things I worked on were done while waiting for very slow arm64 cross builds of Kicksecure to finish or fail.
Got arm64 builds of Kicksecure's ISO working with live-build. Ended up finding a bug in one of our live-build patches and a bug in live-build upstream in the process, also found several spots in the configuration and ISO build script that needed fixed in order for the ISO to build. I managed to get a working ISO that was bootable using a UEFI-enabled arm64 emulator. amd64 builds still work and appear to be good. So far only cross-building arm64 on amd64 has been tested, I have not yet tested native arm64 builds.
Finished researching umask hardening, and made a pull request that enables it. Turns out a mixture of PAM and sudoers settings should work for this.
Sent an email to the OpenBSD development mailing list to see if they're willing to accept doas patches for adding the functionality we want.
Tested both Debian and Kicksecure installations with a fully read-only root partition. Sadly this did not end up working, making the root partition read-only makes it impossible to get a graphical user environment, and with Kicksecure it makes it impossible to even get a console login.
=== Finalized and pushed pkexec fixes ===
Date: 2024-11-28
Worked out the remaining issues with the pkexec fixes and pushed them.
== 2024-11-27 ==
=== Investigate how OpenSSH handles umask ===
Date: 2024-11-27
Researched how OpenSSH launches programs and shells, and how it handles umask. Much of this involved reading through part of the (thankfully very well-commented) source code of OpenSSH itself. Documented how umask is handled and relevant info about how shells are launched in dev/todo.
=== Polish physical attack protection docs ===
Date: 2024-11-27
Fixed some minor issues with the original docs, and filled out the section about hardware tampering detection with more detailed info. In the future we may also want to document writing one's own grub.cfg files for fine-grained control over bootloader password settings.
=== Fix pkexec policykit config ===
Date: 2024-11-27
Mostly fixed issues found previously, need input from Patrick on how to finish fixing this.
=== Fix network configuration settings for live-build ISO builds ===
Date: 2024-11-27
grml-debootstrap was previously being used to write /etc/hosts and /etc/hostname for ISO builds. The new live-build method of building ISOs didn't do this, resulting in these files not being properly configured. Code has now been added to properly configure them.
=== Try to reproduce lightdm and sleep issues on physical hardware ===
Date: 2024-11-27
After I failed to reproduce the bug mentioned by sam on the Kicksecure Forums in a virtual machine, I installed Debian 12 Cinnamon onto a USB drive using my primary laptop, booted from it, and distro-morphed to Kicksecure, using the kicksecure-xfce-host package to see if that would cause the problem. I still could not reproduce either the SDDM freezes or the sleep issues. Left a comment on the forums with some ideas about why this might be happening.
== 2024-11-26 ==
=== Review pkexec policies and privileged scripts connected to them ===
Date: 2024-11-26
Did a security review on the two pkexec action policies we ship, along with the privileged scripts they point to. Shared results of the review with Patrick.
=== Research using capabilities in place of root access ===
Date: 2024-11-26
Did more research on how capabilities work under Linux, and whether they can be used to replace root access in Kicksecure. Unfortunately I do not believe this to be practical, due to the fact that the capabilities system would likely require extensive permissions modifications and changes to systemd units in order to make it work. Debian is not designed to work this way. The security benefits of mixing traditional privilege control with capabilities aren't all that powerful, and even a total port to the capabilities system wouldn't confer good security advantages without careful planning.
== 2024-11-25 ==
=== Review rads code ===
Date: 2024-11-25
Reviewed the source code of RAM Adjusted Desktop Starter to see if it looked like the source of the distro morphing glitch bug. Found a couple of minor issues, but it did not appear to be the source of the issue.
=== Determine difficulty of replacing sudo with doas in Kicksecure and Whonix codebases ===
Date: 2024-11-25
Used grep to scan through all of our code and determine how difficult it will likely be to port from sudo to doas. Some areas look potentially tricky, but it appears doable. Posted the results of the audit as a GitHub Gist and saved a link to it in dev/todo.
=== Do initial research on replacing root access with capabilities ===
Date: 2024-11-25
Researched Linux capabilities, how to use them, and if they could potentially be used to restrict privileges on all set-UID root applications (and potentially even remove the need for an accessible root account). Noted down some of the more useful things found during the research, going to work on this more tomorrow by doing hands-on testing.
=== Attempt to reproduce distro morphing glitches ===
Date: 2024-11-25
Did a distro morphing install on Debian KDE to see if I could get the login manager or sleep to break. Failed to reproduce the bug. Need to try again with a slightly different method of distro morphing.
== 2024-11-24 ==
=== Rewrite str_replace and str_match in Python ===
Date: 2024-11-24
After Qualys found the needrestart vulnerabilities, we decided to double-check those parts of our codebase that used Perl and harden them if necessary. Most of our uses of Perl only process trusted input, or only process input in a way that is likely to be safe. However, str_replace and str_match seem like they could reasonably be used to handle untrusted data and might not be called in a definitely safe fashion, and so just in case, I rewrote them in simple, straightforward Python, linting it with PyCharm and testing str_replace with dm-packaging-helper-script's pkg_descr_creator and pkg_descr_merge_all functions, ensuring that the new versions generated identical output to the old versions.
=== Overhaul Calamares filesystem restrictions pull request ===
Date: 2024-11-24
Made all changes requested by the Calamares devs. This ended up being a large job, as one of the requested changes was an additional validation layer that proved to be very difficult to implement well. It was able to be implemented however, and it seems to be working properly.
== 2024-11-23 ==
=== Test, bugfix, and discuss the Calamares filesystem restrictions pull request ===
Date: 2024-11-23
Tested the code currently used to implement the Calamares filesystem restrictions feature. It passed a thorough test plan, but ultimately was not usable as-is - a Calamares developer discussed it with me, pointed out several flaws that needed resolved, and helped me figure out how to best resolve them.
=== Research Python and Perl security pitfalls ===
Date: 2024-11-23
Carefully read the Qualys needrestart vulnerability report, along with the link to the Phrack article by rain.forest.puppy and two documentation pages from the SEI CERT Perl Coding Standard. Did further research to understand better the risks of the vulnerabilities and weaknesses listed. Also found a link to a number of common Python pitfalls and how to avoid them.
=== Push fixes for sudoers.d issues ===
Date: 2024-11-23
Pushed all fixes for the sudoers.d to GitHub, they are now ready for merging.
== 2024-11-21 ==
=== File Qubes doas support ticket ===
Date: 2024-11-21
Filed an enhancement request in qubes-issues for adding support for Qubes that use doas rather than sudo, explaining how this would potentially benefit Whonix and Qubes OS users.
=== Test permission hardening on home directories ===
Date: 2024-11-21
Discovered that home directory permission hardening does not behave as expected on Kicksecure, regardless of whether I use pre-live-build installation media or post-live-build installation media.
=== Work on sudoers.d related issues ===
Date: 2024-11-21
As discussed.
=== Research default umask settings ===
Date: 2024-11-21
Researched what would be necessary to set a restrictive umask for user accounts, while setting a more relaxed umask for root so as to avoid bugs. Ended up being more complex than expected, it's unclear whether the additional complexity is worth it or not. I documented both my findings and some implementation ideas.
=== Polish restricted filesystems implementation for Calamares ===
Date: 2024-11-21
Debugged issues in my draft implementation from yesterday, implemented changes suggested by a Calamares dev, and did some basic testing on the code to ensure it wasn't badly broken.
== 2024-11-20 ==
=== Create draft implementation of restricted filesystems for Calamares ===
Date: 2024-11-20
Created a work-in-progress implementation of the "let me restrict what filesystems the user can use" feature request for Calamares. This hasn't been tested yet, and it may need substantial changes before it can be merged, but an initial attempt at implementing it is now public and available for discussion.
=== Debug why Calamares 3.3.11 isn't migrating to Trixie ===
Date: 2024-11-20
Found out why Calamares 3.3.11 has been stuck in Sid. Turns out there's a project, calamares-extensions, which the Calamares devs also control, and that they had taken a module from and put it into Calamares itself. This resulted in a file conflict between an old version of calamares-extensions and the newer version of Calamares. Asked the Calamares devs to finalize the release of calamares-extensions so this can be resolved.
=== Attempt to create MRE for live-build apt-cacher-ng conflict ===
Date: 2024-11-20
Wrote and tested a detailed minimal reproducible example for the live-build apt-cacher-ng conflict we ran into with repository-dist. Sadly, while the example I built seems like it ''should'' reproduce the issue, I somehow misconfigured apt-cacher-ng on my test VM and wasn't able to reproduce the issue as a result. Need to come back to this.
=== Remove GRUB boot menu distro icons ===
Date: 2024-11-20
Removed the weird-looking distro icons for Kicksecure and Whonix from the corresponding GRUB menus. These looked out-of-place, and would have probably continued to look out of place even if they weren't static.
== 2024-11-19 ==
=== Audit sudoers configuration files ===
Date: 2024-11-19
Audited Kicksecure and Whonix's sudoers configuration files. Shared results of the audit with Patrick.
=== live-build, use security.debian.org when bootstrapping ===
Date: 2024-11-19
Added the ability for live-build to use a security mirror of the user's choice when bootstrapping an ISO build with mmdebstrap. Added changes to the mmdebstrap upstream merge request, merged them into my main live-build fork branch, and added code to derivative-maker that uses the new feature.
== 2024-11-18 ==
=== Research ArchiveBox ===
Date: 2024-11-18
Found answers for each of the questions we had about ArchiveBox's functionality and installation sources, and recorded them under the ArchiveBox task in dev/todo.
=== More live-build work ===
Date: 2024-11-18
Fixed an issue where the kernel packages were hardcoded to the amd64 architecture in derivative-maker's live-build configuration.
Also attempted to add security mirror support to our version of live-build's mmdebstrap mode. This ended up failing because of multiple hurdles that were hit - one has to pass entire source lines to mmdebstrap in order for it to work in this kind of multi-mirror setup, but at the same time passing entire source lines to live-build as bootstrap mirrors causes it to misbehave badly when writing the chroot's sources.list file. This will require further development to make work right.
=== Debug and fix ISO build failure on Qubes OS ===
Date: 2024-11-18
Reproduced, debugged, fixed, and tested the fix for an issue that would result in ISO build failures on Qubes OS. (/home was being mounted with nodev, causing live-build to break.)
== 2024-11-17 ==
=== Review and clean up sdwdate's url_to_unixtime component ===
Date: 2024-11-17
Did a security review on url_to_unixtime. Found a few minor issues, documented them, also documented things that looked good. Forked sdwdate and pushed fixes for all fixable issues to my fork for review.
=== Test hardened JSON parsing in Tor Browser version detection ===
Date: 2024-11-17
Created and executed a full test plan for the Tor Browser version detection code. It is now ready for review.
Test plan:
* [x] Install updated packages
* [x] Ensure Tor Browser is not installed
* [x] Run AnonDist. Finds correct version of Tor Browser and offers to install it?
* [x] Installation succeeds?
* [x] Update derivative-maker
* [x] Sync tb-updater and developer-meta-files with updated versions
* [x] Run `dm-packaging-helper-script pkg_tor_browser_version_update`. Correctly updated normal, alpha, and arm64 browser versions?
* [x] Run tb-updater unit test with `bash -x unit_test`. Passes?
=== Harden JSON parsing in Tor Browser version detection (wip) ===
Date: 2024-11-17
Wrote code that made parsing JSON for Tor Browser version detection significantly safer. This still needs to be thoroughly tested and peer-reviewed, but it's working pretty decently so far. Implementation is documented on the dev/todo page.
=== Polish archiver script, begin mass link archival ===
Date: 2024-11-17
Added the last bit of needed polish to the archiver script (skipping archive.org Wayback Machine links), then started the script running. It may take a very long time to finish archiving everything, but it runs unattended and rate-limits itself, so it should work.
== 2024-11-16 ==
=== Write mass link archiver script ===
Date: 2024-11-16
Mostly finished a script that extracts all links from the Kicksecure and Whonix wikis, and archives them using archive.today if necessary. Uses mediawiki-shell's existing features to do link extraction. The script still needs to omit archive.org links and onion links, but that's about the only feature it's missing. The script intentionally operates very slowly, in order to avoid overloading the archive.today service.
=== Enhance mediawiki-link-to-archive with archive.today support ===
Date: 2024-11-16
Wrote the code needed for adding archive.today links to the Wiki, documented the intended behavior of the code, and documented followup steps that need to be done in order to deploy it.
=== Review kloak makefile enhancements ===
Date: 2024-11-16
Reviewed contributed enhancements to kloak's makefile, suggesting several changes and commenting on follow-up changes that would be required.
== 2024-11-15 ==
=== Research archive.today link protection operation ===
Date: 2024-11-15
Researched what steps would be needed to archive all pages linked to on the Kicksecure and Whonix wikis, and studied how to best add those links to the wikis. Added all researched info to dev/todo page, including adding a task for making the archive.today frontend capable of extracting the date and time of the last snapshot.
=== Redo Tor Browser version detection logic in dm-packaging-helper-script ===
Date: 2024-11-15
The logic for detecting Tor Browser versions that I originally wrote worked, but used a non-ideal method of version detection that was different than code already present in tb-updater. To resolve this, pkg_tor_browser_version_update now actually uses tb-updater's Tor Browser version detection code, giving us a single source of truth for both tools. Also fixed an easy-to-resolve Shellcheck issue while I was there.
=== Polish archive.today frontend, add to helper-scripts ===
Date: 2024-11-15
Finished the Python-based archive.today frontend. Both Tor and clearnet access work. Added to helper-scripts, deleted the now-obsolete repo used to share the WIP version with Patrick.
== 2024-11-14 ==
=== Finish most of py-archive-today's features and publish on Github ===
Date: 2024-11-14
The tool is now capable of both archiving new URLs and searching for already archived ones. Unlike the Go frontend it draws inspiration from, it is able to detect when the page that is being archived is still being saved but isn't fully saved, and can wait until the page is fully saved, then spit out the final URL. This should make it significantly more useful.
=== Fix live-build crash due to apt-cacher-ng ===
Date: 2024-11-14
Finished creating a working fix for live-build crashing due to apt-cacher-ng HTTPS tunneling not being enabled. Required changes to repository-dist and derivative-maker. Fixes are published in my forks of both repos.
== 2024-11-13 ==
=== Start developing archive.today CLI frontend ===
Date: 2024-11-13
Began working on an archive.today CLI frontend written in Python. Python was chosen primarily due to its memory safety, the very low number of third-party dependencies needed to handle web requests and parsing, and the trustworthiness of the one third-party dependency that I did want to use (namely Requests). So far the documentation/specification for the tool is written, the CLI parser is done, and finding archived pages works. Tor support and the ability to archive new pages are next on the todo list.
=== Debug live-build crash due to apt-cacher-ng ===
Date: 2024-11-13
ISO builds are crashing due to a poor interaction between apt-cacher-ng and the sources.list files we ship in anon-apt-sources-list and repository-dist. I did quite a bit of research into how to resolve this, but was only able to determine three less-than-ideal solutions, which are documented on the dev/todo page at https://www.kicksecure.com/wiki/Dev/todo#live-build_-_build_broken_-_kicksecure_repository_apt-cacher-ng_configuration. Ultimately it looks like we'll probably end up having to work around this using live-build scripts, calamares, and debian-installer.
== 2024-11-12 ==
=== Test and review archive.today CLI frontend ===
Date: 2024-11-12
Tested the archive.today frontend, documented how to make it work and what it does so far. Also filed a feature request, and reviewed the code. So far it looks usable and appears to be safe, although the safety review is not complete yet.
=== Work on graphical-session.target bug in Qubes OS ===
Date: 2024-11-12
Attempted a fix, and researched possible solutions, including discussion with Marek.
== 2024-11-11 ==
=== Implemented Tor Browser version detection in dm-packaging-helper-script ===
Date: 2024-11-11
Reads from Tor's website and from Sourceforge to determine the latest versions of Tor Browser, Tor Browser Alpha, and Tor Browser ARM64. Automatically updates the tbb_hardcoded_version files from tb-updater with the retrieved info.
=== Research doas suitability for Kicksecure and Whonix ===
Date: 2024-11-11
Investigated whether doas was usable in Kicksecure, whether it would work around the sudo faillock bugs we were encountering, if it was possible to port our sudoers config to doas, and if possible, how much work it would be. Posted all results on the Whonix forums at https://forums.whonix.org/t/replace-sudo-with-doas/17482/18.
=== Start testing archive.is utility ===
Date: 2024-11-11
Successfully built the archive.is utility using Go 1.22 from bookworm-backports. Unfortunately I wasn't able to finish testing the utility for functionality as archive.today's archiver seems to not be working, even in a Firefox browser window. Will try again tomorrow most likely.
=== Make dm-check-unicode look nicer ===
Date: 2024-11-11
Split up the whitelisting pattern so that each file went on its own line, by converting the whitelist pattern string into an array and then assembling it into a pattern string using sed.
=== Fix debian.list file installation in derivative-maker live-build support ===
Date: 2024-11-11
Tested a fix for the installation of /etc/apt/sources.list.d/debian.list that did not require renaming the file. Fix worked, pushed.
== 2024-11-10 ==
=== Prepare to split security-misc into shared, desktop, and server packages ===
Date: 2024-11-10
As discussed at {{Github_link|repo=security-misc|path=/issues/187}}. Looked at all files in security-misc, and categorized them into shared, desktop, and server categories, with rationale for each choice. Currently available for discussion at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674, will implement once consensus is reached.
=== File Calamares feature request for specifying filesystem restrictions ===
Date: 2024-11-10
Filed a feature request to Calamares, requesting that distros be given the ability to restrict what filesystems are used at what mountpoints. This could be used to avoid the root-on-fat32 issue the user at https://forums.kicksecure.com/t/kicksecure-installation-cannot-set-timezone-link-creation-failed-target-usr-share-timezone-link-name-etc-localtime/652 ran into.
=== Make derivative-maker install live-build during build process ===
Date: 2024-11-10
Kicksecure now has a live-build fork and submodule in derivative-maker, but was not installing live-build automatically. The code for this has now been written and tested.
=== Refactor GRUB themes ===
Date: 2024-11-10
The GRUB themes we're using as a base had some font files shipped alongside that were difficult to audit. Some of them were also derived from the Ubuntu font family, whose license is considered non-free in Debian. There was also lots of duplicate code between the three GRUB themes for Kicksecure, Whonix-Gateway, and Whonix-Workstation. To resolve this, the GRUB themes were refactored, the Ubuntu font was replaced with Inter, and the custom GRUB fonts are generated at package build time from the originals already present in the Debian archive.
== 2024-11-09 ==
=== Finish testing refactored dm-packaging-helper-script ===
Date: 2024-11-09
Tested almost all features of dm-packaging-helper-script, with the exception of those that write to Git repositories. Fixed lots of bugs in the process. Ready for final review.
== 2024-11-08 ==
=== Finish refactoring dm-packaging-helper-script, start testing ===
Date: 2024-11-08
All functions of the original dm-packaging-helper-script are now implemented, with the exception of those that are outdated and did not need to be reimplemented. Currently testing all of the functions one by one, fixing bugs as I go. I've currently managed to at least somewhat test (and if necessary, repair) everything up to and including pkg_git_commit_readme. The current state of the refactor is now public as well.
=== Finish initial review of IPv6 support PRs ===
Date: 2024-11-08
Finished reviewing the changes in the IPv6 support PRs. Still need to test them and see how they work.
== 2024-11-07 ==
=== Begin reviewing IPv6 support PRs ===
Date: 2024-11-07
Reviewed some of the PRs mentioned in https://forums.whonix.org/t/add-ipv6-support/19893 for correctness and potential malicious behavior. Left several comments where things looked incorrect. So far I've reviewed the whonix-gw-network-conf, whonix-ws-network-conf, anon-gw-anonymizer-config, and whonix-firewall PRs. The only really strange commit I've seen so far is https://github.com/Whonix/whonix-firewall/pull/10/commits/4e202b11e84168d3415a4637768df6a692de6841, which references some IPv6 addresses that don't seem to be specified anywhere else.
=== Remove superfluous icons from GRUB themes ===
Date: 2024-11-07
In the interest of keeping a smaller attack surface and using less disk space, Patrick requested that I remove icons for other operating systems from the Kicksecure and Whonix GRUB themes. This is now done and tested.
=== Polish dummy-dependency script ===
Date: 2024-11-07
Discussed needed improvements with Patrick, implemented and tested them.
== 2024-11-06 ==
=== Further progress refactoring dm-packaging-helper-script ===
Date: 2024-11-06
Currently finished with all commands up to and including pkg_need_version_bump_do.
=== Write dummy-dependency script ===
Date: 2024-11-06
Wrote a script that dynamically generates, and optionally installs, dummy packages that can be used to work around dependency bugs in other packages. The script works in my tests. Also added the needed dependency on equivs to helper-scripts, and ensured helper-scripts built properly after my changes.
=== Implement and publish minor fixes for metapackages ===
Date: 2024-11-06
Published updates to kicksecure-meta-packages and anon-meta-packages, following all feedback from https://forums.kicksecure.com/t/metapackages-tweak-suggestions/663/2.
== 2024-11-05 ==
=== Debug apt solver problems with Recommends and Suggests ===
Date: 2024-11-05
Discussed issues with the behavior of apt recommends with Patrick. After much testing, a possible bug was discovered in which a suggests link could result in a package being incorrectly retained on the system. It remains to be seen whether this is reasonably possible to solve or not.
=== More dm-packaging-helper-script refactoring ===
Date: 2024-11-05
Currently have completed everything up to and including the pkg_git_reset function.
=== Suggest addition of a Weak-Depends field to debian/control ===
Date: 2024-11-05
Sent a detailed email to the debian-devel mailing list describing the issue of recommended packages pulling in too much (what I called "Recommended bloat") and how to solve it using Patrick's "Weak-Depends" suggestion.
=== Fix Kloak default values ===
Date: 2024-11-05
Fixed inconsistent info about default timeout and delay values in kloak. Also commented on the rationale for the exact manner in which the fix was done.
== 2024-11-04 ==
=== Continue refactoring dm-packaging-helper-script ===
Date: 2024-11-04
Finished framework code, began implementing the actual commands supported by the script. In particular, the pkg_descr_creator, pkg_descr_merger, pkg_descr_merge_all, and internal_descr_writer functions got a major overhaul, adding support for discrete Kicksecure and Whonix projects to the code (this functionality didn't exist before and was marked as "TODO" in the original implementation). All command functions from the top of the original script down to pkg_compat_delete are currently implemented. Still need to test everything, and there are lots more functions to copy over and adjust, but it's coming along nicely.
== 2024-11-03 ==
=== Review Whonix metapackages, post Kicksecure metapackage review on forums ===
Date: 2024-11-03
Posted the Kicksecure metapackage review for discussion. Also reviewed Whonix's metapackages briefly, only saw one potentially mis-located package, that being hunspell, which was already mentioned in the Kicksecure metapackage review and which is now documented in the review Github gist.
=== Finish Whonix and Kicksecure GRUB themes ===
Date: 2024-11-03
Finally have all of the details of the GRUB themes for Whonix and Kicksecure worked out. Branches of each repo that needed modifications are present in the dev/todo list and moved to the review queue.
== 2024-11-02 ==
=== Begin refactoring dm-packaging-helper-script ===
Date: 2024-11-02
Started the work of refactoring dm-packaging-helper-script. The end-goal is to make it easy to understand, more maintainable, and to remove the use of environment variables as a primary method of passing data to the script. Currently have most of the initialization and framework code laid down, and have gotten an understanding of how the existing script works in general. This is in preparation for adding tb-updater version update functionality to the script.
== 2024-11-01 ==
=== Polish Whonix GRUB themes ===
Date: 2024-11-01
Got both Whonix and Kicksecure GRUB themes looking and working properly. Had one final question for Patrick (do we want to support people switching between BIOS and UEFI modes), once that's answered I'll be able to make any final changes, then push to Git.
=== Document Super Grub2 Disk usage ===
Date: 2024-11-01
Documented how to install and use Super Grub2 Disk in the [[Broken Boot]] Wiki page. Documentation includes a description of how each boot mode works and when it should be used.
== 2024-10-31 ==
=== Review Kicksecure metapackages ===
Date: 2024-10-31
Reviewed the Kicksecure metapackages, noting down potential ways to improve on the existing structure. Also wrote a small script for visualizing dependency interactions, which may be handy for future review. I did not manage to review the Whonix metapackages yet, though I did mention some things related to Whonix in the review. The review itself can be seen here: https://gist.github.com/ArrayBolt3/1312aa401d0b7ade970210b3f526f9e8
=== Polish GRUB theme for Kicksecure ===
Date: 2024-10-31
Made the GRUB theme for Kicksecure look nice and work well. Most issues with the previous theming have been solved, with the only remaining issue being one that we may not care about.
=== Review Super Grub2 Disk functionality ===
Date: 2024-10-31
Tested Super Grub2 Disk's ability to boot installed Kicksecure systems. It works really well, for both encrypted and unencrypted installations. Did not test LVM. Might be a good idea to add info about this to the broken boot recovery page.
=== Research TCG DRTM ===
Date: 2024-10-31
Researched what a Dynamic Root of Trust for Measurement is, how it is useful, and what implementations exist for x86 systems. Added relevant documentation and explanations to the confidential computing page.
== 2024-10-30 ==
=== Fix live-build dracut loopback boot bug ===
Date: 2024-10-30
Dracut requires the use of a different kernel parameter for loopback ISO booting than live-boot requires. Added support to live-build to set the parameter properly depending on the initramfs image type in use.
=== Investigate loopback.cfg boot support ===
Date: 2024-10-30
Investigated the feasibility of booting Kicksecure as a loopback ISO using SuperGrub2Disk. Ultimately, it looks like it can be made to work, but there are two hurdles that need to be resolved first, both of which are now documented in dev/todo. Next steps are to see if the dracut bug is still an issue in Trixie, and to make another live-build merge request.
=== Fix append-once and livecheck bugs ===
Date: 2024-10-30
Fixed a bug in append-once where multi-line string appends could fail if one of the lines in the multi-line chunk being appended already existed in the target. Also fixed a bug in livecheck where lsblk ran too early, resulting in the system erroneously reporting it was running in read-only mode on some boots.
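Added example (not the append-once code from helper-scripts): a sketch of how an append-once style helper can skip a multi-line chunk when only one of its lines is already present, next to a whole-chunk check. It assumes the failure came from testing the chunk line by line, which the entry does not state; the function names and the sample sysctl lines are hypothetical.

```shell
#!/bin/sh
# Constructed illustration of an "append a chunk only once" helper.
# Not the append-once code from helper-scripts; names and sample data are hypothetical.

# Assumed buggy variant: treats the chunk as present as soon as ANY one of
# its lines already exists in the target file.
append_once_linewise() {
    file=$1
    chunk=$2
    while IFS= read -r line; do
        if grep -qxF -- "$line" "$file" 2>/dev/null; then
            return 0    # whole chunk silently skipped
        fi
    done <<EOF
$chunk
EOF
    printf '%s\n' "$chunk" >> "$file"
}

# Returns 0 only if the chunk occurs in the file as one contiguous run of
# complete lines. index() does a literal match, so no regex escaping is needed.
chunk_present() {
    file=$1
    chunk=$2
    [ -f "$file" ] || return 1
    CHUNK=$chunk awk '
        BEGIN { want = "\n" ENVIRON["CHUNK"] "\n"; have = "\n" }
        { have = have $0 "\n" }
        END { exit (index(have, want) ? 0 : 1) }
    ' "$file"
}

# Corrected variant: append unless the complete chunk is already there.
append_once_chunk() {
    file=$1
    chunk=$2
    if chunk_present "$file" "$chunk"; then
        return 0
    fi
    printf '%s\n' "$chunk" >> "$file"
}

demo() {
    tmp=$(mktemp) || return 1
    # Constructed target file that already holds one line of the chunk.
    printf '%s\n' 'net.ipv4.tcp_timestamps=0' > "$tmp"
    block='## hardening block (constructed sample)
net.ipv4.tcp_timestamps=0
kernel.kptr_restrict=2'
    append_once_linewise "$tmp" "$block"
    echo "line-wise:  $(grep -c kptr_restrict "$tmp") kptr_restrict line(s)"
    append_once_chunk "$tmp" "$block"
    append_once_chunk "$tmp" "$block"   # second call is a no-op
    echo "chunk-wise: $(grep -c kptr_restrict "$tmp") kptr_restrict line(s)"
    rm -f "$tmp"
}

demo
```

With the line-wise check the second setting is never written, which for a hardening snippet means the system ends up only partially configured without any error being reported.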
== 2024-10-29 ==
=== Create prototype of GRUB theme for Whonix ===
Date: 2024-10-29
Tried porting the Kicksecure GRUB theme to Whonix. Ran into some issues, mainly with screen resolution on BIOS-based VirtualBox VMs. Also need to explore the creation of separate themes for Whonix Gateway and Whonix Workstation - I had initially not done this since I wasn't sure how to fit the extra info into the design of the GRUB theme. Prototype screenshots shared with Patrick.
=== Test live-build suitability for generating non-live images ===
Date: 2024-10-29
Experimented with using live-build with --system normal --binary-image hdd options for generating preinstalled, non-live systems. It's not as smooth of an experience as generating live images, but it is usable and potentially suitable for replacing grml-debootstrap. Recorded findings in the dev/todo page.
=== Create GRUB theme for Kicksecure ===
Date: 2024-10-29
After a conversation with Patrick, we decided to not use desktop-base as part of the implementation of the GRUB theme. Instead I took one of the GRUB themes linked in the Kicksecure GRUB theme task, modified it to work correctly with Kicksecure, and tested it. It may need another iteration of work since the theme will probably have distorted aspect ratio in some scenarios. (Edit: actually, this will definitely take another iteration of work because the BIOS GRUB theme will NOT work in VirtualBox. I set the resolution to 1280x960, which VirtualBox's graphics does not support as a "standard" resolution. 1024x768 works however.)
=== Report ISN security issue to IETF ===
Date: 2024-10-29
Wrote a vulnerability report and sent it. Report is at https://mailarchive.ietf.org/arch/msg/tcpm/_T3Itdx06xzAgwcfe90KP_vTCq8/. This is intentionally public, as the IETF apparently handles their vulnerability reports publicly, as confirmed by the fact that someone with access to the non-public mailing list I CC'd on the message forwarded it to the mailing list after the email system apparently failed to deliver the message to the right mailing list.
== 2024-10-28 ==
=== Make livecheck only run detection once ===
Date: 2024-10-28
Added code to livecheck so that it would only run live mode detection once, and thereafter would use cached data about the system state. Also made the check interval way longer to reduce resource consumption.
=== Start generating desktop-base compliant branding ===
Date: 2024-10-28
This started as a mission to create a GRUB theme or GRUB background image for Kicksecure. Doing this revealed that the GRUB background image mechanism in Debian depended on a package called desktop-base, which turns out to be a theming/branding package that affects many different parts of Debian. It uses the Debian alternatives system to allow derivatives or vendors to override the branding as desired. It is undesirable to entirely supplant this package with Conflicts/Replaces, since that could theoretically cause breakage. However, pulling it in requires making a lot of Kicksecure-specific branding to override the Debian-specific bits. So far I have prepared GRUB background images, Kicksecure emblems, and multiple different variants of the logo, using Inkscape and GIMP. I stopped here however, as I realized I didn't know where some of the data I needed was (in particular I don't know where the default wallpaper in Kicksecure is stored), and I wasn't sure if desktop-config-dist was the right package to do it in.
=== Research proving issues with TCP ISNs ===
Date: 2024-10-28
Did research to determine how to prove that ISNs that integrate time values are dangerous. Shared with Patrick.
=== More improvements to Qubes event buffering support ===
Date: 2024-10-28
Implemented all requested changes from another reviewer. Ensured that the code still built properly, smoke-tested on Qubes OS R4.3, and submitted for another review.
=== Review kloak spec file for Fedora ===
Date: 2024-10-28
Ensured that a contributed spec file for Fedora was non-malicious. Also verified that the file successfully built a kloak RPM.
=== Fix remaining derivative-maker live-build patch issues, submit for review ===
Date: 2024-10-28
All known issues with derivative-maker live-build support have now been worked out. PR is marked as ready for review.
== 2024-10-27 ==
=== Test derivative-maker with live-build patch, add debian-installer support ===
Date: 2024-10-27
Tested a few other build modes of derivative-maker and ensured they worked properly even with the new code changes. After that, I worked on getting debian-installer rebranded and working properly, which proved to be a larger job than expected. In the end, things seem to be working very well, with only a few rough edges that need fixed up.
== 2024-10-26 ==
=== Fix bugs in derivative-maker live-build support ===
Date: 2024-10-26
Identified several issues with the new live-build support by comparing the list of all files on VMs installed using old and new ISOs. All of these issues ended up having relatively simple fixes, which I have (mostly) verified work properly. At this point I just need to test things thoroughly, then live-build support should be ready for review.
== 2024-10-25 ==
=== Add BTRFS support to live-config-dist ===
Date: 2024-10-25
Added BTRFS as an option on the Partitions screen, using Calamares configuration options in live-config-dist. Tested by installing a BTRFS-based installation of Kicksecure, worked for me. Added btrfs-progs as a dependency to kicksecure-recommended-cli since it's necessary for a BTRFS installation to work.
=== Release second prototype of derivative-maker live-build support ===
Date: 2024-10-25
The ISO build is now working without errors on my end, and after an audit of packages and files on old and new ISOs it looks like most major issues have been resolved. Forks of derivative-maker, live-build, dist-base-files, live-config-dist, and anon-apt-sources-list have been updated with the most recent iteration of code.
=== Prepare VirtualBox link update script for review ===
Date: 2024-10-25
Replaced custom Python script with str_replace, added wiki editing capabilities, placed in developer-meta-files. Tested live by using https://www.kicksecure.com/w/index.php?title=Testpage&stable=0, code seemed to work as intended. Code has been given to Patrick to review, it should be tested more thoroughly before being deployed in production.
=== More polishing of derivative-maker live-build builds ===
Date: 2024-10-25
Finally got the ISO to build again. Detection of kernel parameters is done using grub-mkconfig rather than direct configuration file parsing, user creation is done by dist-base-files as previously, apt list files are correct and are handled by anon-apt-sources-list and repository-dist. Some changes were needed to individual packages, and there are still some issues (notably the user is created without sudo privileges due to a mistaken rm I added that was cleaning up a file too early). However, this is much closer, and I expect to be able to publish the code I have locally relatively soon.
== 2024-10-23 ==
=== Continue polishing derivative-maker live-build support ===
Date: 2024-10-23
Attempted to fix up kernel parameter autodetection at ISO build time, user account creation method, and apt configuration files. Also switched to multi-stage live-build rather than using lb build directly. I did not manage to get a working ISO before the day was over, however I made significant progress on it and believe that the revamped code should be able to produce working ISOs soon. Updated code will be published once it can successfully build an ISO.
=== Prototype automatic URL updating code for VBox links ===
Date: 2024-10-23
Wrote a prototype implementation for https://www.kicksecure.com/wiki/Dev/todo#automate_VirtualBox_version_update_in_the_wiki that can read from VirtualBox's download page, read from the Wiki, determine if the Wiki's VBox URL is up-to-date, and update it if not. Currently it does not update the Wiki itself, but instead prints out the text it would write. Needs some internal polish (specifically it should use Kicksecure's str_replace) and needs the actual Wiki write functionality implemented, then it should be ready to use.
== 2024-10-22 ==
=== Polish derivative-maker live-build support ===
Date: 2024-10-22
Attempted to fix several issues with the live-build ISO prototype. This led to discovering a major bug in live-build that made it very difficult to set environment variables properly. Bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085869. Also discussed future live-build tasks and design with Patrick.
== 2024-10-21 ==
=== Finish derivative-maker live-build support prototype ===
Date: 2024-10-21
Got the live-build code to build an ISO without errors. Also fixed ISO GRUB screen branding. Remaining TODOs are noted down in https://www.kicksecure.com/wiki/Dev/todo#ISO_-_port_to_live-build and related tasks. derivative-maker prototype code is located at https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/live-build. live-build fork needed for build is located at https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads. live-config-dist fork needed for installability is located at https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/live-build.
Also tested building Kicksecure on Kicksecure using live-build. This worked perfectly - no changes needed to be made to the prototype code to allow the build system to function properly.
== 2024-10-20 ==
=== Integrate live-build into derivative-maker ===
Date: 2024-10-20
Added the ability for derivative-maker to run live-build to generate an ISO rather than using the usual ISO generation steps. I did not manage to push the derivative-maker changes to Git yet because I ran into a large number of bugs in the process (remote and local repo conflicts, random SIGPIPE errors making true exit non-zero, incompatibilities between my live-build local repo implementation and reprepro, etc). Most of these issues are now resolved. I fixed the local repo handler in live-build to work with reprepro repositories. Fix in commit https://salsa.debian.org/live-team/live-build/-/merge_requests/369/diffs?commit_id=eb1813e7bd211373060152a8bde140301576756c.
=== Polish configuration interface for Qubes OS event buffering ===
Date: 2024-10-20
At Marek's suggestion (https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2421005914), I renamed ebuf_max_delay to events_max_delay in the configuration for qubes-gui-daemon. I also had to rebase my changes to qubes-gui-daemon to the tip of main since other code had been changed since I opened the PR. The code change was tested and verified to work.
This took significantly longer than expected because I had to fix updates on Qubes R4.3 (turns out they don't work right out of the box), then was unceremoniously dropped to a Dracut emergency shell upon reboot because apparently my Qubes installation's root filesystem decided to become slightly corrupted and needed a manual fsck to fix. I did manage to get the system back up-and-running thankfully, and did the work mentioned above once my system was back to functional.
== 2024-10-19 ==
=== Fix pam_faillock unlock on reboot or timeout ===
Date: 2024-10-19
Determined why pam_faillock was automatically resetting the tally on reboot and fixed it. Also kept it from resetting due to a timeout to the best of my ability (although due to limitations in pam_faillock this could not be done perfectly). Commit: https://github.com/ArrayBolt3/security-misc/commit/690e8dd826d1cb39c0c12c03792781862cc2dd23
Note that this does NOT fix the issue where the use of passwordless sudo resets the tally. This may require assistance from upstream, and investigation into that is still ongoing.
== 2024-10-18 ==
=== Debug pam_faillock ===
Date: 2024-10-18
Kicksecure uses pam_faillock to provide bruteforcing protection for user account passwords. Unfortunately the existing PAM configuration allowed the tally and lock to get reset in multiple unintended ways. The root cause of this was determined and a proof-of-concept fix developed, however a deployable fix has not yet been determined. One of the problematic scenarios has a bug filed in linux-pam for it: https://github.com/linux-pam/linux-pam/issues/842
== 2024-10-17 ==
=== Further improvements to Kicksecure live-build ===
Date: 2024-10-17
Wrote another patch for live-build and attempted to upstream it, this allows us to set --error-on=any on apt update calls within live-build. https://salsa.debian.org/live-team/live-build/-/merge_requests/371 Tested it and it appears to work. Also tested a bunch of additional options Patrick suggested using, which removed more unnecessary packages and improved the build process. Also documented that the custom fork of live-config-dist is no longer necessary.
== 2024-10-16 ==
=== Fix up package installation on Kicksecure live-build ===
Date: 2024-10-16
Fixed a couple of very annoying bugs in the live-build code for Kicksecure. There were a bunch of weird firmware files and display drivers getting installed incorrectly, which now no longer get installed, and the user had to explicitly confirm that they wanted to remove a bootloader package at one point during the build, which they now no longer get prompted for. I also got a merge request made for mmdebstrap support in live-build, which is visible here: https://salsa.debian.org/live-team/live-build/-/merge_requests/370
Additionally, I dug up the old live-build code from derivative-maker and extracted the core lb config command from that. This may be useful for future work on live-build.
At this point the ISOs being produced using live-build are of a reasonably high quality, and I believe it is time to get the live-build fork I've been using integrated into Kicksecure's Git repos and start using it as the default framework for ISO file generation in derivative-maker.
=== Rework Qubes OS event buffering pull request ===
Date: 2024-10-16
See https://github.com/QubesOS/qubes-gui-daemon/pull/149. Implemented all requested changes from all reviewers, rebuilt qubes-gui-daemon and qubes-core-admin-client with changes, and tested on Qubes OS R4.3. Another round of review has been requested.
== 2024-10-15 ==
=== Implement mmdebstrap support in live-build ===
Date: 2024-10-15
Implemented and tested live-build mmdebstrap support. Code is visible at https://salsa.debian.org/ArrayBolt3/live-build/-/commit/0a8559b9d456a93284e726521a33f342ab469f8b. MR has not yet been opened against live-build upstream because of Debian infrastructure issues.
=== Create live-build local apt repo MR, more live-build debugging ===
Date: 2024-10-15
MR for local apt repo support in live-build: https://salsa.debian.org/live-team/live-build/-/merge_requests/369
The reason for strange firmware files becoming installed appears to be because of a firmware installation routine in live-build operating as intended (though since I'm building with contrib and non-free repos it seems to be pulling in a bit more than ''expected''). Need some input on how to best handle that. I also diagnosed the reason for a "persistent mode" icon in the panel getting shifted over to the left, and created a patch here: https://github.com/ArrayBolt3/desktop-config-dist/commit/6b0ec41a2ec75b11dbe1b50d9040fb56761bc583
=== Prepare X event buffering Qubes OS pull request for re-review ===
Date: 2024-10-15
Added a signed integer overflow check to a potentially vulnerable area of the PR's code, and gave the code a short stress-test and functionality test using vmonaco's device fingerprinting test, Reddit, and YouTube. Resolved all conversations from Marek's review of the X event buffering PR, and requested a re-review.
== 2024-10-14 ==
=== Debug Kicksecure live-build, implement local apt repo support ===
Date: 2024-10-14
Implemented local apt repo support in live-build and pushed to Git on Debian Salsa (their GitLab instance). Sadly due to a glitch in Salsa, I was unable to open a merge request, and am awaiting a reply from the Salsa administrators. Also debugged issues with installed and omitted packages in the Kicksecure live-build project. Ultimately I wrote an email to the debian-live mailing list because of particular extra packages getting installed for no apparent reason: https://lists.debian.org/debian-live/2024/10/msg00007.html
== 2024-10-13 ==
=== Continue effort to port Kicksecure to live-build ===
Date: 2024-10-13
Got significantly further than on 2024-10-10. The ISO now boots "out of the box", installs "out of the box", and for the most part looks and works like a standard Kicksecure ISO. Further development tasks are listed in the Github repo for the project at https://github.com/ArrayBolt3/kicksecure-live-build.
== 2024-10-11 ==
=== Rework Qubes OS kloak patch ===
Date: 2024-10-11
The Qubes OS "X event buffering" patch at https://github.com/QubesOS/qubes-gui-daemon/pull/149 was reviewed by a Qubes OS developer and several changes were requested. I got Qubes OS R4.3 installed on my primary development system, prepped it to build Qubes OS packages, and then did development and testing of the patch there. All requested changes were implemented, many of the comments were resolved (though I left some open for further discussion and review). The patch was also tested for functionality and appears to work well so far.
== 2024-10-10 ==
=== Begin effort to port Kicksecure to live-build ===
Date: 2024-10-10
I downloaded the latest live-build from https://salsa.debian.org/live-team/live-build (using the tip of the master branch), and merged in https://salsa.debian.org/live-team/live-build/-/merge_requests/353 so as to enable use of dracut. I then created a Debian Sid chroot within my Kicksecure development virtual machine, and built and installed live-build within it. (live-build works surprisingly well inside a chroot environment.) I then researched live-build's features, as well as how to use it properly, and then worked on getting a basic Kicksecure-like ISO built using it.
Due to some oddities surrounding package installation, dracut repeatedly got uninstalled at some point during the build process, resulting in the build crashing later on. To fix this, I modified the code of live-build to avoid installing packages that were the source of the issue (namely live-config and live-boot). Additionally, the security-misc package was crashing the build because it was intentionally failing to install itself when it detected there were no users with sudo rights on the system. This ended up requiring a live-build hook to work around, which is not a desirable solution long-term. Quite a few very long builds had to be done before I finally got a working ISO, and I had to tweak the source code of live-build slightly, but I was successful at getting the ISO to both build and boot to a Kicksecure desktop. The source code of my live-build fork is at https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads. The live-build configuration that finally worked somewhat for me is at https://github.com/ArrayBolt3/kicksecure-live-build.
The finished ISO had quite a few problems:
* A generic-looking Debian live GRUB theme is shown on bootup.
* Due to a dracut bug in bookworm, the ISO will drop you to a dracut emergency shell if you attempt to boot it by just pressing "Enter" when prompted. You must press e to edit the boot options, and add rd.live.overlay.overlayfs=1 to the end of the kernel command line to get the ISO to boot.
* When it does boot, you will be shown a very strange "Welcome to LXQt" window with no window decorations or anything. No window manager will be loaded.
* To get past this state, you have to press Ctrl+Alt+F2 to get to a TTY, then go to /etc/lightdm, delete the lightdm.conf.d directory recursively, and edit lightdm.conf so it contains no uncommented autologin configuration. Then you have to run sudo systemctl restart lightdm and you are presented with a login greeter. At the greeter screen, click on the wrench logo in the panel at the top of the screen, and select an XFCE session to log into. Then log in with username "user" and password "live", and ''now'' you will see a Kicksecure desktop.
* The user is shown as being "Debian live user" in the application menu, with a prominent Debian logo applied. This is wrong.
* More software than expected ends up preinstalled, such as "Zutty" (Zero-cost Unicode Teletype, which somehow ends up becoming the default terminal), Tor Browser Downloader, and lximage-qt for instance.
* Installation fails with a bootloader-related error, likely because we have a tweaked version of a bootloader install script that no longer applies, and my configuration doesn't preload the various GRUB versions into the on-ISO repository.
* The notifier in the upper-right corner of the screen showing which mode is active shows "Live" with a green light, rather than "ISO" with a disc icon.
Additionally, my test build used only remote packages, not locally built ones.
Next steps:
* Figure out a more elegant way of excluding bad packages other than modifying the source code of live-build. If modifications are absolutely necessary, add a blacklist feature and then use it.
* Determine why additional software is getting installed such as Zutty and bits of LXQt, and make it stop happening. (This is probably caused by package dependencies somehow.)
* Fix all the bugs.
* Add the ability to install packages from a local repo and test it.
* See if live-build can be used for building more than just live images. Some of the docs made it sound like it could be used for making preinstalled images, which could potentially be used for building VirtualBox and other hypervisor images using live-build too.
* Integrate live-build into derivative-maker (or the other way around?) so that source code cloning, package building, and ISO assembly can be done in one command like what is currently possible with derivative-maker.
== 2024-10-09 ==
=== KeePassXC secret service feature request ===
Date: 2024-10-09
Attempted to identify what would need to change in KeePassXC to allow it to act as a distro's default secret service, and posted a feature request for it here: https://github.com/keepassxreboot/keepassxc/issues/11342
=== Research Edgeless Systems' confidential computing ===
Date: 2024-10-09
Looked into several confidential computing solutions offered by Edgeless Systems, namely Constellation, Contrast, and Continuum. Added notes about them to the confidential computing Wiki page.
=== Research Enclaive ===
Date: 2024-10-09
Looked into Enclaive and noted them in the list of cloud providers. Also discovered Gramine for protecting individual apps and containers with Intel SGX, added them to the resources list and also moved Intel SGX out of the "not useful technologies" list.
=== Research Intel TDX ===
Date: 2024-10-09
Read through https://cdrdv2.intel.com/v1/dl/getContent/690419 and did further research to determine how suitable Intel TDX looked for true confidential computing. Many of the features looked quite useful, but some of them were rather disappointing and I do not believe Intel TDX actually provides strong security guarantees against a determined cloud-provider-level adversary.
=== Debug Calamares issues ===
Date: 2024-10-09
Researched, fixed, or followed up on all outstanding Calamares issues:
* https://www.kicksecure.com/wiki/Dev/todo#ISO_-_wrong_bootloader_entry
** https://forums.kicksecure.com/t/boot-issue-after-installking-kicksecure/602/20
* https://www.kicksecure.com/wiki/Dev/todo#ISO_-_fallback_boot_loader_broken
** Results inline
* https://www.kicksecure.com/wiki/Dev/todo#ISO_-_calamares_-_logo_size_reduction
** https://github.com/ArrayBolt3/live-config-dist/commit/15eb4be99fd5d933c3067c982a9a6ad3f4d06d23
* https://www.kicksecure.com/wiki/Dev/todo#ISO_-_calamares_-_encrypt_button_bug
** Followed up in the Calamares Matrix room
* https://www.kicksecure.com/wiki/Dev/todo#ISO_-_live-config_-_dist_shellprocess_fixconkeys_part
** https://github.com/calamares/calamares/issues/2383
Not all of these were immediately fixable, but as much as can be done with them has been. Notably the issue with the fallback bootloader cannot be easily fixed until the migration to live-build.
== 2024-10-08 ==
=== Research Secure Cloud hardware ===
Date: 2024-10-08
Researched all items in the list, categorized as appropriate and made useful summaries for studying technologies. Raptor Engineering's POWER9 machines looked particularly promising.
=== Rewrite Broken Boot page ===
Date: 2024-10-08
Rewrote https://www.kicksecure.com/wiki/Broken_Boot to provide training and debugging assistance to users. Ultimately boot-info-script was NOT recommended as it could print sensitive LUKS data.
== 2024-10-07 ==
=== Upstream tirdad functionality into Linux ===
Date: 2024-10-07
Created a kernel patch that adds a new parameter, tcp_rand_isn, to the Linux kernel. Testing was done with Debian Trixie. The effort to upstream the patch can be seen here: https://lore.kernel.org/netdev/20241007212735.460dc0eb@kf-ir16/T/#u
=== tirdad security improvements ===
Date: 2024-10-07
Wrote three pull requests against tirdad, each one independent of the others and applicable without needing to apply the others. One of them uses kernel live patching in lieu of page table modifications, one of them makes all generated ISNs purely random, and one of them fixes some security concerns in a string printing helper. PRs listed at https://www.kicksecure.com/wiki/Dev/todo#tirdad_-_fix_code_issues
=== tirdad functionality review ===
Date: 2024-10-07
Spent a good amount of time reviewing how tirdad worked, what its end-goal was, whether it succeeded in that end-goal or not, and also experimenting with various code changes such as simplified ISN generation and use of the kernel live patching API. Ultimately:
* It works. I was able to verify that its function hooks are called when a new TCP connection is made, and that the numbers it generates are (pseudo)random.
* The internal functionality is very complex, seemingly needlessly so.
** The entire hotpatching mechanism is able to be swapped out with live patching quite easily, making the code dramatically simpler.
** The ISN generator is still integrating into its calculations connection info, similar to the original ISN generation code in the Linux kernel. But this is pointless - all that info is being integrated into a hash that is (by design) changed entirely every time a new connection is made, even if the source and destination ports are identical to what they were before. It's simpler, probably more secure, and potentially faster to just generate a random 32-bit number every time an ISN is generated.
** It should be relatively simple to implement a kernel command line option that simply makes all ISNs random 32-bit numbers. Such a patch has a pretty good likelihood of being accepted upstream due to its simplicity, though it may have to wait until the next kernel merge window opens.
== 2024-10-06 ==
=== Fix keyboard layout-related Calamares installation failure ===
Date: 2024-10-06
Determined root cause of https://forums.kicksecure.com/t/locale-layout-installation-error/611 and pushed a fix at https://github.com/ArrayBolt3/live-config-dist/commit/fe3eb5da1a8a2c464026941c572e61de90d3e6e6. Tested to work with encrypted installations both in Russian (the language which was causing installation failures) and with German (the language which had been used most often to test the offending section of code previously).
=== Security review of tirdad kernel module ===
Date: 2024-10-06
Carefully studied the code of tirdad, a kernel module that hardens TCP initial sequence number generation. Results of the review were shared with the module author at https://github.com/0xsirus/tirdad/issues/23.
=== Review Intel SGX's suitability for confidential VMs ===
Date: 2024-10-06
Researched Intel SGX's use, functions, and vulnerabilities. Ultimately it appears security issues have been dealt with, but it does not appear useful for running private VMs. Added info to https://www.kicksecure.com/wiki/Dev/confidential_computing#Technologies_investigated_but_not_useful recording this.
== 2024-10-05 ==
=== Fix triggering of touchscreen features with kloak ===
Date: 2024-10-05
Tracked down root cause of https://forums.whonix.org/t/weird-magnifier-feature/20502, creating a kloak commit (https://github.com/ArrayBolt3/kloak/commit/d4e7b4c0428527ea002e1ea61839effc0cb5e88e), forum response (https://forums.whonix.org/t/weird-magnifier-feature/20502/12) and upstream bug report (https://gitlab.gnome.org/GNOME/gtk/-/issues/7060) based on my findings.
== 2024-10-04 ==
=== Finish preparation of Qubes OS X event buffering PR ===
Date: 2024-10-04
Fixed the remainder of the TODOs for the X event buffering PR for Qubes OS. Also tested user-configurable buffer timing and confirmed that it worked as expected. The PR still needs to be tested on Qubes R4.3, but after that (and assuming there are no further modifications requested by the developers), it's ready to go. Possibly-final code visible at https://github.com/QubesOS/qubes-gui-daemon/pull/149/files.
=== Research CPU-assisted memory encryption ===
Date: 2024-10-04
Mainly researched AMD SEV, study of Intel TME-MK had been done earlier. Recorded findings in Whonix's Dev/cloud page. Intel TME-MK is likely superior to AMD SEV for our threat model due to the fact that the hypervisor is allowed to provide its own encryption keys rather than relying on CPU-generated keys.
=== Study attestation features in pKVM ===
Date: 2024-10-04
Researched and discovered that pKVM does provide local attestation features, and that remote attestation against a pKVM host can be done via Verified Boot. Recorded findings in Whonix's Dev/cloud page at https://www.whonix.org/wiki/Dev/cloud#Confidential_VMs
=== Dracut follow-up for systemd-cryptsetup bug ===
Date: 2024-10-04
Verified that https://github.com/dracut-ng/dracut-ng/issues/684 was indeed solved and reported back.
=== Research secure cloud technologies ===
Date: 2024-10-04
Did a bunch of research on technologies like TPM, Intel TXT, Intel TME-MK, Xen, etc. Revamped secure cloud notes at https://www.whonix.org/w/index.php?title=Dev/cloud&stable=0 with new info and attempted to put together a rough idea of what things would look like when properly implemented.
== 2024-10-03 ==
=== Debug root cause of Dracut automount problems ===
Date: 2024-10-03
Found the root cause of boot issues when doing dracut automount, and reported it as a bug to the dracut developers. Bug report: https://github.com/dracut-ng/dracut-ng/issues/696
== 2024-10-02 ==
=== Work on Dracut automount code ===
Date: 2024-10-02
Sadly this turned out to be broken on Debian. It looks like it's because an initqueue hook is insisting on finding a non-existent device and ignoring the fact that there's a usable root filesystem mounted to /sysroot. Further work is needed to get this to function properly.
=== Draft email to linux-mm mailing list for RamCrypt investigation ===
Date: 2024-10-02
Wrote a draft email as requested and shared it with Patrick over Matrix. Also did lots of study into no-fill cache mode to see if it is potentially usable for our desired purpose.
[https://lore.kernel.org/lkml/20241003194147.2566a393@kf-ir16/T/ Investigating practicality of process memory encryption techniques using frozen cache and TRESOR/RamCrypt]
=== Leave notes on libkpmcore pull request ===
Date: 2024-10-02
Posted more detailed rationale for hardening libkpmcore settings at https://invent.kde.org/system/kpmcore/-/merge_requests/54#note_1044980
=== Fix encryption checkbox bugs in Calamares ===
Date: 2024-10-02
Did necessary research, coding, and testing to fix UI bugs related to the "Encrypt system" checkbox in Calamares:
* https://github.com/calamares/calamares/issues/2375 (user can check "Encrypt system", then proceed without entering a passphrase), fixed by https://github.com/ArrayBolt3/calamares/commit/cc96e65787a12cd2e93b69646aaf6b89c7d0ed52 This one was fixed last week, I tested the fix more thoroughly today.
* https://github.com/calamares/calamares/issues/2379 (user cannot decline encryption if preCheckEncryption is enabled), fixed by https://github.com/ArrayBolt3/calamares/commit/fe124b0e1e80e6e1ccbfa5b5d1679a5e169e1860 This one was debugged, fixed, and tested today.
* PR: https://github.com/calamares/calamares/pull/2376
== 2024-10-01 ==
=== Implement root fs automount for dracut ===
Date: 2024-10-01
Researched, designed, and implemented a prototype solution. Should be relatively easy to get into a mergeable state. PR: https://github.com/dracut-ng/dracut-ng/pull/694
=== Investigate using KeePassXC as a default secret service ===
Date: 2024-10-01
Researched possible solutions for using KeePassXC as the default secret service for Kicksecure. This may require upstream code contribution to be realizable, but it's pretty close to doable. Forum comment with findings: https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582/2
=== Polish kloak implementation for Qubes OS ===
Date: 2024-10-01
Fixed a bug in X event buffering code that resulted in GUI freezes. Also added preliminary configuration support, got rid of the ISAAC random number generator in favor of getrandom(), refactored the code to be more intuitive, and avoided buffering events that could potentially cause problems if buffered. PR comment: https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2387143732
=== Harden libkpmcore LUKS2 settings ===
Date: 2024-10-01
My original post asking for advice on how to proceed received no responses, and I only received one response on Matrix from someone who did not appear to be a KDE developer. To hopefully spark some further discussion, I filed an MR: https://invent.kde.org/system/kpmcore/-/merge_requests/54
Backporting just this change to Debian may be tricky as even if KDE is willing to go with this approach as-is, Debian might not be. We may still want to keep in mind the possibility of maintaining a fork of libkpmcore with our own secure defaults.
=== Debug Pipewire audio failure with Intel audio ===
Date: 2024-10-01
Hoping to get some hint as to what was going wrong, I ran pipewire, wireplumber, and pipewire-pulse in a terminal with verbose log output. The first run was done before switching to Pulseaudio, then a second run was done after switching to Pulseaudio and then back to Pipewire (which as discussed previously somehow "fixes" the audio device). No meaningful differences were visible in the logs when comparing them with Meld.
Since AC97 is Virtualbox's default audio device for Linux, it's probably in our best interest to just stick with it. If we have to get emulated Intel audio to work, the next step is probably to add additional debugging code to Pipewire to see where things go wrong. It may also be worthwhile to try some non-Pulseaudio-based audio applications (i.e. something that uses JACK or ALSA directly) to see what happens. Sadly I corrupted my Whonix VM pretty badly messing with Pipewire packages, and the Whonix server is only letting me download the latest release of Whonix very slowly, so I wasn't able to get further than this.
== 2024-09-30 ==
=== Implement kloak inside qubes-gui-daemon ===
Date: 2024-09-30
Created a prototype proof-of-concept of qubes-gui-daemon with kloak functionality embedded into it. Also set up a Qubes OS build environment and tested the proof-of-concept implementation (which mostly works). Qubes OS pull request: https://github.com/QubesOS/qubes-gui-daemon/pull/149
=== Investigate disk and RAM encryption ===
Date: 2024-09-30
Researched TRESOR and RamCrypt. Task and finished research recorded here: https://www.kicksecure.com/wiki/Dev/todo#Cloud_virtualization_-_research_RAM-less_encryption_techniques_for_disk_and_RAM_encryption
== 2024-09-27 ==
=== Debug audio failure with >2 GB RAM ===
Date: 2024-09-27
Verified bug under Debian, Ubuntu, and Whonix.
Discovered while testing with Ubuntu that I could switch to pulseaudio, play audio briefly, then switch back to pipewire and everything would work. Somehow pulseaudio "initialized" the audio device and then pipewire was able to keep using it, I guess?
Tried Pipewire from bookworm-backports, issue did not resolve.
Initially I thought that Arch Linux did not have this issue because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965#5. With that in mind I looked at a diff between Arch Linux's Pipewire source code and Debian's Pipewire source code from backports. They were nearly identical with only a few non-suspicious-looking changes.
I then attempted to build Debian's Pipewire using build settings from Arch. This eventually worked, however installing the modded version of Pipewire did not resolve the problem.
As a sanity check, I then installed Arch Linux to see if the problem was reproducible there. It turned out it was reproducible, and the "initialize with pulseaudio first" hack also resolved the issue there.
Reported some of my findings at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965#10 and https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211/27. I'm pretty sure this is an upstream bug at this point and will be hunting for it when I resume work on this.
=== Debug sysroot mount failure with dracut ===
Date: 2024-09-27
Tested use of live-build to make dracut-based live Debian images (building Trixie, Bookworm, and Bullseye images for testing). Things mostly worked, however the Bookworm image failed to boot with the same sysroot mount failure that Kicksecure is experiencing.
I then debugged the mount failure, and traced it to a difference between the 90overlayfs module in Trixie and Bookworm combined with a missing feature in Bookworm. The full report is visible at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082891.
== 2024-09-26 ==
=== Submit dracut-related encrypted Debian boot failure fix ===
Date: 2024-09-26
Submitted fix discovered earlier at https://salsa.debian.org/debian/dracut/-/merge_requests/37
=== Investigate using dracut's upstream overlayfs feature ===
Date: 2024-09-26
Kicksecure currently uses a Debian-specific filesystem overlay module for "live mode". dracut has the same feature already existing upstream, so we would like to switch to it.
Tested switching to it on Kicksecure, for some reason the dracut-native overlayfs module was silently skipped over despite being set up properly. Tested again on Trixie, everything just worked. Upstream bug comment: https://github.com/dracutdevs/dracut/issues/1565#issuecomment-2378133277
=== Investigate Pipewire audio issues ===
Date: 2024-09-26
Successfully reproduced Pipewire audio bug and device-level workaround (switching to AC97 audio) using Debian 13 (Testing). I didn't think it would be reproducible on Debian 13, but it was. Still need to investigate if Ubuntu has this problem. Left a comment at https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/49.
=== Resolve inability to boot encrypted Debian with dracut ===
Date: 2024-09-26
Bug link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792 If you install dracut on a Debian 13 (Testing) machine with unencrypted /boot and encrypted root, the system will fail to boot successfully upon next reboot.
The root cause of this turned out to be a missing runtime dependency in dracut. When using systemd within dracut (as Debian does by default), systemd-cryptsetup is necessary to unlock the disk. The dracut package does not depend on systemd-cryptsetup, and so the initrd is left with no way to decrypt the root partition. Adding systemd-cryptsetup to the dependencies of dracut before installation is enough to resolve the problem. (The result doesn't look very good, the user is left with a gray rectangle that doesn't even necessarily look like a text box, and there's no indication that they're supposed to type their passphrase, but at least the disk can be decrypted.)
Dracut gives no warnings when it generates an unusable initrd in this way, so I filed a bug report about it: https://github.com/dracut-ng/dracut-ng/issues/684 I also commented on the existing Debian bug report with my findings: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792#15 The fix for the packaging bug was submitted at https://salsa.debian.org/debian/dracut/-/merge_requests/37.
=== Switch to systemd-less dracut ===
Date: 2024-09-26
Dracut with systemd enabled has a module conflict leading to a scary error message about being unable to mount sysroot. This error message ultimately is harmless, but disturbing. See https://forums.kicksecure.com/t/iso-error-message-during-boot-mount-sysroot-special-device-liveos-rootfs-does-not-exist/418/4.
When researching how to resolve this, I found https://github.com/dracutdevs/dracut/issues/1820#issuecomment-1133439023 which suggested omitting systemd from the dracut initramfs. After a couple of builds, I was able to do this and get a working Kicksecure ISO, however it now showed a (less scary) error message stating switch_root: failed to unlink mnt: Directory not empty. This turned out to be because Dracut mounts /dev/cdrom0 to /mnt/cdrom0 and then later tries to delete the directory without clearing it. After some more research, I wrote a dracut module that unmounted /mnt/cdrom0 and then rmdir'd /mnt/cdrom0, resolving the issue. This was tested and confirmed working. Code changes: https://github.com/ArrayBolt3/derivative-maker/commit/894d0657b7cd69370d67759709fff166d469cc37
Ultimately it looks like we won't go with this approach as systemdless dracut has issues with encrypted systems on Trixie at least. Testing to see if this even happens on Trixie is planned, and if so we'll fix the root cause there.
=== Test for memory leaks in kloak ===
Date: 2024-09-26
ChatGPT pointed out some potential memory leak areas in kloak's source code. I looked at them and didn't see any particular issues. After checking the allocation and free behavior, I additionally compiled and ran kloak, then did typing tests and lots of mouse movements in order to stress test kloak. No significant memory usage was noticed indicative of a leak.
=== Investigate dom0 implementation of kloak in Qubes OS ===
Date: 2024-09-26
Read through https://github.com/QubesOS/qubes-issues/issues/8541, investigated qubes-gui-daemon's source code to determine how to implement kloak most effectively there and suggested a potential way forward (writing kloak's functionality into the GUI daemon). Comment at https://github.com/QubesOS/qubes-issues/issues/8541#issuecomment-2377325699 Implementing kloak within individual VMs does not seem practical in the long run since kloak can't run above the X server or compositor without special support from that server or compositor, and Qubes OS's Wayland compositor is intended to be implemented without support for kernel input devices. This means that kloak has to be placed at the GUI daemon layer, in which case it's most likely easiest to just make it part of the GUI daemon.
== 2024-09-25 ==
=== Harden Calamares encryption settings ===
Date: 2024-09-25
Discovered that encryption code is located in libkpmcore, which is a component of KDE and not something that can be easily changed in Calamares yet. Discussed obstacles and potential implementation strategies with Patrick, decided to try just getting more secure settings upstream first. KDE development discussion post: https://discuss.kde.org/t/making-libkpmcores-luks2-settings-more-secure/21764
=== Require user to make encryption choice explicit ===
Date: 2024-09-25
I originally started by trying to implement this from scratch to offer it as a feature request to upstream Calamares. As it turned out however, the feature already existed, and was able to be switched on by enabling a preCheckEncryption variable. Code change: https://github.com/ArrayBolt3/live-config-dist/commit/410c62e664e7d1387e7c013867242838ff2cb912
While initially trying to implement this, I discovered a bug in Calamares where the user could check the "Encrypt system" checkbox and then proceed past the partitioning screen without entering a passphrase. I reported the issue upstream at https://github.com/calamares/calamares/issues/2375 (along with a PR that should resolve it).
=== Update kloak readme ===
Date: 2024-09-25
Updated README.md to reflect current state of kloak. Code changes: https://github.com/ArrayBolt3/kloak/commit/4bbdf38cc6c6f9162348d9b23deef3169f8465b8
=== Add Qubes OS support to kloak ===
Date: 2024-09-25
Determined how to manually enable kloak on Qubes OS, documenting findings at https://forums.whonix.org/t/current-state-of-kloak/5605/111.
Getting this working by default needs orchestration, asked for advice from Qubes OS developers on how to proceed at https://github.com/QubesOS/qubes-issues/issues/1850#issuecomment-2374908358.
Disabled AddressSanitizer in kloak, it was unfortunately incompatible with Whonix's ASLR settings. See https://stackoverflow.com/questions/77672217/gcc-fsanitize-address-results-in-an-endless-loop-on-program-that-does-nothing. Code change: https://github.com/ArrayBolt3/kloak/commit/c3500fc38cea3d69c96765f6691688e4079ecd67
During work, discovered that Qubes OS and VirtualBox users may be distinguishable from other users based on typing and mouse movement patterns, potentially due to VM clock resolution. Recorded findings at https://forums.whonix.org/t/device-fingerprinting-of-vm-users-virtualbox-qubes-xen/20460.
== 2024-09-24 ==
=== Automatically maximize Calamares window ===
Date: 2024-09-24
Ensured that a fullscreen window was acceptable, tested and implemented. Code change: https://github.com/ArrayBolt3/live-config-dist/commit/ab8a7e1829f7050882385488a67e9a316a9270fd
=== Investigate use of systemd-oomd ===
Date: 2024-09-24
Left a note at https://forums.kicksecure.com/t/consider-installing-systemd-oomd-by-default/223/4 with some thoughts. systemd-oomd has caused trouble before and is likely best to avoid.
=== Check haveged test suite ===
Date: 2024-09-24
The blog article at https://jakob.engbloms.se/archives/1374 made it look like haveged's test suite was passing even if the generator only ever output 1s. Using the latest version of haveged, I patched it to only ever output 1s, then ran the test suite. The suite failed under these conditions. Documented findings at https://github.com/jirka-h/haveged/issues/81#issuecomment-2372664967.
=== add configuration option to disable rescue key ===
Date: 2024-09-24
Kloak development. Added -p (persistent) option for disabling rescue key sequence. Ensured -k (for setting a custom rescue key sequence) and -p could not be used simultaneously, and documented -p in the help output. Code changes: https://github.com/ArrayBolt3/kloak/commit/ac9d1fc2712966a5ae834a690a885db9f10b2b0b
=== Document rescue key ===
Date: 2024-09-24
Kloak development. Added documentation for using the rescue key, customizing it, and disabling it. https://www.whonix.org/wiki/Keystroke_Deanonymization?shownotice=1#Rescue_Keys
=== makefile fix ===
Date: 2024-09-24
Kloak development. Added check for pkg-config to kloak's makefile, fixing a minor indentation-related bug in the makefile in the process. Code changes: https://github.com/ArrayBolt3/kloak/commit/a290f5f0fd864ea459e1c3e75a424fe7dd33cca8
=== Test mouse click obfuscation ===
Date: 2024-09-24
Kloak development. Tested on both my physical machine (Kubuntu 24.04) and on a Whonix Workstation VM. Mouse click events were seen in the log output of kloak when running in verbose mode, and noticeable randomization was being applied even when kloak ran as a systemd service. Reported findings at https://github.com/vmonaco/kloak/issues/51#issuecomment-2371866583 and https://github.com/vmonaco/kloak/issues/51#issuecomment-2372382050.
=== Investigate xrdp support ===
Date: 2024-09-24
Kloak development. https://www.whonix.org/wiki/Keystroke_Deanonymization#xrdp
=== Document kloak testing procedure ===
Date: 2024-09-24
Kloak development. Looked into potential applications that could be used to test kloak's effectiveness. Two hopeful-looking solutions were found on GitHub (https://github.com/johwconst/keystrokeDynamics2FA and https://github.com/goncalopp/keystroke_dynamics), however both of them proved to be prohibitively difficult to set up due to badly outdated Python code. TypingDNA appeared to be too privacy-invasive to recommend to other users. Settled on vmonaco's device fingerprinting test, and documented how to use it. Results can be seen at https://www.whonix.org/wiki/Keystroke_Deanonymization#Defense_Testing.
=== Document how to clear apt-cacher-ng's cache ===
Date: 2024-09-24
Kloak development. Kicksecure's build process uses apt-cacher-ng. If a corrupted package is downloaded from Debian's mirrors, it will crash the current build due to a hash sum mismatch, then crash every subsequent build because the corrupted package will be stuck in the cache. After a couple hours of debugging what was happening, I traced it back to the cache, cleared it, got a successful ISO build after a little bit more fiddling, then documented my findings at https://www.kicksecure.com/wiki/Dev/Build_Documentation/images#Build_repeatedly_errors_out_with_hash_sum_mismatch.
=== seccomp debugging documentation ===
Date: 2024-09-24
Kloak development. Documented how to find a specific system's syscall table at https://www.kicksecure.com/wiki/Seccomp.
=== autostart systemd user unit xdg-desktop-portal ===
Date: 2024-09-24
Got an ISO to build properly after some fiddling, then tested xdg-desktop-portal autostart by:
* Installing xdg-desktop-portal
* Installing xdg-desktop-portal-gtk
* Running systemctl --user status xdg-desktop-portal and systemctl --user status xdg-desktop-portal-gtk - this showed that the portal was NOT running yet
* Opening Firefox
* Clicking Menu > Settings > scroll to Files and Applications > click "Browse..." next to Downloads
* Running systemctl --user status xdg-desktop-portal and systemctl --user status xdg-desktop-portal-gtk while the portal window was shown - this showed that the portal WAS running
Added needed packages (along with an ISO build failure fix) to kicksecure-meta-packages. PR: {{Github_link|repo=kicksecure-meta-packages|path=/pull/1}}
== 2024-09-23 ==
=== bugfix for time issues ===
Date: 2024-09-23
Kloak development. Debugged root cause of time-related keyboard lockup bug reported at https://forums.whonix.org/t/sdwdate-can-cause-system-time-to-jump-backwards-causing-issue-with-kloak/20433, recorded findings and created bugfix. Findings report at https://github.com/vmonaco/kloak/issues/31#issuecomment-2368666686 and https://forums.whonix.org/t/sdwdate-can-cause-system-time-to-jump-backwards-causing-issue-with-kloak/20433/4, bugfix at https://github.com/ArrayBolt3/kloak/commit/36385d7b0050601e6f255b168c297dab8d8fb027
=== Investigate stronger compile-time hardening flags for Kloak ===
Date: 2024-09-23
Found and implemented suggestions at https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html, fixing all code issues found in the process. Code changes: https://github.com/ArrayBolt3/kloak/commit/c9c5a9876bd7fba17ec638efd065cc0836329766
=== Avoid use of strncpy ===
Date: 2024-09-23
https://github.com/vmonaco/kloak/issues/66 mentioned wanting strncpy replaced with strlcpy for better security. However Linux's manpages warned about potential security issues with strlcpy (potential for DoS attacks if an attacker could control an input string) and performance issues, and recommended the use of a custom "strtcpy" function instead. This recommendation seemed reasonable, so I implemented it. Code changes: https://github.com/ArrayBolt3/kloak/commit/0c66a7b2da09cbabc5c4368a532ab43a0f34fbb8
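The trade-off described in this entry, as an added C example (not kloak's code; the linked commit's implementation is not reproduced here). The <code>strtcpy</code> below is modelled on the description in the Linux <code>string_copying(7)</code> man page but uses a plain bounded loop; <code>strncpy_unterminated</code> and <code>set_device_label</code> are hypothetical helpers for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/*
 * Truncating copy in the style of the strtcpy() described in
 * string_copying(7). When dsize > 0 it always NUL-terminates dst and
 * reads at most dsize bytes of src. strlcpy(), by contrast, returns
 * strlen(src) and therefore has to walk the whole source string, which
 * is the cost an attacker-controlled input can inflate.
 *
 * Returns the number of bytes copied (excluding the NUL), or -1 with
 * errno set to E2BIG (input truncated) or ENOBUFS (dsize == 0).
 */
ssize_t strtcpy(char *restrict dst, const char *restrict src, size_t dsize)
{
    size_t slen = 0;
    size_t dlen;
    int trunc;

    if (dsize == 0) {
        errno = ENOBUFS;
        return -1;
    }

    /* Bounded scan: never reads past src[dsize - 1]. */
    while (slen < dsize && src[slen] != '\0')
        slen++;

    trunc = (slen == dsize);          /* no NUL within the first dsize bytes */
    dlen = slen - (size_t)trunc;      /* leave room for the terminator */

    memcpy(dst, src, dlen);
    dst[dlen] = '\0';

    if (trunc) {
        errno = E2BIG;
        return -1;
    }
    return (ssize_t)slen;
}

/*
 * Shows the strncpy() hazard that motivates replacing it: returns 1 if
 * strncpy() left the first dsize bytes of the destination without a NUL,
 * 0 if the result is terminated, -1 if dsize exceeds the scratch buffer.
 */
int strncpy_unterminated(const char *src, size_t dsize)
{
    char dst[64];

    if (dsize > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);     /* make a missing NUL observable */
    strncpy(dst, src, dsize);
    return memchr(dst, '\0', dsize) == NULL;
}

/*
 * Hypothetical caller: treat truncation as a hard error instead of
 * silently continuing with a shortened string.
 */
int set_device_label(char *label, size_t label_size, const char *input)
{
    if (strtcpy(label, input, label_size) < 0) {
        if (label_size > 0)
            label[0] = '\0';          /* do not keep a partial value */
        return -1;
    }
    return 0;
}

int main(void)
{
    char label[8];                    /* constructed sample sizes and inputs */

    printf("strncpy, 8-byte input into 8-byte buffer, unterminated: %d\n",
           strncpy_unterminated("12345678", sizeof label));
    printf("strtcpy(\"event3\") -> %zd\n",
           strtcpy(label, "event3", sizeof label));
    printf("set_device_label(too long) -> %d\n",
           set_device_label(label, sizeof label, "a-very-long-device-name"));
    return 0;
}
```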
=== Integrate "Add a header file to make future development easier" pull request ===
Date: 2024-09-23
Kloak development. Pull request: https://github.com/vmonaco/kloak/pull/61 Adapted and integrated into Whonix's fork of kloak. Code changes: https://github.com/ArrayBolt3/kloak/commit/b0f0c926d84a6d60363c89c11b8f36cc55b57459
=== Integrate "ChatGPT3" pull request ===
Date: 2024-09-23
Kloak development. Pull request: https://github.com/vmonaco/kloak/pull/65 Some of the code (most notably the strncpy bits) was implemented differently in my adaption of it, using strtcpy instead. Code changes: https://github.com/ArrayBolt3/kloak/commit/7f9bc1bcfd08e8b3554e135a4c4d59a0a09b26d8 and https://github.com/ArrayBolt3/kloak/commit/bb4a7143877eb12904e797224c2b0afc05463713
=== Integrate "Add support for new devices attached after kloak starts" pull request ===
Date: 2024-09-23
Kloak development. Pull request: https://github.com/vmonaco/kloak/pull/67 The implementation of this PR had some issues, mainly with the use of a separate kloak process for every input device. I mentioned this at https://github.com/vmonaco/kloak/pull/67#issuecomment-2369121000, then adapted the code using a method that used only a single kloak process for all devices. Code changes: https://github.com/ArrayBolt3/kloak/commit/0d91a09a76ffa21b2782d673fcb91b16574b58d6
=== Add ASan and UBSan integration ===
Date: 2024-09-23
Kloak development. Investigated ASan and UBSan, determined how to add them to kloak, and ensured nothing broke horribly when done. Ultimately ended up being quite easy. Code changes: https://github.com/ArrayBolt3/kloak/commit/5beda6da49cf1ef9ef09767e35a5660015160ee8
=== Fix ARM support ===
Date: 2024-09-23
Kloak development. ARM support bug: https://github.com/vmonaco/kloak/issues/25 ARM support seemed to mostly "just work" on the Raspberry Pi 4B when compiling and running kloak directly, unsandboxed. However sandboxing revealed that the syscall filtering rules set in kloak's systemd unit were not correct and thus kloak was crashing. Determining the right syscalls for aarch64 (and then also for x86_64 on top of that) took a while, as did setting up the RPi as a development board, but it was doable. Code changes: https://github.com/ArrayBolt3/kloak/commit/d7f386dcdd25263eb9e7a7031b171fdec3d0d4d3 and https://github.com/ArrayBolt3/kloak/commit/7fa9500c32f6560bf6ee7fe55438e27869601a0e
=== Code review with ChatGPT ===
Date: 2024-09-23
Kloak development. At Patrick's suggestion, I ran kloak's main.c file through ChatGPT to see if there were obvious issues. Based on its advice, I broke out post-execution cleanup code into its own function and ensured that the cleanup code was called on both normal and abnormal shutdowns. No AI-written code was integrated into kloak in the process, nor were any suggestions blindly implemented. Code changes: https://github.com/ArrayBolt3/kloak/commit/ba5df2543f247ed5592690d97019e0444e79b749
=== Create pull request against Whonix's kloak fork ===
Date: 2024-09-23
Kloak development. Reported changes and suggested merging them into Whonix's kloak fork. Pull request: https://github.com/Whonix/kloak/pull/1
= Hans =
== Current sprint ==
=== Sprint 2025-08-05 to 2025-08-22 ===
* 2025-08-22
** Homepages
*** card spaces bugfix
*** Enable link previews on the homepages
*** homepage cards same in all sections + bugfixes
*** Whonix press links new html structure and CSS
**** change for all articles
**** check all links make suggestions
*** Kicksecure HP integrate USBGuard as upcoming card
** preview extension code analysis and no bug report suggestion
** Improve template keypress + use on SysRq Page
* 2025-08-21
** Kicksecure HP ram-wipe image fix
** Homepages
*** New homepage js transforming paragraphs into modals
*** change, shorten and simplify card html structures to use it and move it to any section and make it easier for editors
*** Prevent h3 and modal in section upcoming (but it's there in html to guarantee movability)
*** multiple p.section allowed in modal (needed for Whonix HP)
*** complete rework of Kicksecure and Whonix homepages cards
*** fixing of some old bugs by editors
* 2025-08-20
** Homepage move features analysis
** Discussion Kicksecure Tagline and Slogan + integration in homepage
** Kicksecure HP add Ramwipe as upcoming feature and Signature Policy as existing
** Whonix Qubes page improvement
** new template keypress
*** documentation + wikitests
*** improvement of template iconset
* 2025-08-19
** Content improve introlike on privacy policy page
** Table Margin Whitespace discussion + analysis + adjustment
** Table caption redesign
** About page spaces optimization
** mininav
*** preventing visited color on links
*** external link marker
*** internal marker feature
*** documentation + wikitests
*** convert to tab controller link symbols
** Kicksecure Tagline Discussion and Analysis
* 2025-08-18
** SVG Template Research image not loading bug + analysis + suggestions
** table expand modal
*** whitespace bugfix
*** mobile scroll up reload bugfix
** table expand button buttony style and hover effect style
** wikitable caption styling analysis + vertical margin improvements
** About wiki page bugfix headline margin
** upgrade template anchor with visible version and alt-text
*** documentation + wikitests
*** replace all anchor_link uses in Whonix and Kicksecure + remove anchor_link
** Generalize sharetooltip initialization and add anchor template
* 2025-08-14
** New mininav info feature
*** dark theme adaption
*** documentation + wikitests
** wikitable
*** Removed all scroll-table mentions
*** remove all style attributes
*** replace informal with formal caption
*** remove Table prefix
*** Manual fixing of Table for not caught tables
*** All changes manually reaffirmed
*** regexp for admin for invalid tables
*** new Styling of table caption was done
** tableExpand
*** New examples created in wikitext
*** re-positioning of expand-table-button
*** re-styling to fit into new wikitable caption
* 2025-08-13
** Table Modal
*** improvements discussion
*** table word breaks
*** Mobile Design improvement
*** Button horizontal positioning bugfix
*** Button vertical table overwidth reposition feature
*** Prevent double ids in modal
*** enable link and footnote preview popups in modal
*** Center tables in modal
** MiniModal experiment add horizontal scrollbar was tried but base library has no feature
** Discussion new content and wikitable replacements
* 2025-08-12
** Discussion ToDo
** New feature TableExpandModal
*** bugfixing
*** finetuning
*** documentation
*** wikitests
*** docu on Wiki_enhancements
** HP section headline spacing bugfix
* 2025-08-11
** Remove dev zone heading notice and keep middle area icon free
** Whonix usb page thumb fixed
** Non-clickable footnotes tested not reproducible
** Discussion other Linux distros
** info-box new class ib-dark + documentation + wiki tests
** new template styledText + documentation + wiki tests
** prettified template upstream wiki
** icon bullet list improved shadow
** homepage dark sections margin fix for wiki new headline html structure
** SVG template upgrade anonymous width parameter
* 2025-08-08
** Fixed Kicksecure Homepage tab controller broken
** Fix all mw-headline documentation
** Whonix USB illustrative image
** Dev zone styling according to new specs + revisions + suggestions
** Template stylistic upgrades
*** freedom software
*** flatpak
*** flatpak_add_repository_short
* 2025-08-07
** GitHub Link update
*** add new path feature
*** documentation update
*** wikitext update
** extlink update
*** extlink documentation update
*** extlink wikitest update
** github link replacement use case analysis + partial replacements (very complex, process stopped)
** fixed EditorAutoBackup.js for new headline syntax
* 2025-08-06
** Tab controller repair to work with new html headline structure + Testing
** Widget Headline repair new headline structure
** Fix share tooltip selector bug due to newly unescaped IDs in new Mediawiki
** Controller vs image review + explanation and suggestions
** DiscoverHiddenElements new selector for headlines
** AddMessageToCopiedText Repair protection for headlines with new selector + testing
** SaneCase Extension activation + functional Evaluation + test cases
** Developer zone styling
*** background image
*** specific css
*** warning label
** Improve headline spacing
* 2025-08-05
** Discussion Todo
** git token error analysis
** link-to-archive
*** check upstream + check all pull requests + analysis for admin
*** update to new syntax
*** testing
** SaneCase Extension Review and Recommendations
** Share toolkit add to new wiki html structure
*** fix id and content references
*** fix headline edit buttons to old position
*** prevent content shift
== Sprints Archive ==
{{Collapsible
|title=Archive
|content=
=== Sprint 2025-03 to 2025-06 ===
* 2025-05-20
** Review wiki editor buttons bug - not reproducible
** Deactivate breadcrumbs + breadcrumb design ideas
** use-2/3-columns improve documentation and tests
*** add strict list feature to 2 columns
*** new feature force break
** Created SVG Template and Widget
*** documentation + tests
*** use on requested tab controller
** mobile screen refinement
*** Smaller display font sizes on mobile devices for all headlines
*** wikibook navi better positioning
*** header menu button repositioning
* 2025-05-19
** Fix: Whonix hp double first Headline bug by wikibook-generate and accept in flagged revisions
** Fix: Link preview on navigation bug.
*** Research on source code (Perplexity and chatgpt not helpful)
*** Found excluding keywords, "internal" chosen and added to all links in navigation
** wikibook generate
*** Duplicates loop bug fixed. Prevent duplicates in nextpage
*** Decouple navi filtering from prev/next, so duplicates do not interfere with next item
*** Outsource prev mechanic into its own loop too
*** Fix: Index page previous loop bug (Advanced documentation links with itself as previous) and index page format bug (using underscores "_").
*** Documentation for WikiBookIndex Template and Widget
*** Documentation for WikiBookGeneration
*** Move widget parameter {{{for}}}→{{{1}}} + documentation
*** Re-checked old tasks. Already solved by admin (1) copyright move and mass replace links (2) Template:q_project_name_short replaced
** Dev/mediawiki split up into (1) keep main (2) Archive
** Bugfix: Dev/mediawiki research on wrong Category multiwiki classification
*** Correction of Template:Flatpak install
* 2025-05-16
** Discussion Todo Template Newlines Duplicates Bugs
** Wikibookindex
*** Create super robust page reference comparison for wikibook generation and in-wiki (new: compare keys vs old: compare titles which have more variation options)
*** Improved duplicate check with counter (not only where but how many) and better presentation. Fixed "Download Security" bug
*** footer variant styling
*** integrated into template:footer
** firstHeading and page beginning style improvements
** template title
*** upgrade: anonymous parameter as fallback
*** documentation
* 2025-05-15
** wikibookindex
*** discussion todo navigation positions
*** restyling first heading
*** firstheading new html construction
*** add default case to template switch for use in firstheading for non-indexed pages
*** Introduce parameter for=firstheading/footer
*** seo research about hidden elements and seo cloaking
*** upgrade Title template
* 2025-05-14
** wikibookindex-generate-indexes.php
*** Improve duplicates message
*** Generate widget call with url and titles (Send full url to the widget)
*** Restructure and use switch wrapper to just select single page and send to widget
*** Introduce test dummy for Testpage
*** index as first page in navigation for that index
*** multi-index chaining after last page (next page is first page of last index)
*** check for, warn and prevent indexes inside other indexes
*** Remove fullurl use for empty entries
*** styling for wikibook index navigation prototype
** deploy script improved closing (no time wasted, copied from another project)
* 2025-05-13
** discussion todo navigation
** wikibookindex-generate-indexes.php
*** Debugging for links, manual link analysis and discussion
*** Remove page anchors, Improve separator, design added to indexes
*** Advanced documentation added to doc in wiki
*** Warning method about duplicate links introduced
**** Solved array-bug = in page in multiple indexes problem
*** Remove duplicates from final output
*** Solved false-positive-bug for empty string
*** Solved false-negative bug e. g. for "forcing onion"
*** New utility class for admin scripts
**** out function improvements: new markers, new output, quality of life etc
**** exec function
**** Was a mess before. New syntax not applied to other files yet (recommended)
* 2025-05-12
** wikiBookIndex
*** wikibookindex-generate-indexes.php to create template
**** Generate Index
**** Generate Navigation
**** Save to wiki page
**** Output for user
*** create template (autogen)
*** create widget
* 2025-05-09
** tab controller Improve choose tab position + margin and symbol
** search engines
*** create dedicated page
*** evaluation improved criteria
*** Bug reports Search Engine Reevaluation Request chapter
*** Please use search engines search engines chapter
*** Transparency page voluntary listings chapter rewrite + added mojeek
*** Kicksecure welcome page add startpage + optimize styling
*** Whonix welcome page add startpage + onion research + new general search logo
** bugfix editor + AddMessageToCopiedText.js + testing
* 2025-05-08
** Research Search Engines
** Discussion Todo Search Engines + Virtualbox parameter task + book like task discussion
** Virtual Box simplify task
*** absorbing templates
*** renaming pages
*** testing
*** new analysis of parameter structure and deep parameter optimization suggestions + implementation
*** documentation of new DownloadTableUnified
*** update download button documentation
* 2025-05-07
** Browser choice mockup further discussion
** Implementation of transparency tooltip for search engines on Kicksecure then Whonix local page (onion used) + style improvements
** Virtualbox template tree cleanup deep analysis of template tree structure and reduction suggestions + download VirtualBox locally for comparison
* 2025-05-06
** Analysis and Discussion of local Kicksecure page regarding Startpage, Disroot, SearXNG and searchengine party
*** Dark Mode suggestion analysis
*** re-visit after more forum posts
** Browser choice mockup review
** upgrade editoraddneweditbuttons position cursor right before closing tag
** book index style navigation deep analysis and implementation suggestion
** Add new transparency task
** formalize search engine criteria
* 2025-05-05
** Discussion Todo
** Tab Content controller tab duplication bugfix
** solution ideas for tab controller navi top margin issue
** search engine searxng research and summary
** VirtualBox wiki page analysis and suggestions
** download button os=iso new image
*** implementation
*** wikitests + documentation
** Kicksecure local welcome page darker style better readability for navigation
** user-sysmaint image task - new thumbnail
* 2025-05-01
** Kicksecure HP 4 new features + Whonix 1 features mouse fingerprinting
** video link google preview bug analysis + bugfix
** GitHub link template + wikitests + documentation
* 2025-04-30
** Analysis and new task created for small image resistant cache problem
** Discussion ToDo - browser choice
** browser choice page review and suggestions
** sdebian template redesign
*** optimization + testing
*** new logo
*** new class img-height-50 + documentation
** Kicksecure HP 5 new feature boxes and modals with texts and new original images
* 2025-04-29
** table scrolling bugfix
** tab controller tab style improvements
** analysis / discussion images refs in whonix and kicksecure forums
** homepages 4 cards and modals distinctive texts
** splide-setup to start with item 2 on homepage so 1/2/3 are seen first not -1/1/2
** image upgrade tasks
* 2025-04-25
** macOS split for Kicksecure + install page improvements
** Discussion ToDo
** New template Grub BootEntries + documentation
** Improved suggestions for new boot menu
** Revision of 3 pages related to user-sysmaint-split
* 2025-04-24
** Discussion ToDo
** Kicksecure new boot loader text suggestions
** Kicksecure HP manual tab controller for download options + scrolling bug fix
** About page remove download options + use introLike for text above TOC
** ISO page info-box about download options
** Download pages re-ordering
** riscv64 make logo and preview image + on both wikis
*** new page
*** add architecture mininav
*** add to download and download special info table and architecture support and HP
*** added architecture mininav on all whonix pages
** new architectures-combi-logo
** Kicksecure homepage unified height adjustment for download cards
** Security settings done to hide backtraces and exception details in general
* 2025-04-23
** New Downloads big task
*** logos created (processors, mac etc)
*** new download stub wiki pages + applied on Kicksecure Download and HP + applied on Whonix Download and About
*** more stub pages like Architecture_Support
*** download more info table on both wikis updated + new logos for table
** comingsoon template created
*** style
*** documentation
* 2025-04-22
** New switcher theme as default for tab controller mininav
*** remove dark style option
*** new none active indicator
*** documentation
** Kicksecure forum header missing items bugfix
** Homepages remove duplicate features
** New Download options 3 logos (arm, raspberry, ppc64)
* 2025-04-21
** Archived Bug no edit not reproducible
** Discussion ToDo + new Download options
** wikieditor custom buttons remove newlines in selected text
*** improve code readability
*** new editor detection method
*** upgrade editorAutobackup
** scrollbar overlapping share widget bug fixed
** Mediawiki style bugfix for editor (background missing due to bug in MediaWiki update)
** PHP warnings fixed with variable checks
** Replace Unicode chars with ascii encoding + testing + documentation
** TOC hide TOC content completely by hide content checkbox
* 2025-04-09
** Hero image HTML harmonization between Kicksecure and Whonix + Lighthouse tests
** all multiwiki pages reviewed for to be protected + list created
** widget:non-freedom optimized for page performance
** Kicksecure hero image jpg to jpeg
* 2025-04-08
** Ai improvements
*** PayViaPaypal: replace comma with dot, use const, hide debug output, remove duplicate sandbox indicators, improve sandbox logic, bugfixes
*** ScrollAutoWrapper.js
*** suggestions for admin
** new primitive based hero images for Whonix and Kicksecure
*** experimentation to find optimal quality vs size
*** reduce blur on hp
*** documentation
** homepages feature presentation splitting suggestions
* 2025-04-07
** Discussion Todo
** Study and analyse AI improve suggestions
*** aria improvements on 10+ files or widgets
*** security improvements
*** implementation of good ai suggestions
*** testing + documentation
* 2025-04-01
** Cite note and cite ref style improvements plus animation
** deploy to servers change indication improvement
** AI review for all widgets php js and our own extensions
** stub domains documentation
** image Library primitive review and testing and documentation
* 2025-03-31
** Discussion ToDo
** dev.pre styling (and html) problem
*** research
*** new template prebox
*** documentation template and pre chapter
*** new wikitests
*** replace old syntaxes
*** Also on Whonix
** new template newline + documentation
** CodeSelect inline bugfix/ upgrade + documentation
** footnote highlighting analysis
* 2025-03-28
** EditorSaveAndContinue
*** Bug analysis
*** Fix: modified minimodal
** Archive_Link / ExtLink
*** Move Archive_link functionality to ExtLink
*** documentation update
*** wiki editor documentation update and new policy for local direct links
*** update in all files
*** remove old template and widget
*** all also on whonix
** bugfix download/donate modal crypto icons broken
** bugfix broken brand header on Kicksecure forums
* 2025-03-27
** Archive_link new revised version implemented in textwidget
*** implementation discussion + transfer to live widget and template
*** new wikitests
*** replace all instances of old syntax with new syntax or with ExtLink Syntax
*** documentation
*** documentation for wiki editors
*** anonymous parameter template widget problem research + documentation
** new template ExtLink + Widget
*** documentation
*** wiki editor documentation
*** wikitests
* 2025-03-26
** Archive Link Template implementation of new link-to-archive features
*** documentation update
*** wikitest update
*** adjust linkToArchive icon sizes for coherent look
*** multiwiki to Whonix and tested
*** revision discussion
*** new logo for general archives
** Donate Legal Disclaimer own Template
*** integrated in Donate page
*** integrated in download/donate modal via ajax
*** removed superfluous legacy code in download/donate modal
* 2025-03-25
** Task housekeeping
** new sitenotice solution : thorough testing and docu review
** design new legal text for supporting Kicksecure
** Header menu - forum best practices added for Kicksecure and Whonix
** link to archive extension
*** Archive Today pull request analysis
*** feature discussion
*** git synchronization
*** implementation of new features
*** wikitests chapter for extension
*** made compatible with archive_link template (styles)
*** new logo design
*** documentation
* 2025-03-24
** Short Discussion
** Pay What you want text improvement and brand suggestions
** sitenotice banner
*** not dismissable on onion analysis
*** improved documentation
*** Extension analysis
*** bugfix for Tor browser (samesite issue)
*** bug analysis: user error
*** research suggestions for new solution
*** implementation of new solution
*** update styles
*** update documentation
*** Testing
*** multiwiki to whonix
=== Sprint 2024-08 to 2024-10 ===
* 2024-10-13
** Template Quotation upgraded to work in lists + documentation
** 4 pages review and beautify, thumb image
*** root
*** pw defaults
*** boot modes
*** account isolation
* 2024-10-12
** kicksecure wiki link template logo created and integrated
** self help pages merge and unmerge
** navi template documentation updated and integrated in new member pages
** navi template self-help created and integrated in the pages
** 10 various web dev topics researched and analysed as requested
** Troubleshooting page complete revision
* 2024-10-11
** Server forcing browser cache clear methods research and suggestions
** Kicksecure About page promo beauty content
** Self support first page new chapter + new image
** VPN port shadow attacks content
** help yourself mininav template suggestions
** Documentation links added
** template kicksecure_wiki archive none + target_blank + improve image suggestion
* 2024-10-10
** Download Button Modal
*** small headline padding stylefix
*** bottom button hidden on mobile fix
** cache reliable solution research and suggestions + discussion
** instant page download preload bugfix
** mw-headscript move cache busting to server replacements
** mobile browser cache busting research + recommendation
** cache documentation complete revision and update to newest techniques
** css extension fork reevaluation
** documentation of vanishing scrollbars
* 2024-10-09
** miniModal
*** if active stop body scrolling + remove content shift
*** custom scrollbars for all modals + auto-updating on resizing
*** recheck all modals and make compatible with new method
** remove legacy js code from footer
** download button modal
*** remove file-url from file-info
*** bugfix modal multi init (multiple ids bug)
*** remove leading string "download\s*" from file info
* 2024-10-08
** Discussion Todo
** Download Button Modal
*** optimize donation panel widget and payment page
*** load payments via ajax into modal (new technique)
*** load css file via ajax
*** new crypto icons and more tag
*** fine tuning + update download button documentation
** documentation for new ajax method [[Dev/mediawiki#Javascript:_Ajax_Loading_for_special_cases|Javascript: Ajax Loading for special cases]]
** new coming soon icon
** Tronix payment added to payments page
* 2024-10-07
** EmbedVideo remove Footer
*** improve play button
*** mobile width style
** PayViaPaypal small bugfixes
** Download button new modal feature
*** styling + tests
*** icon revision
** documentation
** instant page download button bug analysis
** Install_Software page review + revision suggestions
* 2024-10-04
** IconSet
*** style improvements
*** replace icon with iconset in most instances
*** also replace virtualbox "number" style with iconset
*** new iconset style keyboard
*** documentation
** pageloading report console styling improved
** "Install Additional Software Safely" page introduction improved
** performance tests page: new test executed and documented
** new color schemes for fonts
** Whonix Windows Installer page revision
** iso page
*** step images chapters
*** well done banners
*** troubleshooting chapter
*** video player poster and fullscreen research
** Pay as you go modal solution suggestion
* 2024-10-03
** Number icon task analysis + suggestion
** icon template
*** new parameter shadow
*** parameter border fat, thin values
*** documentation
** new template iconSet with presets
*** tests + documentation
** editorAutobackup some bugfixes
*** database consistency check cleanup
** codeselect php warnings existence checks
** js pageloading time testing
*** new method to capture asynchronous loading
*** improved reporting
*** documentation
** iso page embedvideo integration for boot menu explainer video + fullscreen research
* 2024-10-02
** Hashcontroller Upgrade + documentation
** async JS loading for codeSelect + sharetooltip + scrollAutoWrapper
** wiki load cascade documentation
** Detailed report ISO documentation - compare with Tails
** Total revision of virtualbox and all its sub templates
* 2024-10-01
** EditorAutoBackup saving bug research
** Dev/mediawiki loading delay bug analysis
*** DebugViaUrlModal upgrade all scripts loaded
*** MwCombineJsWrapper bugfix hashcontrol conditional
*** slow page individual script analysis report
*** web worker research
*** setTimeout Method applied to MwCombineJsWrapper
* 2024-09-30
** Boot Help Video
*** Direction discussion
*** Animation Revision
*** new step (beginning, research notice)
*** audio track created
*** speaker text draft
*** exiftest and upload
*** video embed extension research for MediaWiki
** debug helper old file url bug analysis + fix
** new script CollapsibleGlobalMods.js to globally apply “learn more” label + also “Show Less” label
*** removed all data-expandtext and data-collapsetext
* 2024-09-27
** WhonixOnMac Tabcontroller vs thumbnail analysis + clearfix implementation + documentation
** Discussion ToDo Boot menu + twitter image bug
** Icon Template two new parameters border text
*** style param 1 new option
*** tests + documentation
** ISO page “Boot the ISO” chapter revision rewrites
*** reorder + illustration
** ISO page boot menu explainer video created
* 2024-09-26
** USB_installation discussion and small improvements
** ISO page
*** number icon color language changed
*** number and alphabet icons for Linux Ubuntu and Debian
*** beautify iso_writer_installation_linux more and sub templates
*** ISO page 7 new images for TOC (steps)
** gallery tag new white style created
*** documentation + tests
** codemirror large file problem research + summary
* 2024-09-25
** Art Gallery image fix
** revision of USB-Installation
*** texts + icons
*** restructure + styling
** Super large file problems codemirror research
** EditorAutoBackup byte oversize management feature
*** general exception handling
*** icon color change + notification
*** documentation + cleanup
* 2024-09-24
** Template:Collapsible feature addToClass added + documentation
** EditorAutoBackup bugfix limit case
*** quota exceeded improvement suggestion
** New template Icon + tests + documentation [[Dev/mediawiki#Icon_.28Template.29|Icon (Template)]]
** [[Template:Iso_writer_installation_linux]] improved
** [[ISO]] page completely revised 100%
*** image overwidth fix (globally)
** improved {{CustomRepo|_Template_VirtualBox_CSS.css}}
** [[Progress_Reports]] page intro + image + Hans data + styling
* 2024-09-23
** request-servers-to-fetch-and-deploy.sh created
*** secrets outsourced
*** references updated
*** documentation
** EditorAutoBackup features discussion
** ISO thorough testing
*** Discussion ISO
*** heavy editing of page ISO 60%
** new gray and white color schemes added + documentation
* 2024-09-19
** CodeSelect white space bug analysis
** Editor-Autobackup new 100% implemented
*** documentation
*** added to wiki enhancements
** deploy to servers prompt improvement
* 2024-09-18
** CodeSelect new technique textarea global helper
*** table with codeselect overheight bugfix (automatically because it was caused in Firefox by old technique)
*** codeselect cleanup and logical restructure
** gallery tag documentation and wikitest test
** Editor-Autobackup new 50% ready
* 2024-09-17
** CodeSelect
*** execCommand replacement research + implementation of new syntax + permissions research
*** white space bug solution (new implementation via textarea)
** Discussion ToDo
** CodeEditor pre and underline
*** images created
*** buttons added
* 2024-09-16
** CodeSelect research leading space bug + found newline collapse bug
** add reporting bugs to support header whonix kicksecure
** gallery tag mobile and minerva skin research + minerva like implementation
** Extension HeadScript documentation update
** Discussion competitor page style Research
** Wiki Enhancements Extensions search + texts + remove standard extensions
** EditorAutoBackup version 2.0 specifications
* 2024-09-13
** Whonix and Kicksecure local pages move local info
*** remove metager + add perplexity (kick)
*** legacy code cleanup
** Gallery usage discussion
*** new gallery template tried but not working with Template
*** Research about [[Mediawiki:files]] 
|onion={{QubesOS_onion}} |onion=http://{{QubesOS_onion}} - essential for usage in Widgets
* 2021-12-29: Footer subdomain fixes by protocol and apex domain for forums subdomain (whonix.org and .onion)
* 2021-12-28: Footer redesigned
* 2021-12-24: Template [[Template:Subdomain_link]] and [[Widget:Subdomain_link]] created (ability to link without knowing the website context)
* 2021-12-23: CodeSelect further improved: less white space, more compact, better nojs-version, better js-animation
* 2021-12-23: Combi task: External Links / Template + Widget Archive-Link
** Improved Mediawiki Extension "Link to archive"
*** differentiate automatically between normal link, onion-link and link to web.archive.org
*** Show logos instead of long "[archive]" text
*** logo / title attribute / logo link href according to linked url: normal → archive symbol + archive link / onion → onion logo and onion link / archive link → archive logo and same link
** Templatecode
[[Template:Archive_link]] and [[Widget:Archive_link]]