{{Header}}
{{title|title=
Progress Reports 2
}}
{{#seo:
|description=Overview on the continuous progress for Kicksecure (and Whonix) with individual specific contributions for content, research, implementation etc
|image=Page-progress-reports-thumb.jpg
}}
{{devwiki}}
{{about_mininav}}
<div class="mininav">
* [[#arraybolt3|arraybolt3]]
* [[#Hans|Hans]]
* [[#nurmagoz|nurmagoz]]
</div>
[[File:Page-progress-reports-thumb.jpg|thumb|200px]]
{{intro|
On this page we give an overview on the continuous progress for Kicksecure (and Whonix) on the most active contributors.
}}

= arraybolt3 =
== 2025-11-04 ==
=== Investigate disabling Hyper-V under Windows ===
Date: 2025-11-04

Worked with Patrick to discover the steps needed to disable Hyper-V on Windows 11. This should allow VirtualBox to run at full speed.

=== Make it more obvious when a Qubes HVM doesn't have enough RAM to work with the Kicksecure ISO ===
Date: 2025-11-04

Bumped up the RAM limited in rads and adjusted how the low RAM message from rads is displayed so that users are more likely to notice it.

=== Test Kicksecure ISO for live mode issues ===
Date: 2025-11-04

Attempted to reproduce problems with live mode under Kicksecure on VirtualBox. Was not able to reproduce the problems, even when working with Patrick to figure out the root cause.

=== Test Whonix 18 for disk corruption on Manjaro ===
Date: 2025-11-04

Installed a pair of Whonix VMs in Manjaro using KVM. Was not able to reproduce the disk corruption issue with them. Documented a possible workaround for the issue on Whonix 17, considering the issue solved enough.

== 2025-11-03 ==
=== Debug Whonix disk corruption bug under Fedora and Manjaro, investigate Windows privilege elevation ===
Date: 2025-11-03

Was not able to reproduce the disk corruption issue on Fedora 42 KDE. Was able to reproduce the issue once on Manjaro KDE, but could not reliably reproduce it thereafter. Took some notes about the issue and left a suggestion for how to possibly work around it. Also researched how to handle user account control and privilege elevation under Windows so that Whonix-Installer can disable Hyper-V automatically during the installation.

=== More systemcheck gripe fixing under Qubes OS ===
Date: 2025-11-03

Discovered the root cause of one one of the systemcheck gripes (specifically the oen related to systemctl and D-Bus user bus access). Filed a bug report against Qubes OS for the issue.

== 2025-11-02 ==
=== policyrcd-script-zg2 feature request for drop-in config directory ===
Date: 2025-11-02

Asked the upstream developers of policyrcd-script-zg2 if they'd accept a drop-in config directory feature contribution.

=== Fix some systemcheck gripes under Qubes OS ===
Date: 2025-11-02

Patrick and Marek both were seeing some systemcheck messages that should not have been appearing. Fixed the root cause of several of them, silenced other false-positives. Haven't finished debugging all of them yet, but most of them are fixed.

=== Implement better power management defaults ===
Date: 2025-11-02

Added improved power management configuration to desktop-config-dist. The new configuration should be reasonably usable while providing better security than LXQt's default configuration (by virtue of locking the screen rather than suspending to avoid a race condition that could leave the screen unlocked).

=== Make Livecheck only show one information window at once ===
Date: 2025-11-02

A user could open a theoretically unlimited number of Livecheck windows at the same time previously. Added some code so that the user could not open a new Livecheck window until they closed the old one.

=== Reload labwc keyboard layout when using set-system-keymap ===
Date: 2025-11-02

Added code to the <code>set-keyboard-layout.sh</code> library that reloads labwc configuration after setting the system-wide keyboard layout.

=== Fix text encoding issue caused by improper locale setup on Kicksecure VM images ===
Date: 2025-11-02

Flatpak was outputting question marks in place of Unicode in some instances. Discovered this was because of improper locale configuration, determined why the locale was not being configured properly, and created a fix.

=== Fix sdwdate-gui issues when sys-whonix is booted in sysmaint mode ===
Date: 2025-11-02

We were hardcoding a UID in the sdwdate-gui proxy helper script. Fixed this so that it determines the correct UID based on the value of the <code>/default-user</code> key in qubesdb. Also fixed an issue where the sdwdate-gui icon would get stuck on the wrong icon in some instances.

=== Reproduce, file bug report for LXQt sleep + screen locking issue ===
Date: 2025-11-02

Successfully reproduced the screen lock timing issue on Arch Linux, and filed a bug report about it. Turns out to be a race condition between putting the system to sleep and locking the screen.

=== Test new disallowed-test in systemcheck on a newly build Kicksecure KVM image ===
Date: 2025-11-02

Previously the AppArmor "disallowed-test" failed for me in a KVM virtual machine. Built a new VM from scratch, discovered that the issue does not occur there.

== 2025-11-01 ==
=== Try to reproduce LXQt sleep + screen locking issue on Arch ===
Date: 2025-11-01

On Kicksecure, LXQt would sometimes put the system into sleep before locking the screen all the way. Attempted but failed to reproduce the issue on Arch Linux, made some notes for future debugging.

=== Investigate user-sysmaint-split vs policyrcd-script-zg2 ===
Date: 2025-11-01

Looked at how policyrcd-script-zg2 works and how it interacts with user-sysmaint-split. Suggested that we remove it from our dependencies.

=== Document flatpak authorization hardening in security-misc ===
Date: 2025-11-01

Added documentation to the README about the Flatpak authorization hardening added to security-misc.

=== Make vm-config-dist installable on all platforms ===
Date: 2025-11-01

Removed some deprecated code from vm-config-dist, and added needed checks to make sure it could be installed on physical systems and virtual systems other than VBox and KVM. This should make it easier to move Kicksecure images between hypervisors, and allow us to ship vm-config-dist on the Kicksecure ISO to improve the experience for users who use the ISO in a virtual machine.

== 2025-10-31 ==
=== Research, start discussion on power management config for physical Kicksecure systems ===
Date: 2025-10-31

Went through all of the settings supported by LXQt for power management, documented advantages and disadvantages of each one from a security and usability perspective, and created a recommendation for settings we should use by default. Awaiting feedback from forums.

=== Investigate, harden Flatpak security rules for app installation and management ===
Date: 2025-10-31

Patrick discovered that one could install a Flatpak system-wide even when running in a user session and logged into account <code>user</code>. Discovered why this was the case, and implemented changes to Flatpak's configuration to prevent this and require authentication for most Flatpak-related operations.

=== Fix fakeroot-caused systemctl errors in dnf-3 uwt wrapper, silence unnecessary warnings ===
Date: 2025-10-31

alimj pointed out that the issue with Qubes updates showing "Operation not permitted" errors was because of fakeroot. Determined that it was possible to use <code>privleap</code> to work around the issue. Implemented the fix, and also silenced some warnings that weren't important for the user to see.

== 2025-10-30 ==
=== Start preparing vm-config-dist to be suitable for installation on all platforms ===
Date: 2025-10-30

vm-config-dist has some things that are useful for Qubes, and we want it installed on the Kicksecure ISO so that if people boot the ISO in a virtual machine, they get the benefits it provides in that VM. Started work to make vm-config-dist able to be installed without issues on all supported platforms.

=== Diagnose, mask cast-qual compilation warning in kloak ===
Date: 2025-10-30

The way in which libwayland-client works ends up with a "const" qualifier being discarded when attaching a listener to an interface. This issue is present in the library itself and also in code automatically generated by wayland-scanner. Determined why it was happening, decided it was likely benign, and added some GCC pragmas to kloak to silence cast-qual warnings from two autogenerated header files.

=== Enable systemd-journald audit transport to fix apparmor-info ===
Date: 2025-10-30

apparmor-info wasn't working because the systemd-journald audit transport was not enabled and apparmor-info attempts to scan messages from that transport. Determined how to enable it, and did so. Needs an image rebuild to test and make sure it fully works, which has not been done yet.

=== Review, adjust backlight tool changes ===
Date: 2025-10-30

Reviewed some changes to backlight-tool-dist that Patrick made, made some changes to strings displayed in the UI.

=== Fix graphical relog in sysmaint sessions ===
Date: 2025-10-30

We weren't taking into account the possibility that someone might log out of a graphical sysmaint session without rebooting. However, one can cause what looks like a relog by running <code>sudo systemctl restart greetd</code>. Upon logging back in, a black screen would be displayed. Determined why the issue was occurring and fixed it.

=== Finish screen locking enhancements ===
Date: 2025-10-30

Added the needed code to disable screen locking under VMs via vm-config-dist. Tested it, appears to work.

== 2025-10-29 ==
=== Improve screen locking experience ===
Date: 2025-10-29

Unified all screen locking controls in helper-scripts' <code>lock-screen</code> script. Added better notifications, LXQt integration, and a much better screen lock notification image.

=== Try to debug dnf-3 issues in Qubes-Whonix-Gateway ===
Date: 2025-10-29

Marek saw an OpenQA failure with the new dnf-3 wrapper. Could not determine what was wrong with it in debugging, may have been a transient issue or related to the fact that we had two different argument injection mechanisms working at the same time. Did some research, shared results in chat, and left things unchanged in this area for now.

== 2025-10-28 ==
=== Add missing systemd units to sysmaint-boot.target ===
Date: 2025-10-28

Found several units we weren't starting in sysmaint mode that we were supposed to be, and added them to the "Wants" of sysmaint-boot.target.

=== Write dnf-3 wrapper for dom0 updates over Whonix-Gateway ===
Date: 2025-10-28

Created a proxy argument injection wrapper for dnf-3 to replace the qubes-specific proxy argument injection solution. Mostly works, but Marek spotted issues with it in OpenQA, which I'll need to work on.

=== Review suggested changes tor-control-panel for separating it from anon-connection-wizard ===
Date: 2025-10-28

Looked at and commented on some code changes submtited by troubador. Also mentioned an issue with the "new identity" button.

=== mediawiki-shell static analysis ===
Date: 2025-10-28

Used static analysis tools on mediawiki-shell (BashSupport Pro and Shellcheck) to find and fix a few more issues.

== 2025-10-27 ==
=== Continued review of mediawiki-shell refactoring ===
Date: 2025-10-27

Finished reading through and polishing the mediawiki-shell refactoring work from Ben. Need to still run some analysis tools on it, but it's close to done.

=== Comment on qca-addon-whonix PR from Ben (default dvm set issue) ===
Date: 2025-10-27

Continuing discussion on how to best set the default DispVM for Whonix templates.

== 2025-10-26 ==
=== Finish initial port of sdwdate-gui-client to asyncio and pyinotify ===
Date: 2025-10-26

Originally we were using Qt for sdwdate-gui-client, since it allowed convenient handling of both network and file change notifications. This required more memory than using lower-level frameworks however. Rewrote sdwdate-gui-client to use asyncio and pyinotify instead. The initial port seems to work but needs more review and testing.

=== Begin review of mediawiki-shell refactoring ===
Date: 2025-10-26

Got through a significant portion of the review work, still more than half left to do. Made adjustments as I went.

=== Set resolution of all virtual displays to 1920x1080 if dynamic resize helpers are not available ===
Date: 2025-10-26

If spice-vdagentd is not present and running under KVM, or if VBoxDRMClient is not present and running under VirtualBox, wl_resize_watcher will set the size of all displays on the system to 1920x1080 to avoid issues with the screens being too small.

=== Split set-system-keymap and set-console-keymap ===
Date: 2025-10-26

Created a new wrapper "set-console-keymap" for just setting the console keyboard layout separately from the labwc layout, and made "set-system-keymap" a wrapper around both set-console-keymap and set-labwc-keymap.

=== Fix policy-rc.d deletion issue in qubes-builder-debian ===
Date: 2025-10-26

qubes-builder-debian was not using update-alternatives when installing a policy-rc.d file to prevent service startup during package installation. As a result, our policy-rc.d shipped in user-sysmaint-split was being clobbered. Created a PR to Qubes to fix this, which was merged.

=== Document dnf workaround for libcurl dom0 updates over onion repos on Qubes ===
Date :2025-10-26

Documented the new workaround added to Qubes for allowing DNF to fetch dom0 updates from an onion repo via Whonix-Gateway, and why it was necessary.

== 2025-10-25 ==
=== Reduce Qubes-Whonix memory requirements ===
Date: 2025-10-25

Identified a number of areas where memory usage could be reduced, some that were Qubes-specific and some which weren't, and implemented many of them. (A rewrite of sdwdate_gui_server.py to use asyncio and pyinotify is still in progress.)

=== Add set-system-keymap button to sysmaint-panel ===
Date: 2025-10-25

There is now a button in sysmaint-panel that will launch the system-wide keyboard configuration application.

== 2025-10-24 ==
=== Port live-config-dist to the new set-system-keymap mechanism ===
Date: 2025-10-24

The default keyboard layouts set by Calamares are now set via set-system-keymap rather than a custom, Calamares-specific mechanism.

=== Downgrade hard failures to warnings in most places in wlr_resize_watcher ===
Date: 2025-10-24

Made it so that if an error occurs that will probably render wlr_resize_watcher useless but won't completely break it, it will remain running just in case it can be useful.

=== Test dom0 updates over Whonix-Gateway ===
Date: 2025-10-24

Verified that dom0 is able to use Whonix-Gateway as an update proxy successfully.

=== Actually remove incorrect volume widget from Whonix-Gateway sysmaint waybar ===
Date: 2025-10-24

The initial removal attempt didn't quite work because the pulseaudio widget was still being added, it just wasn't being configured specially in Whonix-Gateway anymore. Fully removed the widget from the panel.

== 2025-10-23 ==
=== File Debian systemd package bug report for enabling X11 keyboard layout changes via systemd-localed ===
Date: 2025-10-23

Filed a bug asking for the X11 keymap setting functionality disabled by systemd-localed-read-only.conf to be enabled somehow. Offered to work on fixing it if possible.

=== Stop installing unnecessary firmware in Qubes OS Kicksecure template ===
Date: 2025-10-23

We were installing GPU and audio card firmware in Kicksecure 18, which is unnecessary (only network and ''maybe'' USB firmware is needed there for use as sys-net and sys-usb). Split out network firmware into a separate metapackage for Kicksecure on Qubes OS to use.

=== Rename sdwdate.Connect(Check) to sdwdate-gui.Connect(Check) ===
Date: 2025-10-23

The old naming was annoying and the Qubes team was fine with me renaming this. Applied the name change to qubes-core-admin-addon-whonix and sdwdate-gui.

=== Review whether anything is left to do on fixing sdwdate-gui qrexec denied messages ===
Date: 2025-10-23

Didn't see anything left to do here, the bug appears to be fixed.

=== Remove incorrect volume widget from Whonix-Gateway sysmaint waybar ===
Date: 2025-10-23

Whonix-Gateway doesn't have an audio device, so the volume widget was useless and just appeared as a random yellow bar in the middle of Waybar. Removed it by splitting the Waybar configuration out of desktop-config-dist and putting it in kicksecure, anon-gw, and anon-ws base files packages, then removing the volume widget config from anon-gw-base-files.

=== Fix systemcheck error trap to return non-zero if a non-zero return code was trapped ===
Date: 2025-10-23

Sourcing systemcheck configuration that was invalid was properly resulting in systemcheck aborting, but was not resulting in systemcheck exiting with a non-zero exit code. Found and implemented a solution.

=== Add hypervisor helper checks to wlr_resize_watcher ===
Date: 2025-10-23

Made it so that wlr_resize_watcher will print an error message and exit if VBoxDRMClient (on VirtualBox) or spice-vdagentd (on KVM) is missing or not running.

=== Debug sdwdate permissions problems on upgraded sys-whonix AppVM ===
Date: 2025-10-23

When switching sys-whonix from a Whonix-Gateway 17 template to a Whonix-Gateway 18 one, the UID/GID on /var/lib/sdwdate was incorrect, since the UID/GID for <code>sdwdate:sdwdate</code> in the Whonix-Gateway 17 template were different than the UID/GID for the Whonix-Gateway 18 template. A tmpfiles.d configuration file should have been fixing this, but it was failing to do so because systemd-tmpfiles-setup.service was starting before qubes-bind-dirs.service. Added an ordering dependency to qubes-bind-dirs.service to fix this and submitted the change as a PR to Qubes.

=== Fix "ignoring exit-on-service-eof=true" warning in Whonix-Gateway 18 on Qubes ===
Date: 2025-10-23

There was a config file we were supposed to override when we fixed the updates proxy startup timing issue. Added an override for that file.

== 2025-10-22 ==
=== Fix up browser-choice Tor Browser plugin, install button availability ===
Date: 2025-10-22

The Tor Browser plugin for browser-choice now simply installs the Tor Browser package and then instructs the user on how to download Tor Browser separately. If a browser is already considered to be installed by browser-choice, the "install" option is grayed out.

=== Remove xscreensaver from release-upgraded systems ===
Date: 2025-10-22

Now that we've ported to Wayland, we don't support xscreensaver anymore, and Qubes doesn't need it even though it uses X still. It causes the screen to go black without warning under Wayland, removing it should prevent that going forward.

=== Remove hardcoded "sleep 10" from Tor startup, replace with IPv6 address listener ===
Date: 2025-10-22

Created a script that listens for the appearance of a hardcoded internal IPv6 address, and allows Tor to start once that address appears (or 10 seconds passes, whichever comes first).

=== Finish changing anon-connection-wizard, tor-control-panel to using privleap for privileged operations ===
Date: 2025-10-22

Code is untested but should work to make these tools functional on Whonix-Gateway with user-sysmaint-split installed.

=== Testing, further polish on keyboard layout code ===
Date: 2025-10-22

Ran through a detailed test plan for the keyboard layout code to ensure it functioned properly in a wide range of situations. Created some bugfixes and merged in a bugfix from Codex.

== 2025-10-21 ==
=== Mostly finish keyboard layout code ===
Date: 2025-10-21

Finished the interactive UI for the keyboard layout customizer, added support for changing the system-wide keyboard layout (including the console layout), and created a thorough test plan for the code (yet to be ran through).

== 2025-10-20 ==
=== Work on polishing keyboard layout change code ===
Date: 2025-10-20

Started creating an interactive UI for changing the keyboard layout under labwc. Also did research into how to configure the system-wide keyboard layout for both Wayland and the console.

=== Fix greetd login failure hang ===
Date: 2025-10-20

greetd would hang on a black screen if the user failed to authenticate properly the first time. Figured out why this was happening and fixed it.

=== Fix several post-upgrade desktop environment issues ===
Date: 2025-10-20

Fixed greetd failing to be enabled, fixed an autologinchange bug that was corrupting a greetd configuration file, and reviewed a change make to sysmaint-boot to ensure that Wayland was the default for the sysmaint session.

== 2025-10-19 ==
=== Research, create qubes-devel thread for avoiding AppVM and NetVM/DispVM mismatches ===
Date: 2025-10-19

Posted a mailing list thread with an idea about how to keep a Qubes ApPVM from being set to use a DispVM or NetVM that is unsafe for that specific VM.

=== Create screen brightness tool for Kicksecure 18 ===
Date: 2025-10-19

The tool uses privleap rather than pkexec as the privilege escalation framework. The security-sensitive components of the code are written in Bash and validate their input thoroughly, so this should be secure.

=== Finish dynamic display resize helper for labwc on VirtualBox and KVM ===
Date: 2025-10-19

Runs as a background process, detects changes in display size and reconfigures the compositor as appropriate when those changes are detected. Tested with both single and multiple screens in VirtualBox, and a single screen in KVM.

=== Reply to kernel lockdown mode Github issue, forum posts ===
Date: 2025-10-19

Replied to forum posts and a Github issue related to enabling kernel lockdown mode. Couldn't think of a scenario where kernel lockdown mode would be substantially useful, but left some notes.

== 2025-10-18 ==
=== Start development of dynamic resolution handler for labwc ===
Date: 2025-10-18

Finished doing the research needed to create a background process that will listen for display resolution change events and resize labwc displays accordingly. This will allow dynamic resolution resizing to work in both VirtualBox and KVM.

=== Investigate display brightness concerns for LXQt on Kicksecure 18 ===
Date: 2025-10-18

pkexec is not executable from a user session, which makes it hard for the LXQt backlight helper to be usable. After some discussion, we've decided to create our own backlight tool for this. Because privleap only streams stdio in one direction, this will need to have a dedicated helper created for it; to avoid needing SUID root and to prevent a persistent daemon from having to run in the background, we can probably use systemd socket activation or D-Bus activation here.

=== Fix repository-dist-wizard UI element overlap issue ===
Date: 2025-10-18

Changed repository-dist-wizard to use layouts rather than manual UI element positioning to avoid overlap issues (these previously resulted in inability to click some buttons).

=== Finish adding user-sysmaint-split to Whonix-Gateway ===
Date: 2025-10-18

Tested a freshly built pair of Whonix 18 KVM images, verified that user-sysmaint-split was present in Whonix-Gateway and functional.

== 2025-10-17 ==
=== Look into further work needed for Kicksecure 18 on Qubes OS, enable user-sysmaint-split on Whonix-Gateway ===
Date: 2025-10-17

Determined that we do not need to do anything about qubes-core-admin-addon-kicksecure's installation on Qubes OS R4.3, as Marek is already planning on ensuring it is installed by default. Changed our code to place user-sysmaint-split on Whonix-Gateway by default after some discussion of attack scenarios with Patrick (not all code changes pushed yet, still testing).

=== Further review on ben-grande's qubes-core-admin-addon-whonix refactor ===
Date: 2025-10-17

Continuing to discuss some implementation details. Once this is done, we should backport this to R4.2 to fix the anonymity bypass via DispVMs in standalones and templates bug.

=== Change passwordless-root to be ephemeral by default in Qubes AppVMs ===
Date: 2025-10-17

Patrick brought up the fact that the <code>passwordless-root</code> command is permanent even in Qubes OS AppVMs, so the unrestricted admin mode fix created previously didn't work as expected. Changed <code>passwordless-root</code> to be ephemeral by default on Qubes, and provide a command-line option for enabling persistence.

== 2025-10-16 ==
=== Review, attempt to send stardict removal request ===
Date: 2025-10-16

Attempted to send the Stardict email, however GMail refused to allow me to send it for some reason. Reviewed email content, removed anything that might look suspicious to GMail and decided to leave it alone for a bit so that any anti-spam measures would have time to calm down.

=== Debug miscellaneous Qubes-related Kicksecure and Whonix issues ===
Date: 2025-10-16

Verified that updates, release upgrades, and user-sysmaint-split work as expected. Determined what was wrong with Kicksecure sys-whonix communication and discussed possible fixes with Patrick.

== 2025-10-15 ==
=== Investigate, write draft email requesting the removal of Stardict from Debian's main repo ===
Date: 2025-10-15

Determined that Debian 12 was still vulnerable to a Stardict CVE that leaked arbitrary clipboard contents. Prepared an email detailing Stardict's history and requesting that the package be demoted to contrib, and shared it with Patrick. This has not yet been submitted to Debian upstream.

=== Investigate missing display resize events in VirtualBox ===
Date: 2025-10-15

Discovered that VirtualBox VMs were not reliably receiving signals when the display is resized, even with VirtualBox guest additions installed. Determined this was the result of a missing executable, <code>VBoxDRMClient</code>. Found a fix and emailed it to the Debian VirtualBox maintainers.

=== Miscellaneous review tasks ===
Date: 2025-10-15

Replied to several PRs and issues. Merged some code from raja-grewal.

=== Test, fix USBGuard in Qubes ===
Date: 2025-10-15

Discovered that USBGuard mostly worked in Qubes, but not entirely. Created fixes for the issues discovered.

== 2025-10-14 ==
=== Implement workaround for approx cache outdated repo metadata in derivative-maker ===
Date: 2025-10-14

Created and tested a fix for approx's occasional failure to download updated package metadata in our build system.

=== Find, fix core issue with Qubes environment fix patch ===
Date: 2025-10-14

The issue with the patch to qubes-gui-runuser was finally found; there was a race condition between systemd attempting to terminate qubes-gui-agent.service and qubes-gui-runuser starting the GUI session. Fixed the issue, the PR now works as expected.

== 2025-10-13 ==
=== Debug approx cache issues, comment on security-related kernel parameters issue on Github ===
Date: 2025-10-13

Debugged and reported a bug about approx's caching issues (it looks like there's possibly a timer not being obeyed). Also did some research on kernel command line maximum length and commented to raja-grewal on a Github issue about the use of <code>mitigations=auto,nosmt</code>.

=== Rework Qubes environment fix patch ===
Date: 2025-10-13

Discarded the original C code changes for importing the environment in qubes-gui-runuser, and attempted to do this in /etc/profile.d instead. Unfortunately this seems to have now caused a sys-gui issue that will need further investigation.

== 2025-10-12 ==
=== Research what is needed to get port from gpg to sequoia-pgp ===
Date: 2025-10-12

Wrote down some suggestions, created a file for tracking progress, and discussed next steps with Patrick.

=== Create Tor version check and update script ===
Date: 2025-10-12

Made a Python script that detects if the version of Tor available from torproject.org is newer than the version in the Kicksecure repositories, and downloads the update into the repository if so.

=== More debugging of Qubes VM shutdown issues with environment fix patch ===
Date: 2025-10-12

Found the root cause of the issue, but I'm still not sure why the code in question is causing the issue. Marek suggested some workarounds which I'll be testing soon.

=== Isolate log filtering code in systemcheck from normal users ===
Date: 2025-10-12

Split out most of the log processing into a new script that runs as user <code>systemcheck</code>. That script can be called by standard users via leaprun, and it in turn can read the system logs, but standard users cannot read system logs. This should prevent access to unhashed kernel pointers, at least through the system logs.

=== Fix sysmaint manual login and related greetd issues ===
Date: 2025-10-12

Patrick discovered that one could log into a full desktop session with the sysmaint user by restarting greetd. Determined why this was happening and fixed it. Also fixed greetd startup when sysmaint autologin is disabled.

=== Fix volume indicator in sysmaint session changing color on hover ===
Date: 2025-10-12

The default Waybar configuration on which our config was based had an unnecessary styling rule that made the volume indicator change color on hover. Removed the rule.

== 2025-10-11 ==
=== Rework keyboard layout handling in Calamares ===
Date: 2025-10-11

Adjusted our keyboard layout helper code so that the keyboard layout was properly set in /etc/default/keyboard and in the labwc compositor. The new code should now support locales that use multiple keyboard layouts by default, and should also work with keyboard layout variants.

=== Further discussion of stalled Qubes OS template shutdown issue ===
Date: 2025-10-11

Determined that the environment variables we needed were available over Varlink. Discussed with Marek whether a script-based solution or the use of Varlink would be worthwhile for fixing the issue.

== 2025-10-10 ==
=== Debug locked-up shutdown of Qubes OS VMs after adding the environment import patch ===
Date: 2025-10-10

Marek discovered that the systemd environment import patch to qubes-gui-runuser resulted in shutdown getting stalled for a minute and a half in some instances. Attempted to determine why, and discussed possible solutions.

=== Fix flickering in Qt apps on Qubes OS triggered by event buffering ===
Date: 2025-10-10

Added some code to qubes-gui-daemon to allow instant passthrough of a few X messages to fix the flicker issue.

=== Add back VirtualBox guest utilities to Kicksecure ISO ===
Date: 2025-10-10

Determined why the VirtualBox guest utilities weren't being installed on the Kicksecure ISO in the first place, fixed the issue that kept them from being installable, and added them. Verified they were present on a newly built ISO.

=== Add display settings button to sysmaint-panel ===
Date: 2025-10-10

You can now launch wdisplays by clicking the display settings button in sysmaint-panel.

== 2025-10-09 ==
=== Discuss solutions for Calamares keyboard layout set failure ===
Date: 2025-10-09

Calamares' keyboard layout settings currently do not work under Wayland due to Debian disabling the mechanism Calamres uses to make keyboard layout changes. Described the issue to Patrick and mentioned possible solutions.

=== Ensure Calamares language setup worked as expected ===
Date: 2025-10-09

Both GUI and CLI modes of user and sysmaint sessions obeyed Calamares' language settings.

=== Investigate debian.sources only being readable by root ===
Date: 2025-10-09

Could not reproduce issue.

=== Create setxkbmap alternative for labwc ===
Date: 2025-10-09

Created set-labwc-keymap, for setting the keyboard layout with labwc. Can make both temporary and persistent changes. Supports keymap options and variants.

=== Research making left click bring up sdwdate-gui menu ===
Date: 2025-10-09

Determined that this was not possible at the moment and recorded why in the corresponding task. Changed a UI string so that users know to right-click on the icon.

=== Add LXQt config and on-screen keyboard to sysmaint-panel ===
Date: 2025-10-09

Added buttons to sysmaint-panel for toggling the on-screen keyboard and launching lxqt-config.

== 2025-10-08 ==
=== Fix Qubes Update failure on Whonix templates ===
Date: 2025-10-08

The ten-second wait added to the Tor startup process was causing the updater to regularly fail on Whonix templates. Changed qubes.UpdatesProxy in Whonix from a symlink to a script that would wait to allow updates to begin until Tor was up-and-running in sys-whonix.

=== Add an on-screen keyboard to Kicksecure and Whonix ===
Date: 2025-10-08

After much research, decided to choose wvkbd as the keyboard to ship. Created a script and desktop files for starting and stopping it.

=== Fix bindp compilation warning caused by incorrect postinst compilation method ===
Date: 2025-10-08

We were embedding a gcc command into the postinst script rather than using the compilation procedure in bindp's Makefile. Fixed this.

=== Finish preparing qubes-gui-runuser.c env var code for review ===
Date: 2025-10-08

Did more testing, fixed remaining TODOs. Pushed the latest version of the env var code and marked it as ready for review.

== 2025-10-07 ==
=== Polish qubes-gui-runuser.c env var code, research slab_debug security concerns ===
Date: 2025-10-07

Fixed several bugs in the draft implementation of the environment variable import code from yesterday, and got the new implementation to work in a Debian 13 Xfce template. Also did substantial research into security concerns around the <code>slab_debug</code> kernel parameter, and how to mitigate them best. Requested that the Debian kernel team backport a new pointer hashing boot parameter from kernel 6.17 into the Trixie stable kernel.

== 2025-10-06 ==
=== Create draft implementation for importing env vars from systemd in qubes-gui-runuser.c ===
Date: 2025-10-06

The preliminary fix for the environment variable bug in Qubes was insufficient because it meant now environment variables from systemd were being clobbered with those from /etc/profile.d. The intended behavior was that environment variables from systemd should be imported, then augmented by /etc/profile.d. Marek suggested implementing code to do this in qubes-gui-runuser.c, using D-Bus to communicate with systemd to get the environment variables and export them into the session. I created an initial rough draft of this implementation and posted it for initial review.

=== Attempt to debug kloak-related systemd unit ordering cycle ===
Date: 2025-10-06

Installed an older version of kloak into a Debian 13 GNOME VM. Could not reproduce issue, waiting on more info.

=== Remove sanitizers from compiled code ===
Date: 2025-10-06

We were enabling sanitizers such as AddressSanitizer and UndefinedBehaviorSanitizer as a hardening measure, but it turns out this actually made programs less secure and that these sanitizers are not intended for production code. Disabled C sanitizers on all of our C code.

== 2025-10-05 ==
=== Investigate Qubes input event buffering flicker bug with Qt ===
Date: 2025-10-05

Previously I discovered that Qt apps had some odd flickering behavior with some menus when input event buffering was enabled. Attempted to find the root cause, the cause hasn't been identified for certain but a possible problem has been identified. Discussed it with Marek briefly.

=== Test socat's suitability for use as a DNS proxy in sys-net ===
Date: 2025-10-05

Got socat working so that IPv6 DNS on an IPv6 network worked. Discussed the suitability of this solution with Marek.

=== Debug, create preliminary fix for Qubes-Whonix file manager launch bug ===
Date: 2025-10-05

Marek discovered that the default file manager in Whonix 18 was Catfish, when it should be PCManFM-Qt. After much study it was discovered this was the result of an outdated xdg override combined with an environment variable loading issue in Qubes OS itself. Filed a bug report for the environment variable load issue, discussed possible ways of fixing it with Marek, and submitted a PR. A different approach than the one provided in the PR will need to be used in the long run.

== 2025-10-04 ==
=== Test Qubes OS IPv6 DNS PRs ===
Date: 2025-10-04

Closely read through, polished, and tested the IPv6 DNS PRs from 3nprob. Unfortunately the approach being used by them is insufficient on its own due to some routers exposing a DNS server on a link-local IPv6 address, which cannot be properly targetted by a DNAT rule. Some sort of manual forwarding using a tool such as socat will likely be required.

= Footnotes =
<references />
{{Footer}}