{{Header}}
{{title|title=
ToDo for Developers
}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
= TODO DEV =
== review and test IPv6 support pull requests ==
* https://forums.whonix.org/t/add-ipv6-support/19893
* https://www.whonix.org/wiki/Dev/ipv6
* please review for Non-Qubes-Whonix, Qubes-Whonix
* goal: merge as much as doable/possible without breaking networking
* enabling IPv6 support in Qubes-Whonix might only be possible during release upgrade to trixie based and orchestration with Qubes
* Waiting for planned fixes to land in PRs.
* Update 1:
** Please recheck.
** Notes:
*** square brackets aren't supported in systemd: https://github.com/systemd/systemd/issues/35621
*** quote "The only issue is that VirtualBox only supports IPv6 if we switch to bridged interface, which exposes whonix gateway to the network. libvirt requires adding custom NAT rules for IPv6, which are only automatically managed for IPv4. If we want to add this, we'd need to add a static IP configuration and give the user instructions on how to add NAT rules on the host. So for now only Qubes will have direct support for IPv6 for outgoing transactions, without further instructions a user needs to do on the host."
* Can't get it working in VBox (even with bridged networking), libvirt (even with a custom network interface), or Qubes (apparent bug in Qubes R4.3 prevents me from making a new network-providing qube). See https://forum.qubes-os.org/t/qubes-4-3-cannot-create-a-new-appvm-that-provides-network-to-other-qubes/30906/2.
* Update 2:
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385107
** https://github.com/Whonix/whonix-gw-network-conf/pull/1#discussion_r1903385335
** please direct questions, issues to Daniel (such as by adding these to https://www.whonix.org/wiki/Dev/ipv6 or commenting on a pull request)
== user-sysmaint-split - lock screen command broken ==
* to debug, a terminal was started and then sysmaint-panel was started from the terminal emulator
/usr/bin/zsh
[sysmaint ~]% sysmaint-panel
requestActivate() called for QWidgetWindow(0x120a4600, name="BackgroundScreenWindow") which has Qt::WindowDoesNotAcceptFocus set.
xscreensaver-command: no screensaver is running on display :0
== user-sysmaint-split - add terminal background tinting ==
* tint terminals in sysmaint mode slightly red to encourage users to be careful while in sysmaint mode
== user-sysmaint-split - documentation improvements - #2 ==
* document Qubes boot modes on [[Dev/user-sysmaint-split]]
* document difference for user-sysmaint-split installation on Qubes R4.2 versus Qubes R4.3
== lightweight update notifications - #2 ==
* consider custom languages. Needs LC_ALL=C?
* notify leaprun failures
* consider if update_package_count is not a number?
* grep APT output for errors and notify?
if printf '%s' "$update_output" | grep --quiet --ignore-case -- "Error:" ; then
* systemcheck function check_dpkg or equivalent useful? If apt/dpkg is broken due to broken packages, that does not really break apt update?
* use systemcheck function check_package_manager_running or equivalent?
** if running for a "reasonable time", wait
** if running "forever", notify that update check is broken
* consider systems running for 12 or 18 hours etc:
** Do notifications pile up more and more? Avoidable?
** Can we clear prior notifications?
** Can stale notifications be avoided? Can we clear "update check broken" notification once "updates available" notification came in? Can we clear "updates available" once user updated?
* Other error cases to notify?
* In case of errors, suggest to visit [[Operating System Software and Updates]]?
* document on [[Dev/Automatic Updates]]
* document on [[Operating System Software and Updates]]
** non-Qubes vs Qubes
** document disabling
* notify https://forums.kicksecure.com/t/notifications-about-new-updates/774
== live mode detection improvements ==
* https://github.com/Kicksecure/helper-scripts/blob/master/usr/libexec/helper-scripts/live-mode.sh
* Currently only based on grepping kernel command line.
* However, a different or the wrong initramfs generator might be in use. Or some other unexpected use case.
* Ideas on how to make live mode detection more reliable?
== mouse fingerprinting ==
* todo
* https://forums.whonix.org/t/better-mouse-obfuscation/21445
* notify https://github.com/QubesOS/qubes-gui-daemon/pull/149#issuecomment-2477848847 if fixed
* update [[Keystroke_and_Mouse_Deanonymization|Keystroke and Mouse Deanonymization]]
== investigate Debian Rolling ==
* investigate why Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk Very incomplete, nowhere near usable. Will keep developing this.
== ISO - btrfs versus grub-live bug - real fix ==
* todo
* report bug upstream
* systemd bug report: https://github.com/systemd/systemd/issues/35540
* fix in dracut
** Cannot be fixed in dracut, dracut doesn't handle mounting /home. Instead opting to fix in grub-live.
** Might use kernel parameters using systemd features that may be available in trixie?
* since no response from systemd, needs to be fixed without systemd upstream support
* in case a reliable, solid implementation is not easy or not possible, this should either not be implemented or needs runtime sanity tests
== permission-hardener - live bug ==
* got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_
NAME: 'postinst' $\*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map
config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener
enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling functio
n name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkp
wd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name:
'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'c
ommit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'co
mmit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_pol
icy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_polic
y'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
* random guess: Could there be issues with non-latin language settings?
* Why is it /usr/lib/live/mount/rootfs/filesystem?
* Could it be that the user booted into live mode?
* Maybe a case of low RAM where no further writes to RAM were possible?
* Booting into live mode and using APT should be supported as much as feasible.
* In case of insufficient information, could you please add debug code to provide more information in the future?
* Unsure if further information can be requested form the reporter, but I could try.
* Useful to add:
test -w "${file_name_from_stat}"
* permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
* Aaron: Cannot reproduce on ISO or in LIVE mode USER.
** The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
*** All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
*** We already offer a live Kicksecure ISO.
*** None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
*** And of course, permission-hardener doesn't expect anything under /usr to be read-only.
** Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
* Patrick: Done. Documented.
* Could you please add better error handling in this case?
== audio ==
=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share
=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between Pulseaudio and Pipewire on a booted VM, discovered I could "initialize" the speakers with Pulseaudio and then Pipewire would work thereafter
* Virtually certain this is an upstream bug, was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under Virtualbox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. Pulseaudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.
== live-build - test lb config --dm-verity ==
* Does the ISO still function if build with lb config --dm-verity?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup
== package refactoring - kicksecure-meta-packages vs qubes-whonix - #2 ==
* TODO: Reduce packages in https://github.com/Whonix/qubes-whonix/blob/master/debian/control thanks to the improved Qubes support by kicksecure-meta-packages, if applicable.
** https://github.com/ArrayBolt3/qubes-whonix/tree/arraybolt3/kicksecure-qubes-merge
** https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/kicksecure-qubes-merge
* Patrick: merged, tested and reverted
* Gateway:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli
kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl
libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl
libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl
libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl
libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn
python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography
python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink
python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib
python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy
python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack
python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
* Workstation:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0
libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings
== Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server ==
* https://github.com/Kicksecure/security-misc/issues/187
* This is in preparation for the next task.
* Discussion on how best to do this posted at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674
== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10
== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415
== Secure Mount Options for better Security Hardening ==
* review discussions, wiki
* comment
* improve the solutions research
* https://www.kicksecure.com/wiki/Dev/remount-secure
* https://www.kicksecure.com/wiki/Noexec
* https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
* vm-config-dist chmod 777 on /mnt/shared conflicts with noexec
== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
* if doable with reasonable effort
== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script to use git bisect to auto test which commit introduced this issue maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
== VirtualBox serial console ==
* {{CodeSelect|inline=true|code=
sudo apt install serial-console-enable
}}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
* would installation by default be sane or a security issue?
== KVM related ==
=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - verify AppArmor sVirt confinement operation ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/593
=== KVM - use rootless ===
* https://forums.whonix.org/t/rootless-virtual-machines-with-kvm-and-qemu/20952
* port documentation (and XML files, if needed) to qemu:///session, if sane
* search Kicksecure; and Whonix wiki - using [[Special:ReplaceText]]
* re-check if sVirt is still functional
=== KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/594
* update documentation
** https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:_Use_more_than_One_Whonix-Workstation_-_Easy
** https://www.whonix.org/wiki/KVM#Creating_Multiple_Internal_Networks
** https://www.whonix.org/wiki/Multiple_Whonix-Gateway#KVM
== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at instalation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way. Whonix VMs still need these.
== stackable wrappers ==
* in preparation for the next two tasks
* https://forums.whonix.org/t/stackable-wrappers/7944
* https://github.com/Kicksecure/proposals/blob/master/634-stackable-wrappers.txt
* https://forums.whonix.org/t/write-draft-for-stackable-wrappers-on-debian-devel/18776
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693
* review, comment, pull request where applicable
* draft and/or open a discussion on debian-devel
== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task
== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss
== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?
== improved server support ==
* documentation
** rebrand wiki CLI for server
* Linux account passwords?
* cloudinit?
* vm-config-dist versus autologin CLI vs GUI vs server
= WAITING ON =
== enable X event buffering by default for Whonix ==
* https://github.com/QubesOS/qubes-issues/issues/9771
* PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/20
** Patrick: please enable kloak-alike in Qubes by default for existing users that upgrade
** or other, better solution acceptable by Qubes
*** Aaron: Fixed, now works for existing VMs as well.
== grml-debootstrap - EFI partition size ==
* https://github.com/grml/grml-debootstrap/issues/221
* zeha currently does not want to implement this until systemd-boot "happens" (I'm guessing this means until it is supported by grml-debootstrap).
== calamares - enable GRUB force_efi_extra_removable ==
* todo
* if applicable
* PR: https://github.com/calamares/calamares/pull/2446
* Pending discussion.
== GRUB - Debian packages grub-pc and grub-efi co-install-ability ==
* please submit a patch to Debian to make grub-pc and grub-efi co-installable
* [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
* Submitted and awaiting review: [https://salsa.debian.org/grub-team/grub/-/merge_requests/76#note_590495 Remove ucf conffile conflict between grub-pc and grub-efi-{amd64,ia32}]
* Unfortunately this is not going to be able to make it into Trixie, it will have to wait for Forky before it makes it into Debian Stable.
== user-sysmaint-split - Qubes - Selective sudo Access ==
* implement [https://github.com/QubesOS/qubes-issues/issues/9512 Selective `sudo` Access Enabling in VMs Without `qubes-core-agent-passwordless-root` via `qvm-service`]
* Likely going to end up implementing [https://github.com/QubesOS/qubes-issues/issues/2695 Automate vm sudo authorization setup]
** Need Qubes OS R4.3 for this, not able to install it on primary dev rig yet, awaiting arrival of an (already ordered) external drive enclosure.
*** Patrick: R4.2 should be sufficient?
**** Aaron: New major features cannot be introduced into R4.2. Needs to be developed for R4.3.
** Relveant Qubes OS tickets:
*** https://github.com/QubesOS/qubes-issues/issues/5840
*** https://github.com/QubesOS/qubes-issues/issues/5852
*** https://github.com/QubesOS/qubes-issues/issues/5853
*** https://github.com/QubesOS/qubes-issues/issues/2695
*** https://github.com/QubesOS/qubes-issues/issues/9512
* Waiting for feedback from HW42.
== review safe-print ==
* https://github.com/Kicksecure/helper-scripts/pull/14
== trixie port - misc ==
* waiting for trixie to get frozen and stable enough
* 1) SSH configurations
** move configuration snippets from [[SSH]] wiki page to security-misc [not completed at time of writing in end of 2024 but should be early next year]
** https://github.com/Kicksecure/legacy-dist/blob/master/usr/sbin/release-upgrade
*** add ominous message to release-upgrade script if SSH client or server is installed
*** point out in distribution morphing instructions
* 2) repository codename split project names
** update repository origin value as per https://www.kicksecure.com/wiki/Dev/APT#changed_its_'Origin'_value_from_'whonix'_to_'kicksecure'
** (revert the revert of https://github.com/Kicksecure/derivative-maker/commit/25f5c7e11afd23f58f40286be1fd9097c31a705e)
* 3) move from usability-misc and security-misc to to helper-scripts
** upgrade-nonroot
** other APT related scripts
* 4) convert user-sysmaint-split and sysmaint-panel from "loose packages" to dependencies of the respective meta packages
** add ominous message to release-upgrade script
* 5) Check if /etc/grub.d/10_linux was updated in Debian. If so, update our fork in dist-base-files.
* 6) https://www.whonix.org/wiki/Dev/Redistribution#Major_Upgrade
== trixie port - port to Wayland ==
* https://github.com/Kicksecure/kicksecure-meta-packages/pull/2
== trixie port - meta packages ==
* implement [[Dev/Metapackages]] when porting to trixie
== calamares - make 3.3.12 available in Bookworm ==
* necessary to fix bugs related to the disk encryption user interface
* Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
** Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
** 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after than I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
** 3.3.12 was uploaded but was slightly wonky, wasn't migrating, maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem, should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
* Backport 3.3.12 after it is available in Trixie
** Backport submitted to Debian Mentors, review requested from maintainer.
== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
* Sent email to grub-devel mailing list to investigate this
== ISO - memtest86+ ==
error: bad shim signature
* Fixable?
* Apparently requires a security review: [https://github.com/rhboot/shim-review/issues/314 Meta: Signing memtest86+ v6.10]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375 memtest86+: fails to work with Secure Boot enabled]
* Asked about what contributions would allow this to move forward on the debian-efi mailing list: [https://lists.debian.org/debian-efi/2024/12/msg00021.html Memtest86+ Secure Boot signing]
== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930
== ISO - changed files issues ==
(annoted)
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receiptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.
== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.
== lightdm ssdm ==
* bug report: https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/11
* cause of bug could be in rads or security-misc
* Unable to reproduce bug, request for more information at https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/13
* More information received, need to retry this one more time
* Tested, finally managed to partially reproduce. Issue appears to be in SDDM.
* Debugging complete, bug report with fix filed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089004
== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370
== live-build - use APT with error-on-any ==
* use option apt --error-on=any for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
* Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
* Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.
== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as as Debian Live ISO)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.
= REVIEW PLEASE =
= ARCHIVED =
== user-sysmaint-split - sysmaint-panel - check system status button - add delay ==
* systemcheck takes 2-3 seconds until user gets feedback. i pressed the button twice and then had a duplicate systemcheck.
* please disable the button for 2-5 seconds after it has been clicked.
* visible disable the button if the effort for that is reasonable
* perhaps a counter that counts down 5, 4, 3, 2, 1?
* perhaps generally should be the case for all buttons
* Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/7e39a7df817045ba3c4bc6f7a1f64e82bba71d92
** This is implemented for most buttons, except for Open Terminal, Reboot, Shut Down, and Install Software. The user experience when using those doesn't warrant a timeout lock and adding a timeout lock there would probably annoy the user.
** Visible timeout counter is present, implemented by adding a (5) at the end of each button label for the duration of the lock (where "5" will be replaced with the remaining seconds until the lock times out).
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - install updates button confusing ==
* since it only runs apt dist-upgrade, users might miss out on upgrades because users might not know it's apt update followed by apt dist-upgrade
* Mostly resolved in https://github.com/ArrayBolt3/sysmaint-panel/commit/7ae6a0dcee5e15794dfdb78e9f804d0bf9394095, additional questions and details shared in chat
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - output formatting issue ==
* shows:
/usr/bin/sudo
/usr/bin/apt
update
* that is confusing even for users that know that command. better: /usr/bin/sudo /usr/bin/apt update
** Fixed: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/terminal-helper-output
* Patrick: Merged.
== user-sysmaint-split - sysmaint-panel - wrong error message if logging in as wrong user ==
* login with account "user" after booting into sysmaint mode
* ignore warnings by pam-info during login screen that already advice against logging in with account "user" (because the user might miss them in the future due to PAM bugs, pam-info bugs, other login managers)
* actual: sysmaint-panel shows error "boot into sysmaint"
* expected: sysmaint-panel shows error "please login as account "sysmaint"
* Fixed by implementing a new dialog: https://github.com/ArrayBolt3/sysmaint-panel/commit/b782aa512689242d2a8066a1d7a36bc0ce40fc9b
* Patrick: Merged.
== user-admin-split - documentation improvements ==
* Qubes R4.2 vs R4.3
* Qubes uninstallation instructions (passwordless-root)
* Qubes boot modes
* user documentation
* developer documentation
* anything else missing
** Aaron: Don't see much missing, added requested points.
== autologinchange versus empty password ==
* issue:
** pwchange at time of writing does not notify if autologin is enabled
** autologinchange at time of writing does not notify if an empty password is being set
* the user might intend to secure their by using autologinchange and then be surprised that login without a password is still possible
* how could setting a password and autologinchange be more connected from a usability point of view?
* should one tool at the end of its execution recommend the other, if that seems applicable?
** applicable?
*** when disabling autologin, suggest to user to set a password, if password is currently empty.
*** when setting a password, suggest to user to disable autologin, if autologin is currently enabled.
** use colorful background to notify user of this potential discrepancy?
* or suggest or autorun systemcheck login security check only after such changes to make it obvious?
* Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/pwchange-autologinchange-link
** Went with the strategy of having each tool warn if things are insecure when the user is doing hardening (i.e. warn about autologin when adding a password, or warn about empty password when disabling autologin)
** Patrick: Merged.
== lightweight update notifications ==
* Qubes vs non-Qubes:
** should not conflict with Qubes internal updater (multiple APT background processes blocking each other) - do this only inside Non-Qubes?
** on the other hand, systemcheck contains many tests that are useful inside Qubes as well
** Qubes developers do not wish the user to see a lot duplicate passive popups, active progress bars and active popups
*** Aaron: Qubes already shows upgrade notifications for VMs, so I would say this feature should not be added to Kicksecure or Whonix under Qubes OS. It's redundant and potentially conflicting.
* non-Qubes: GUI vs CLI?
** GUI: Implement this for the GUI version only?
** CLI: msgcollector supports writing to tty1 even for daemons (systemcheck) started in the background but this is probably confusing and disruptive. (Was default in the past.)
*** Aaron: Agreed, should be a GUI-only feature. CLI users can just run apt commands manually easily enough.
* as a stopgap until one day [[Dev/Automatic_Updates|Dev/Automatic Updates]] gets implemented
* re-use systemcheck for this? Could consider to re-enable autostart of systemcheck by default as it contains already lots of tests. "systemcheck --gui" currently shows:
INFO: Kicksecure APT Repository: Enabled. When the Kicksecure team releases BOOKWORM-DEVELOPERS updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.kicksecure.com/wiki/Trust to understand the risk. If you want to change this, use:
dom0 -> Start Menu -> Template: kicksecure-bookworm -> Derivative Repository
WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated.
Please update your 'kicksecure-bookworm' TemplateVM.
1. Open a TemplateVM terminal. (dom0 -> Start Menu -> Template: kicksecure-bookworm -> Terminal)
2. Update.
upgrade-nonroot
3. Shutdown your TemplateVM. (dom0 -> Qubes VM Manager -> right click 'kicksecure-bookworm' -> Shutdown VM)
4. Shutdown and restart this TemplateBased AppVM. (dom0 -> Qubes VM Manager -> right click 'work-main' -> Shutdown VM)
* The first "INFO: Kicksecure APT Repository" might be too noisy and could easily be disabled in GUI output by default.
* git history contains /usr/libexec/systemcheckdaemon
** Aaron: systemcheck shows a lot of info about multiple components, much of which a user may skip over or be tempted to skip over. I would prefer implementing this in such a way that a typical desktop notification (such as what notify-send can produce) is shown to the user when there are updates.
** Patrick:
*** It's possible to run select functions only, for example: systemcheck --verbose --function check_operating_system.
*** Other functions might be useful as well such as check_package_manager_running and check_dpkg.
* Aaron: Implemented initial version of update notifications using a user-side daemon.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/updatecheck
*** Patrick: Merged.
** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/notifyd
*** Not absolutely necessary, but makes notifications for the whole system much more pleasant to use, and provides a notification applet that can be added to the panel if desired.
*** Patrick: Merged.
== user-sysmaint-split - add screen lock button ==
* for locking screen while walking away from the system in sysmaint mode
* implement low-level lock command in helper-scripts, call the wrapper from sysmaint-panel, to be compatible with multiple screen lockers going forward
* Implemented:
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/commit/6913d1451467ebc961236ca4e4c0cd4adcd00a8c
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/fix-qubes-systemd
*** Patrick: Merged.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/screenlock
*** Patrick: Merged.
== GRUB - boot related enhancements ==
* Are there any other boot related enhancements outstanding? If so, please create tickets for these.
== grml-debootstrap - downstream handling grub-cloud versus /etc/default/grub ==
* After/if https://github.com/grml/grml-debootstrap/pull/299 gets merged...
* config-package-dev displace /etc/default/grub? Avoid "fighting" for configuration file ownership by moving the file out of the way.
* Generate a configuration file using do_once. Probably not owned by any package.
* Ship a default /etc/default/grub configuration file:
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /etc/default/grub.d/50_user.cfg
##
## User documentation:
## https://www.kicksecure.com/wiki/grub
* minor comment on link: https://www.kicksecure.com/wiki/grub (lower case) vs https://www.kicksecure.com/wiki/Grub (normal case) is OK. Preferring lower case for simplicity thanks to MediaWiki extension SaneCase.
* Implemented for the most part in (broken link), though the comment at the top was not added yet because no other method of image generation we do adds that link and we cannot safely divert and replace this file. Details explained in chat.
* Patrick: Pending discussion.
* Aaron: Tried implementing again after discussion, attempt 2: https://github.com/ArrayBolt3/derivative-maker/commit/6b4e1a38345b69ae9c7e2b3212d7d0488cbd8b60
* Patrick: Merged.
* Patrick: Re-opened.
** mount image in step build-steps.d/3200_create-raw-image was broken. (file name base_image vs full image filename)
*** Re-factored and moved to 3500_install-packages
** grub-cloud sets: GRUB_TERMINAL_OUTPUT="gfxterm serial"
** bug: we used to unset: GRUB_TERMINAL=""
** Fixed.
** developer documentation: [[Dev/boot#.2Fetc.2Fdefault.2Fgrub.d.2F20_dist-base-files.cfg|/etc/default/grub.d/20_dist-base-files.cfg]]
** Please review.
*** Aaron: Reviewed implementation and documentation, looks good to me.
reopen:
* Aaron:
** Tangentially related, discovered a bug in my previous dist-base-files patch for enabling grub-cloud compatibility, resulting in the GRUB menu not being displayed on bootup. This is not caused by the grml-debootstrap PR, it was caused by me mistyping a variable name
** Fix: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/fix-grub
Patrick:
* PR seems not needed. See chat.
** Aaron: Replied in chat, PR seems needed to me, some confusion may be happening with different versions of grub-cloud.
*** Patrick: Merged.
== GRUB - lightweight document ISO GRUB ==
* https://github.com/derivative-maker/derivative-maker/tree/master/live-build-data/grub-config
* Dev/boot in similar style
* Added.
== user-sysmaint-split - qubes - features-request bug ==
* Whonix-Gateway Template and Kicksecure error message during upgrade from developers repository
Setting up dist-base-files (3:12.8-1) ...
Processing triggers for qubes-core-agent (4.2.41-1+deb12u1) ...
Traceback (most recent call last):
File "/usr/bin/qvm-features-request", line 111, in
sys.exit(main())
^^^^^^
File "/usr/bin/qvm-features-request", line 102, in main
subprocess.check_call(
File "/usr/lib/python3.11/subprocess.py", line 413, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['qrexec-client-vm', 'dom0', 'qubes.FeaturesRequest']' returned non-zero exit status 1.
Processing triggers for security-misc (3:44.4-1) ...
* Aaron: Cannot reproduce on Qubes R4.3.
** Discussed with Patrick, likely root cause determined. Fixes:
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/qubes-sysmaint-fix
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/qubes-sysmaint-fix
*** Patrick: Merged.
== user-sysmaint-split - qubes - qrexec refactoring ==
new file: usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateDownload
new file: usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateSearch
new file: usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Filecopy
new file: usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Gpg
* a global configuration would be better to avoid getting desync as Qubes appends files or changes file names
* please open a ticket upstream to discuss
** Found an alternative solution that doesn't require upstream changes: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/better-qrexec-overrides
*** Patrick: Merged.
** Also includes fixes for other issues discovered during testing
== user-sysmaint-split - qubes - autologin message during upgrade ==
Setting up user-sysmaint-split (3:4.0-1) ...
GUI autologin is not applicable to Qubes OS.
* This message is confusing during upgrade.
* Prepend "INFO".
* Only showing during manual run please.
* Implemented:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologinchange-output
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/89cdc200c8e5fafe6393d3102db1939d9aad37e9
*** Patrick: Merged.
== user-sysmaint-split - systemcheck - autologin check message and documentation ==
* systemcheck recommends the sysmaint wiki page - not applicable for users that upgraded and that are not (yet or not anymore) using user-sysmaint-split
** Aaron: Adjusted systemcheck to point to the Login wiki page instead as suggested below. https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/login-security
*** Patrick: Merged.
** which wiki page is more suitable? [[login]]?
*** should [[Desktop#Disable_Autologin|disable autologin]] be moved to [[login]]?
** password change instructions are currently on [[Post_Install_Advice|Post-installation Security Advice]]
** Aaron: Moved instructions from both locations to the Login page.
* also related: [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]]
* please modify the wiki for better usability of this part. A wiki page is needed which explains at a glance, links users to more detailed sections.
** Aaron: Modified the Login, Post Install Advice, and Desktop wiki pages to move all login security related documentation into the Login page. Also added additional information about login security in general to the top of the login wiki page to provide good "at a glance" instructions. Also wrote a wiki page for the System Maintenance Panel itself so it could be referenced by other pages.
* systemcheck recommends sysmaint-panel - while not yet installed by default. Simplest solution would be to install it by default as it won't create issues for users not using user-sysmaint-split?
** Aaron: Sounds like a good idea to me. Implemented at https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/sysmaint-panel.
*** Patrick: Merged.
* systemcheck should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? or skip login security check inside VMs?
** Aaron: I think this might be overcrowding the systemcheck output a bit. We currently don't express an opinion on whether the autologin or password protection status for each account is a problem in systemcheck itself, we only hint at it via colors. To me, this feels like the right approach since only the end user will know for sure what is secure for them. I think the login security check is still valuable in VMs though, as some users might have a legitimate reason to password-protect a VM (for instance, in a kiosk-like setup perhaps).
* documentation should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? A lot users getting bothered with passwords and login prompts inside VMs if it does not benefit their threat model would be a usability degradation.
** Aaron: Agreed, this seems like a good place to put this kind of documentation. Added to the Login wiki page.
== older ==
[[Dev/todo/archived]]
= backlog - one day =
== apt-get - implement --restrict-install-recommends proof of concept ==
* todo
== Debian Installer Verification ==
* after live-build review queue made progress maybe
== Qubes doas ticket ==
* feature request doas support for Qubes
* ask if Qubes would accept doas configuration snippets
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* Ticket filed as an enhancement request: https://github.com/QubesOS/qubes-issues/issues/9599
* Backlogged, we're going sudoless rather than porting to doas for now.
== Qubes umask ticket ==
* /etc/sudoers.d/umask
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* This was only needed if migrating to doas. Superceded by sudoless mode, moved to backlog
== investigate porting from sudo to doas ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482
* can our /etc/sudoers.d snippets be ported to doas? is doas powerful enough for our requirements based on our already existing /etc/sudoers.d snippets?
* could we have a system that no longer requires sudo or would we end up with a system that comes with both, sudo and doas? ("double" attack surface)
* use ReplaceText as a wiki search engine to find our current uses of sudo because these would need to be ported to doas
** https://www.kicksecure.com/wiki/Special:ReplaceText
** https://www.whonix.org/wiki/Special:ReplaceText
** search terms:
** sudo
** lxsudo
* Ensure sudoers.d config files used in Kicksecure and Whonix on Qubes OS can be ported to doas
* Did an audit of all uses of sudo in kickseure and whonix codebases, and how difficult they should be to port to doas. Results: https://gist.github.com/ArrayBolt3/6699ec4c631fec28e1f4c0a2e657fcd7
* Superceded by sudoless mode, moved to backlog
== doas - send pull requests to Qubes ==
* [[Dev/todo#Qubes_doas_ticket|Qubes doas ticket]] might be unlikely to get rejected. But replies could take a while.
* Please send a pull requests. Since it is only 2 packages, 3 files the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask
qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
* Superceded by sudoless mode, moved to backlog
== create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator ==
* parse /usr/local/etc/doas.d
* parse /etc/doas.d
* parse only configuration files ending with .conf
* do not overwrite a file that does not contain our auto generated configuration file (could be user custom file)
** echo a warning in that case
* atomic, create variable then use sponge
* add to security-misc
* add a dpkg trigger
* /etc/doas.conf would require a header pointing out it is auto-generated.
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
* Superceded by sudoless mode, moved to backlog
== doas - add to security-misc permission hardener whitelist ==
* todo
* Superceded by sudoless mode, moved to backlog
== doas - create /etc/doas.d configuration snippets ==
* add /etc/doas.d configuration snippets to the various packages needing these
* if possible, pending discussion in https://forums.whonix.org/t/replace-sudo-with-doas/17482/19 for review of sudoers.d snippets by upstream
* Superceded by sudoless mode, moved to backlog
== bootloader password ==
* https://forums.kicksecure.com/t/harden-grub-bootloader-using-bootloader-password/723
== vm-config-dist re-installs same version ==
* Why a freshly built ova image attempts to upgrade vm-config-dist, even though it is already the latest version?
* https://download.kicksecure.com/ova/17.2.7.8/
* please investigate
[user ~]% dpkg -l | grep vm-config
ii vm-config-dist 3:10.5-1 all usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130 upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
/etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
/etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
/etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
/etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
/etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist
[user ~]%
* SHA256 is OK and matches my locally built package.
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
* The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...
# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
* I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it, I can do redo the build and check it if desired.
== str_replace utf-8 bug ==
str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
File "/usr/bin/str_replace", line 49, in
main()
File "/usr/bin/str_replace", line 26, in main
file_data = source_fh.read()
^^^^^^^^^^^^^^^^
File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
* Low-priority, could be difficult to fix.
== Qubes graphical-session.target missing bug ==
* Which source code file does enable systemd graphical-session.target target on Debian?
* https://github.com/QubesOS/qubes-issues/issues/9576
* Patrick: msgcollector now starts the systemd unit from /etc/xdg/autostart, that is good enough.
== add date and time detection to archive.today frontend ==
* This is necessary for the next task.
* If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
* (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
* We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.
== mediawiki bot setup ==
* no wiki mass editing required for now
* will be required for mediawiki mass editing
* https://www.kicksecure.com/wiki/Special:BotPasswords
* https://www.kicksecure.com/wiki/Special:BotPasswords/botname
* https://www.whonix.org/wiki/Special:BotPasswords
* https://www.whonix.org/wiki/Special:BotPasswords/botname
* note: replace botname with actual name of bot
== rootless X11 ==
* only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
* Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.
== power9 RAM encryption research ==
* todo
== auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing ==
* https://github.com/dracutdevs/dracut/issues/2589
* if doable with reasonable effort please send a pull request to dracut-'''ng'''
* Pull request: https://github.com/dracut-ng/dracut-ng/pull/694
* update: as discussed, low priority if effort is too high
== dracut add support for undeclared CDLABEL ==
as discussed
== live-build - Retry button in derivative-maker doesn't work ==
* low priority, move to backlog please
= Footnotes =
{{Footer}}