{{Header}}
{{title|title=ToDo for Developers}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
{{Developers-only}}

= TODO DEV =

== trixie-port - misc qubes test failures ==
* From Marek:
** https://openqa.qubes-os.org/tests/159131
** https://openqa.qubes-os.org/tests/159129#step/TC_00_Dom0Upgrade_whonix-gateway-18/2
** https://openqa.qubes-os.org/tests/159123 (this one is due to sudo being blocked)
** https://openqa.qubes-os.org/tests/159089
** https://github.com/Whonix/updates-status/issues/290#issuecomment-3524509617
** https://github.com/Whonix/updates-status/issues/289#issuecomment-3524513760
* From Ben:
** https://openqa.qubes-os.org/tests/159100#step/TC_00_DispVMPerf_whonix-workstation-18/21

== trixie-port - set-system-keymap improvements #2 ==
* 1) bug: in a sysmaint session, sudo set-system-keymap de fails to reload labwc. A reboot is required to change the keyboard layout. (confusion resolved: system vs user configuration)
* 2) bug: set-system-keymap / set-console-keymap is broken in some situations:
** inside the dracut emergency shell
** single user mode (kernel parameter single)
** this is because localectl is unavailable. Patrick pushed some changes to ignore this.
* 3) feature request: set-system-keymap should configure the system keymap in case of
** single user mode (kernel parameter single) - possible by re-generating the initrd by running "sudo dracut -f" - tested - functional
** dracut emergency shell - same as above.
** run sudo dracut -f &>/dev/null to hide verbose dracut output and report only success or failure.
** Patrick implemented this.
* 4) feature request: set grub stage 2 keyboard layout
** 1 or 2 separate grub boot menu entries
*** additional boot menu entry 1: specific user-chosen keymap only
**** use case: easier to use GRUB menu entry - no need to scroll through lots of language entries
*** additional boot menu entry 2: generate all keymaps (within reasonable limits?)
**** What would be a good time/trigger to generate the keymaps? Is it useful or avoidable to keep re-generating the keymaps over and over again? A new /etc/grub.d drop-in? Part of which script?
**** use case: usable on the ISO
**** use case: users can easily try kernel boot parameters to attempt to fix the boot process in case of hardware issues
*** boot menu entries should be at the very bottom
*** enabling a verbose ("set -x") equivalent may be useful
** boot with the GRUB standard keyboard. Only if the user selects a custom GRUB keyboard layout change menu entry, try loading a different keyboard driver and layout.
** Aaron: USB keyboard support does not appear practical, as numerous GRUB issues occur when using nativedisk and insmod usb_keyboard:
*** GRUB randomly can't find hard drives sometimes
*** Stack overflows occur
*** Sometimes "alloc magic" errors appear
*** Fonts can become very messed up
*** Boot usually becomes impossible
* 5) feature request: set-labwc-keymap: --persist should be the default?
* 6) feature request: apply console layout change by running systemctl --no-block --no-pager restart keyboard-setup
* 7) set-console-keymap: allow running as non-root / support file ~/.keyboard
** Discussed, researched: it is not possible to set the console keymap without root permissions and without setting the keymap system-wide.
* 8) bug: Should INFOs be written to stdout, not stderr? Or is there a reason to write everything to stderr? In such special cases, please document this by adding a script comment on how the channels (stdout, stderr) are used.

== trixie-port - red XDG_RUNTIME_DIR unset warning during shutdown ==
* Non-Qubes-Whonix Whonix-Workstation
* no adverse effects, but looks scary for users
* Aaron: I've seen this before, but could not reproduce it on-demand for testing.
** Pushed commits to desktop-config-dist and user-sysmaint-split in an attempt to resolve the issue and a related problem with scary logs being shown during shutdown. Unfortunately I ended up reproducing the issue by accident even after these changes were installed.
* Patrick:
** What place is supposed to set XDG_RUNTIME_DIR? Can we set it?
** Could you ask labwc please?
** libpam-systemd missing? as per
*** https://github.com/BlitterStudio/amiberry/issues/453#issuecomment-549150776

== trixie-port - lengthen live-config-dist timeouts ==
* Physical hardware installations to a USB drive are oftentimes slow due to slow USB key performance
* Timeouts sometimes occur during the installation process, resulting in failed installations
* Lengthen timeouts in live-config-dist so that this use case is better supported

== fix VirtualBox green turtle ==
* Test with Windows Home, if possible.
* Test with Windows Pro.
* Document how to use VirtualBox with Hyper-V.
** https://www.virtualbox.org/manual/topics/AdvancedTopics.html#hyperv-support
** This is important because it is the future.
** It is also important because it requires fewer changes to Windows. It does not require disabling Windows security features.
** Using VirtualBox with Hyper-V might not be possible on Windows Home.
*** There are mixed reports about whether Windows Home supports "full" Hyper-V. The Home edition might use Hyper-V internally, which causes issues for VirtualBox. ("green turtle")
* Document how to use VirtualBox with VirtualBox's native virtualization ("blue chip" symbol instead of "green turtle").
** This might be useful for users on Windows Home edition.
** Add the required commands to fix the VirtualBox "green turtle" in the wiki: [[VirtualBox/Green_Turtle_Issue]]
** Documentation on how to manually change the settings is useful for understanding but should not be the ultimate goal.
** All steps should be executable using command-line commands only, as there are too many steps to perform manually.
** Consider accomplishing this using Windows Intune.
** Write a batch script (if not using Windows Intune).
** Add an option to the Windows Installer to do this.
** If unsolvable, document everything learned or attempted. This might assist others in continuing the work. Collect any helpful links and add quotations from useful information.
* Essentially, explore and document both approaches: using VirtualBox with Hyper-V and using VirtualBox with its native virtualization while disabling Windows' Hyper-V.
* Aaron: Current research:
** Intune is not free and does not work on home editions of Windows, thus not usable.
** PowerShell scripting would likely make quick work of this, but unfortunately Microsoft prevents one from running PowerShell scripts without taking explicit (and IIRC convoluted) steps to enable them, as a security feature.
** Probably the easiest solution is to use a batch file and then execute it as administrator (which is tricky but not impossible; requires calling a ShellExecuteExW function in the Windows API with the "runas" verb, see https://learn.microsoft.com/en-us/windows/win32/shell/launch, this should trigger a UAC prompt, then the script should be able to run and do whatever it needs to).
** Batch files for disabling Hyper-V and re-enabling virtualization-based security under Windows 11 Home have been created. Still need to wire them into Whonix-Installer itself.
* todo: add debug output to the script; in case there are issues, users can post the debug output
** Aaron: Done.
* todo: run hypervisorlaunchtype auto and hypervisorlaunchtype Off to work around the Windows bug experienced by Patrick
** Aaron: Done.
* todo: run at the end for debugging: Get-CimInstance Win32_ComputerSystem | Select-Object HypervisorPresent
** add link as comment: https://forums.ea.com/discussions/battlefield-6-technical-issues-en/unable-to-run-in-a-virtual-machine-please-exit-the-vm-and-try-again-121/12789008
* todo: add these commands?
** https://forums.ea.com/discussions/battlefield-6-technical-issues-en/unable-to-run-in-a-virtual-machine-please-exit-the-vm-and-try-again-121/12789008
*** Aaron: Likely unnecessary, but should be kept in the task list for reference.
* todo: disable firmware protection
** Aaron: Done.
* todo: explain commands and potential failures as echo comments
** Aaron: Done.
* todo: add separator output between lines
** Aaron: Done.
* todo: allow the script to be executed by the installer

== trixie-port - address systemcheck log warnings ==
* there are a number of journal messages in systemcheck output in Non-Qubes-Whonix
* there might be others for Qubes-Whonix

== trixie-port - usability-misc versus policyrcd-script-zg2 ==
* usability-misc Depends: on policyrcd-script-zg2
* todo: think through whether this dependency should be removed or moved elsewhere, and whether it can interact badly with user-sysmaint-split's policyrcd
* Aaron:
** Very unlikely to interact badly. policyrcd-script-zg2 uses the alternatives system, as does user-sysmaint-split, and user-sysmaint-split installs its policy-rc.d with a higher priority than policyrcd-script-zg2, therefore it will take priority. However, this also means that the functionality offered by policyrcd-script-zg2 is broken, likely including the pointer to helper-scripts' policy-rc.d in the POLICYRCD environment variable used by apt-get-noninteractive.
** The use of POLICYRCD in apt-get-noninteractive seems superfluous and possibly even bad. During package builds, disabling daemon restart makes sense, but this is done by installing helper-scripts' policy-rc.d with a higher priority than even user-sysmaint-split's version, so POLICYRCD is unnecessary to prevent things like unintentional connections to Tor. Done in help-steps/prevent-daemons-from-starting. Users who use apt-get-noninteractive would probably reasonably expect daemons to be restarted during installation of new packages.
** Suggestion: Remove dependency, strip all instances of POLICYRCD from codebase where the variable is set to a path. (Currently the variable is only set in apt-get-noninteractive and dpkg-noninteractive. There is also a use in grml-debootstrap but it appears to be used as a flag, not a path, thus this should not be removed.)
* Patrick:
** Because daemon restarts can cause APT upgrade failures and `apt-get-noninteractive` is designed as a tool to easily fix broken APT. Documented in its man page just now. Therefore, please keep that as is.
** todo: move dependency of policyrcd-script-zg2 from usability-misc to helper-scripts?
** todo: review policyrcd-script-zg2. seems to be a stable, not changing much, simple package with only 1 essential file: /usr/sbin/zg-policy-rc.d
** todo: please port user-sysmaint-split to policyrcd-script-zg2, if sensible

== sdwdate-gui - json decode bug ==
<pre>
+ /usr/libexec/helper-scripts/terminal-wrapper 'leaprun sdwdate-log-viewer'
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_gui_client.py", line 393, in sdwdate_status_changed
    status_dict: dict[str, str] = json.load(f)
                                  ~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/__init__.py", line 293, in load
    return loads(fp.read(),
        cls=cls, object_hook=object_hook,
        parse_float=parse_float, parse_int=parse_int,
        parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
</pre>
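Added example, not code from sdwdate or sdwdate-gui: "Expecting value: line 1 column 1 (char 0)" is exactly what the json module raises for an empty input, which is what a reader sees when it opens a status file after the writer truncated it but before the new content landed (one possible cause of the failure above, not confirmed here). The writer below publishes the file by atomic rename so that window cannot occur, and the reader classifies what it found so the GUI can log something more specific than "Could not parse JSON". The status file path is an assumption.

```python
import json
import os
import tempfile
from typing import Optional

# Hypothetical location; this page does not state where sdwdate writes its
# status file, so the path below is an assumption for the example only.
STATUS_FILE = "/run/sdwdate/status"


def write_status_atomically(path: str, status: dict[str, str]) -> None:
    """Publish a JSON status file without ever exposing a partial write.

    The JSON goes to a temporary file in the same directory, is flushed to
    disk, and is then renamed over the destination.  rename(2) is atomic on
    POSIX, so a concurrent reader sees either the complete old file or the
    complete new one, never the empty file that "(char 0)" indicates.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".status.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(status, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        # Do not leave a half-written temporary file behind on failure.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def load_status(path: str) -> tuple[str, Optional[dict[str, str]]]:
    """Read the status file and classify the outcome.

    Returns (state, data); state is one of "missing", "empty",
    "invalid-json", "wrong-shape" or "ok", and only "ok" carries data.
    """
    try:
        with open(path, "r", encoding="utf-8") as f:
            raw = f.read()
    except FileNotFoundError:
        return "missing", None
    if raw.strip() == "":
        # The case json.load() reports as "Expecting value ... (char 0)".
        return "empty", None
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return "invalid-json", None
    if not isinstance(parsed, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in parsed.items()
    ):
        # The traceback above annotates the result as dict[str, str];
        # reject anything else here instead of failing later in the handler.
        return "wrong-shape", None
    return "ok", parsed


def run_demo(directory: Optional[str] = None) -> list[str]:
    """Exercise every state on constructed files; returns the observed states."""
    directory = directory or tempfile.mkdtemp(prefix="sdwdate-demo-")
    path = os.path.join(directory, "status")
    states = [load_status(path)[0]]                    # missing
    open(path, "w", encoding="utf-8").close()
    states.append(load_status(path)[0])                # empty
    with open(path, "w", encoding="utf-8") as f:
        f.write('{"status": "succ')                    # constructed: cut-off write
    states.append(load_status(path)[0])                # invalid-json
    with open(path, "w", encoding="utf-8") as f:
        f.write('["not", "a", "dict"]')                # constructed: wrong type
    states.append(load_status(path)[0])                # wrong-shape
    write_status_atomically(path, {"status": "success", "message": "constructed"})
    states.append(load_status(path)[0])                # ok
    return states


if __name__ == "__main__":
    print(run_demo())  # ['missing', 'empty', 'invalid-json', 'wrong-shape', 'ok']
```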
== privleap - improve debug output ==
* "ERROR: You are unauthorized ..."
** Who is "You"? :)
** todo: please add who "you" is. This might simplify debugging when using nested privleap.

== systemcheck - document ignored systemcheck warning messages ==
* /etc/systemcheck.d/30_default.conf contains a lot of ignored warnings/errors
* please add comments on top of each line explaining why it is being ignored
* add links to upstream issues
* in unknown cases, please investigate and report upstream
* in case of unknowns, high effort or rabbit holes, please create follow-up issues

== sysmaint-panel - add gsmartcontrol and smart-notifier ==
* non-Qubes only
* hardware only
* add gsmartcontrol
* also add smart-notifier to the task bar, if sensible?

== change program menu icons ==
* sysmaint-panel and live-indicator
* please use a different icon (not necessarily the project logo)

== 351-socks-auth-extensions ==
* please search the code base for: random_socks_user_name
* implement, if sensible: https://spec.torproject.org/proposals/351-socks-auth-extensions.html

== Qubes OS - whonix-workstation-18 performance issues compared to debian-13-xfce ==
* Overview: https://openqa.qubes-os.org/tests/158005/file/system_tests-whonix-workstation-18_graph_08_template_mean.png
* More detailed analysis:
** Debian 13: https://openqa.qubes-os.org/tests/158005/file/system_tests-debian-13-xfce_graph_04_line_0_exec.png
** Debian 13: https://openqa.qubes-os.org/tests/158005/file/system_tests-debian-13-xfce_graph_04_line_2_total.png
** Whonix 18: https://openqa.qubes-os.org/tests/158005/file/system_tests-whonix-workstation-18_graph_04_line_0_exec.png
** Whonix 18: https://openqa.qubes-os.org/tests/158005/file/system_tests-whonix-workstation-18_graph_04_line_2_total.png
* Whonix is about 1.5 to 3 seconds slower in app startup in many test cases.
* Investigate, find ways to reduce the performance delta

== dracut improvements ==
* install bash module by default?
** vs Qubes initial memory
* set SYSTEMD_SULOGIN_FORCE=1 by default to allow login into the dracut emergency console even if the root account password is locked

== terminal login messages ==
* adjust cli (virtual console) login manager messages based on session type (user session versus sysmaint session)
grep -r -i "default username"
find . | grep --fixed-strings issue.d
find . | grep --fixed-strings motd.d
== heads - add whole disk boot mode ==
* Kicksecure's ISO does not boot easily on Heads because booting it requires mounting the full disk device, whereas Heads is only designed to open individual disk partitions.
* Add a new option to the boot menu for the whole disk device, for compatibility with ISOs like Kicksecure's.
* Might not be needed if Heads upstream implements it first.

== VirtualBox - shared folder - error handling ==
* user story: I think that I added a shared folder already. But I am mistaken without knowing. The following error message by mnt-shared-vbox.service leads to hunting non-existing issues. The only issue is the omitted host configuration.
Nov 06 16:29:18 localhost mount-shared[1099]: /sbin/mount.vboxsf: mounting failed with the error: No such file or directory
== VirtualBox - shared folder - confusing readme ==
* The readme shows up even after the shared folder is perfectly functional.
* Maybe best to abolish the readme.
* Readme is copied over and over again?

== apparmor - allow_disconnected concerns ==
* https://github.com/ArrayBolt3/kloak/commit/691d1512cd870db7297f5d38aeba421f08543311
* is allow_disconnected.path=/disconnected safe? Any upstream documentation on what exactly leads to a path becoming "disconnected" and why this is necessary?
* Possible to avoid needing this? Why does Python attempt to access /dev/null through a disconnected path?
* use include abstractions/python?

== approx - work around and report metadata caching problems ==
* Sometimes the data in the approx cache goes out of date and approx fails to update it, resulting in failed builds and possibly in builds containing outdated packages
* Reproduce issue, report upstream, create workaround in derivative-maker
* Aaron: Issue reported: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118031
* Aaron: Workaround created: https://github.com/ArrayBolt3/derivative-maker/commit/42f6e3ba146e60a89167acba67c041aecb49d505
** Patrick: Merged.

== qubes - qrexec to NetVM ==
* investigate if it is possible to get the name of a qube's NetVM from within the qube, or otherwise send qrexec requests to the NetVM
* contribute feature to upstream if it doesn't exist
* use case: don't require sdwdate-gui in Qubes-Whonix-Workstation to be explicitly configured to talk to the appropriate Qubes-Whonix-Gateway in a multi-gateway setup

== compiled code - investigate using clang ==
* clang provides a minimal UBSan runtime which may be usable as an additional hardening feature.
* Investigate if this is worthwhile.
* gcc supports more warnings; perhaps use gcc and clang together for "diagnostic builds" and static analysis, and clang for release builds?
* Perhaps build twice, first with gcc for testing only, then with clang?
** Patrick: Keeping gcc support might be worthwhile for non-technical reasons: [[Miscellaneous_Threats_to_User_Freedom#GCC_vs_Clang-LLVM|GCC vs Clang-LLVM]]

== port to sequoia-pgp ==
* port all code base from gpg to sequoia-pgp as much as sensible
* related - not part of this task - only for reference - https://github.com/QubesOS/qubes-issues/issues/8241
* https://sequoia-pgp.org/blog/2022/12/19/202212-chameleon-0.1/
* https://packages.debian.org/trixie/sequoia-chameleon-gnupg
** Can we just symlink /usr/bin/gpg to /usr/bin/gpg-sq?
* Aaron: Unsure if replacing gpg with gpg-sq wholesale is a good idea. Quoting the blog post on gpg-sq:
** "A consequence of not modifying GnuPG’s state but using an overlay is that changes made using the Chameleon will not be picked up by GnuPG. For example, if you import a certificate using the Chameleon, it will only be inserted into the overlay, and GnuPG will not see it."
** Would prefer porting to sq's native API instead, to avoid consistency issues.
* Aaron: Delay until after the release of Kicksecure 18 perhaps? That way the work done here doesn't end up causing us major problems before the release is complete.
** Delaying this may be essential, as Whonix 18 should release before Qubes OS R4.3 does.
** Please move to WAITING ON if good to delay, move back to TODO if we should pursue this now.
*** Patrick: Please do in sequoia branch.

== user-sysmaint-split versus Qubes Video Companion is broken on Whonix-Workstation ==
* please comment how this could be resolved
* https://github.com/QubesOS/qubes-issues/issues/10163
* https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561/73

== kloak - Qubes OS mouse anonymization improvements ==
* https://github.com/QubesOS/qubes-issues/issues/10292

== optimize accountctl / get-user-list / get-password-status-list ==
* current implementation: forks frequently and has to re-open and re-parse /etc/shadow and related files for every query. This results in noticeable performance delays in some scripts; it is also non-atomic and vulnerable to race conditions.
* better implementation: a library that caches /etc/shadow and related files when the library is sourced. Queries rely on in-memory data and avoid forking if possible.
* refactor existing bash code? rewrite in Python? Python may be simpler and faster, but the existing bash implementation seems very stable.

== three finger salute ==
* https://forums.kicksecure.com/t/ctrl-alt-del-three-finger-salute-action/1197
* the three finger salute should do something useful, similar to what it does on Windows
** lock screen (Qubes does that)
** start task manager
** emergency shutdown button
* Open a sysmaint (or root) shell?
** This feature can be deferred.
** SAK alike?
*** Can a compromised Wayland swallow the three finger salute and mount a login spoofing attack?
**** Aaron: No, because the salute is read by the handler via evdev, which is provided directly by the kernel. It could receive the keypress despite emerg-shutdown or similar seeing it too, but emerg-shutdown would SIGSTOP the compositor before running the actual Ctrl+Alt+Delete handler.
*** Perhaps we should use the real SAK, but reconfigure its action, if that is at all possible?
**** Aaron: Does not appear to be possible, see https://www.kernel.org/doc/html/v6.0/security/sak.html
** research SIGSTOP
*** Aaron: Looks like it works reliably, even when a stuck kernel thread is involved
** research locked up kernel threads and their abuse potential
*** Aaron: It appears the worst they can do is prevent processes from fully exiting, which isn't a problem for us. They also seem to be very hard to create, unless you have root access. See https://chrisdown.name/2024/02/05/reliably-creating-d-state-processes-on-demand.html
** anti-phishing code
*** static
*** TOTP - perhaps at a later time

== live-hardener vs efi bug ==
* probably already resolved?
Aug 10 08:30:55 host live-hardener[767]: mount: /boot/efi: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
== emergency-shutdown - bug - breaks Calamares installer ==
* todo
* Patrick: Still an issue? Duplicate of [[Dev/todo#Kicksecure_installer_versus_live-hardener_bug|Kicksecure installer versus live-hardener bug]]?
** might have been fixed in: https://github.com/Kicksecure/security-misc/commit/c59a3b233bd8893d466c020a2e2695ab545c6e60
** KVM affected?

== emerg-shutdown - delayed shutdown ==
* emerg-shutdown may be triggered by accident; users should have an opportunity to cancel unless the root device has vanished entirely
* for delayed shutdowns, show a warning of some sort and provide clear instructions on how to cancel the shutdown
** switch to a TTY and display a red screen with warning text on it?
*** may conflict with agetty; investigate how to suppress it (or switch to a TTY that isn't in use and that agetty isn't configured to spawn on)
* some users may need instant shutdown without warning; allow configuring the shutdown timeout, including making it 0

== emerg-shutdown - versus ram-wipe ==
* an init (systemd) wrapper?
* root disk must be unmounted so the kernel deletes the {{fde}} key from RAM

== emerg-shutdown - bugs ==
* Qubes:
** Should probably not run in Qubes at all? Disable using a systemd unit file conditional?
Aug 10 06:10:23 host emerg-shutdown[635]: Failed to find any input device supporting panic keys!
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Main process exited, code=exited, status=1/FAILURE
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Failed with result 'exit-code'.
Aug 10 06:10:35 host memlockd[677]: Mapped file /lib/x86_64-linux-gnu/libgpg-error.so.0
* Non-Qubes:
** So far only observed in non-Qubes.
Aug 11 08:27:57 localhost memlockd[1006]: Error mmaping /etc/resolv.conf: Invalid argument
== emergency-shutdown - debugging improvements ==
* add more debug output:
** every relevant code path should be written to the journal
** trigger needs to be recorded
** action needs to be recorded
** purpose: in case of bugs (such as above), it should be possible to debug this at least with a (virtual) serial console

== chvt hardening ==
* https://forums.kicksecure.com/t/chvt-change-foreground-virtual-terminal-vt-tty-prevent-malware-from-forced-tty-change/1274

== Qubes OS IPv6 DNS ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/592

== Qubes in-vm kernel boot mode support ==
* GRUB patch for Xen command line parsing has been merged
* implement boot mode support for in-vm kernels in qubes-core-admin
* Qubes issue: https://github.com/QubesOS/qubes-issues/issues/9872

== Qubes in-vm kernel support in general ==
* https://github.com/QubesOS/qubes-issues/issues/9570
* https://github.com/QubesOS/qubes-issues/issues/8649
* https://github.com/QubesOS/qubes-issues/issues/9759

== timesync developer wiki page improvements ==
* https://www.whonix.org/wiki/Dev/TimeSync
* [[anondate]]
* https://www.kicksecure.com/wiki/Dev/sdwdate
* please study, improve
* take note of Tor consensus and replay attacks
* in preparation for follow-up tasks

== sdwdate refactoring and improvements ==
* study sdwdate source code
* lightweight refactoring (such as no longer using classes because these are used inconsistently)
* separate into sdwdate-daemon and sdwdate-time-fetcher?
** Aaron: sdwdate-daemon is a very interesting idea, most likely useful for the ClockVM idea, however it is only feasible in situations where one either has multiple networked physical machines or multiple connected virtual machines (i.e. VBox with one Whonix-Gateway and many Whonix-Workstations, or Qubes OS). This is because the daemon has to be able to change the system's time as it sees fit in order to get Tor working (i.e. first get consensus to work by using certificate lifetime if possible, then get circuits to work using consensus, then get real time from three separate servers which are now accessible since circuits work). There is no way to isolate CLOCK_REALTIME changes from the rest of the system, Linux has time namespaces but they don't virtualize CLOCK_REALTIME. Thus sdwdate-daemon would have to be able to modify the system time freely in its mission to find the right time.
** In theory, this could be avoided if time changes could be communicated to the Tor daemon without modifying the system's wall clock. I do not know if this is possible, I suspect it isn't. Even though it is technically feasible, it would potentially be immensely complicated to implement.
** Perhaps implement sdwdate-daemon as a process that only returns whatever the next time step is, and also indicate whether there are further steps? Then sdwdate-time-fetcher could either ignore the date if the daemon indicates more steps are still to come, or accept it. The ClockVM itself would unconditionally accept sdwdate-daemon's reported time values in order to assist it in finding the correct time, then client VMs would only update their clock once the "final step" was reached.
* sdwdate oneshot feature (pick the median time from the 3 pools, output to console, then exit) if considered useful for the next bullet point
* add support for sdwdate to be used as a [https://forums.whonix.org/t/qubes-whonix-gateway-as-clockvm/19015 Qubes-Whonix-Gateway as ClockVM]
* note: sdwdate can already fix the clock if it is very slow (with the help of Tor consensus and anondate)
** Aaron: If the clock is very very slow, this seems to not work. Might be possible to use Tor certificates to get within a year of the correct date, then attempt to brute-force a month that will allow Tor consensus to work. As long as the Tor network itself will not work if the clock is too far off, we don't have to worry too much about replay attacks, untrusted data, etc. - the worst an attacker could do is denial of service, we'll only get working connectivity if we get very close to the correct time (or an adversary controls so many of the servers we're using it can trick us into thinking our time is correct, which is statistically unlikely...? is it actually statistically unlikely?)
* add feature to sdwdate to allow it to fix the clock if it is very fast too
** it may not be possible to implement such a feature securely (setting the clock forward has no security risk but setting the clock backwards makes already expired keys valid again). Perhaps this should just be a manual action? In theory, by setting the clock backwards very far into the past, sdwdate should be able to fix it. Perhaps we could try once to set the clock backwards just a few hours (not years) based on Tor consensus / anondate? Or perhaps this should only be possible by manual user action?
* use chrony - time setting only - not time fetching - as a replacement for sclockadj as per [[Dev/sdwdate]]
** or, if easier and saner, port sclockadj from clock_settime to adjtimex?
** Aaron: Probably easier to port sclockadj, chrony looks a bit dangerous to me.
** please research, consider various options

== kicksecure - update torification improvements ==
* only shipped-by-default apt repositories go through Tor
* ideally, newly added apt repositories should go through Tor as well, as should flatpak installation and updates
** Flatpaks can be made to go through Tor by enabling an HTTPTunnelPort in Tor, then setting http_proxy and https_proxy to http://localhost:9080 (assuming your port number is 9080) when running Flatpak. There doesn't appear to be a way to set a proxy in Flatpak's configuration, thus this would probably require a wrapper.

== flatpak update integration ==
* users are given the ability to easily install flatpaks via browser-choice, but aren't given any easy way to update them
* add code to upgrade-nonroot that also updates flatpaks
* Aaron: Implemented: https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/flatpak-update
* Patrick: should be deferred until update torification has been improved

== stream isolation socks user name new spec implementation ==
* https://spec.torproject.org/proposals/351-socks-auth-extensions.html
* note: curl socks user name in Qubes source code

== investigate Debian Rolling ==
* investigate why the Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk Very incomplete, nowhere near usable. Will keep developing this.

== repository-dist-wizard - improvements ==
* {{Github_link|repo=repository-dist}}
* GUI: detect the stable, stable-proposed-updates, testers, developers setting in the GUI. I.e. if re-running the tool, keep the former setting. Should this depend on the previous choice in the GUI (status files, probably easier) or on the actual status on the disk (might be manually modified by the user)?
* add support for switching back and forth between clearnet and onion

== Tool to onionize all APT sources ==
* https://forums.whonix.org/t/tool-to-onionize-all-apt-sources/13367
* Should it be part of repository-dist or a standalone tool?

== verified boot implementation ==
* assume firmware can extend trust to the kernel via Sovereign Boot
* create a system for extending trust from kernel to initramfs and userland
* possibly investigate immutable images?
* Implementation idea notes:
** A system running with Verified Boot enabled must have the root partition in live mode (read only with tmpfs overlay). Therefore something similar to live mode will be needed when running in "verified mode"
** dm-verity is what Google uses, there seems to be no compelling reason for us to avoid it.
** Kernel modifications are not permitted, Kicksecure will be signing Debian's shim meaning only vanilla Debian kernels will be bootable. Rely on alternative ways of storing the dm-verity root hash in a secure immutable fashion, such as:
*** TPM / Measured Boot? Highly desirable if security issues don't result, as this avoids the need for user interaction unless something goes wrong.
**** Would require some way of authenticating that the TPM has not been reset (similar to Heads TOTP/HOTP codes)
*** User providing the hash on an external drive?
*** Verification passphrase similar to LUKS passphrase?
** Patrick: TPM is unavailable inside VMs? In this case, verified boot support is still desirable.
* Patrick
** Whonix-Gateway: either no verified boot initially or install user-sysmaint-split by default
** persistent mode: verified boot should still allow for persistent logs
** [[Verified_Boot#When_the_verification_is_over.3F|When the verification is over?]]:
*** "verification is a continuous process happening as data is loaded into memory"
*** "This means if malware manages to modify the /usr/bin/mv program despite immutability, then dm-verity would notice this the next time the user or system is attempting to execute that command."
*** The security gained from this feature is somewhat reduced if the attacker can use ephemeral overlays.
** consider [[Sysmaint#enable_sudo_access_in_USER_session|enable sudo access in USER session]] (developer debug mode): disable verified boot + write to disk + regenerate verified boot hash tree (this is to ease debugging issues only happening in user session but not in sysmaint session)
* prefer Debian on a true read-only filesystem without ephemeral overlay to benefit from the kernel's continuous verification after boot
** [[Verified_Boot#Challenges_with_Immutable_Filesystems|Challenges with Immutable Filesystems]]
*** As-needed ephemeral overlays
*** Use alternate software that doesn't require root to be writable
*** as feasible, up for discussion

== permission-hardener - live bug ==
* got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1)  ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'postinst' $*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map
config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
* random guess: Could there be issues with non-Latin language settings?
* Why is it /usr/lib/live/mount/rootfs/filesystem?
* Could it be that the user booted into live mode?
* Maybe a case of low RAM where no further writes to RAM were possible?
* Booting into live mode and using APT should be supported as much as feasible.
* In case of insufficient information, could you please add debug code to provide more information in the future?
* Unsure if further information can be requested from the reporter, but I could try.
* Useful to add:
test -w "${file_name_from_stat}"
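Expanding on the test -w idea, here is an added example (not permission-hardener's own code) of a pre-flight check to run before each dpkg-statoverride call, so that a target under the read-only Debian Live mount seen in the report above produces a diagnostic naming the cause instead of a bare "failed with exit code '2'". The live-media prefix comes from the paths in the log; the result codes, function names and the way the message is printed are constructed for this example.

```python
"""Added example (not permission-hardener's own code): classify why a
dpkg-statoverride/chmod on a target path would fail, before attempting it.
Written against the /usr/lib/live/mount/... paths from the bug report above;
return codes and messages are constructed for this example."""
import os
import sys

LIVE_MEDIA_PREFIX = "/usr/lib/live/mount/"   # Debian Live media/rootfs mount seen in the report

OK, MISSING, LIVE_MEDIA, READ_ONLY_FS, NOT_WRITABLE = range(5)


def is_live_media_path(path: str) -> bool:
    """True if path sits on Debian Live's mounted media or rootfs, which is
    what a vanilla Debian Live session being distribution-morphed looks like."""
    return os.path.normpath(path).startswith(LIVE_MEDIA_PREFIX)


def fs_is_read_only(path: str) -> bool:
    """True if the filesystem containing path is mounted read-only (ST_RDONLY).
    Unlike os.access(), this also holds for root, who passes W_OK checks."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def statoverride_preflight(path: str) -> tuple:
    """Return (code, message); code is OK when a mode change can be attempted."""
    if is_live_media_path(path):
        return LIVE_MEDIA, (f"{path!r} is on Debian Live media ({LIVE_MEDIA_PREFIX}); "
                            "distribution-morphing a live Debian session is unsupported, "
                            "use the Kicksecure live ISO instead.")
    if not os.path.lexists(path):
        return MISSING, f"{path!r} does not exist."
    if fs_is_read_only(path):
        return READ_ONLY_FS, f"filesystem containing {path!r} is mounted read-only."
    if not os.access(path, os.W_OK):   # the test -w equivalent
        return NOT_WRITABLE, f"{path!r} is not writable by uid {os.getuid()}."
    return OK, ""


def check_targets(paths) -> tuple:
    """Return the first failing (code, message) over all targets, or (OK, '')."""
    for path in paths:
        code, msg = statoverride_preflight(path)
        if code != OK:
            return code, msg
    return OK, ""


if __name__ == "__main__":
    # usage: preflight.py /usr/bin/sudo /usr/bin/pkexec ...  (exit code = failure class)
    exit_code, message = check_targets(sys.argv[1:])
    if exit_code != OK:
        print(f"permission-hardener: [ERROR]: {message}", file=sys.stderr)
    sys.exit(exit_code)
```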
* permission-hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
* Aaron: Cannot reproduce on ISO or in LIVE mode USER.
** The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
*** All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
*** We already offer a live Kicksecure ISO.
*** None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
*** And of course, permission-hardener doesn't expect anything under /usr to be read-only.
** Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
* Patrick: Done. Documented.
* Could you please add better error handling in this case?

== audio ==

=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share

=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing RAM to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between PulseAudio and PipeWire on a booted VM; discovered I could "initialize" the speakers with PulseAudio and then PipeWire would work thereafter
* Virtually certain this is an upstream bug; was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under VirtualBox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. PulseAudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.

== live-build - test lb config --dm-verity ==
* Does the ISO still function if built with lb config --dm-verity?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup

== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10

== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415

== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
* if doable with reasonable effort

== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script to use git bisect to auto-test which commit introduced this issue, maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
* Aaron: vanguards has been removed from Debian Trixie, still worth doing?

== VirtualBox serial console ==
* {{CodeSelect|inline=true|code= sudo apt install serial-console-enable }}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
* would installation by default be sane or a security issue?

== KVM related ==

=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Direct_Rendering_Manager
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance

=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance

=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance

=== KVM - verify AppArmor sVirt confinement operation ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/593

=== KVM - use rootless ===
* https://forums.whonix.org/t/rootless-virtual-machines-with-kvm-and-qemu/20952
* port documentation (and XML files, if needed) to qemu:///session, if sane
* search Kicksecure and Whonix wiki - using [[Special:ReplaceText]]
* re-check if sVirt is still functional

=== KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections ===
* https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/594
* update documentation
** https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:_Use_more_than_One_Whonix-Workstation_-_Easy
** https://www.whonix.org/wiki/KVM#Creating_Multiple_Internal_Networks
** https://www.whonix.org/wiki/Multiple_Whonix-Gateway#KVM

=== KVM - IPv6 router advertisement issues ===
* when is set in Whonix-external-network.xml, Whonix-Gateway cannot get an Internet-facing IPv6 address
* router solicitation messages are being sent according to tcpdump, but router advertisement messages are not being received in response
* removing from both the external and internal network configuration resolves the issue
* removing from only the external network configuration resolves the issue if and only if Whonix-Gateway is allowed to fully boot before Whonix-Workstation is started
* above issues are present with Ubuntu 24.04's libvirt
* test a newer libvirt version (using Arch Linux?)
* file bug report if necessary

== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point: live-build deletes them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at installation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way, Whonix VMs still need these.
== Polkit - run only in sysmaint session ==
* [[Polkit]]
* todo: discuss
* find solutions on how to have functional shutdown/restart/etc. buttons

== speed up build system ==
* get --force-unsafe-io working again or at least partially working; it's broken with mmdebstrap but maybe we can use it in some areas at least
* parallelize package builds if possible
* if we could figure out a hack to use native (de)compression routines rather than emulated ones, that would probably help immensely

== per-app UID sandboxing ==
* todo: discuss
* related to the following tasks
* nested wayland?

== stackable wrappers ==
* in preparation for the next two tasks
* forum discussion: [https://forums.whonix.org/t/stackable-wrappers/7944 stackable wrappers]
* {{Github_link|repo=proposals|path=/blob/master/634-stackable-wrappers.md|text=proposals repository: 634-stackable-wrappers.md}}
* Debian feature request: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693 Feature Request: Automatically starting programs under firejail]
* review, comment, pull request where applicable
* draft and/or open a discussion on debian-devel
* use cases:
** automatically sandbox applications (such as when typing "browser-name")
** warn user against starting certain applications inside sysmaint session such as browsers
** apply system resources restraint: https://forums.whonix.org/t/constrained-system-resources-program-starter-wrapper/10914

== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task

== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss

== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?

== improved server support ==
* documentation
** rebrand wiki CLI for server
* Linux account passwords?
* cloudinit?
* vm-config-dist versus autologin CLI vs GUI vs server

== hidepid ==
* general information: https://www.kicksecure.com/wiki/Security-misc#hidepid
* enable by default for users of user-sysmaint-split?
* hidepid seems to make most sense if using user-sysmaint-split, because then account "user" cannot use sudo/pkexec anyhow
* test and implement https://github.com/systemd/systemd/issues/29893#issuecomment-2757436101 if sane

== research shred ==
* research if shred is still useful nowadays
* if not, should be replaced by safe-rm

= WAITING ON =

== trixie-port - Qubes journal log messages ==
* Qubes. Should be fixed but is not fixed. Happening after boot.
Oct 27 13:40:36 host qrexec-agent[12402]: 2025-10-27 13:40:36.085 qrexec-agent[12402]: exec.c:902:find_qrexec_service: Warning: ignoring skip-service-descriptor=true for execute executable service /etc/qubes-rpc/qubes.UpdatesProxy
* Qubes. Happening after boot.
Oct 27 13:50:13 host systemctl[14620]: Failed to connect to user scope bus via local transport: $DBUS_SESSION_BUS_ADDRESS and $XDG_RUNTIME_DIR not defined (consider using --machine=@.host --user to connect to bus of other user)
* Qubes. Happening when using sdwdate-gui log viewer from systray to open a terminal emulator.
host xdg-desktop-por[1655]: Failed to load RealtimeKit property: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.RealtimeKit1 was not provided by any .service files
* Same as above.
xdg-desktop-por[1655]: Failed connect to PipeWire: Couldn't create PipeWire context
* https://forums.whonix.org/t/systemcheck-messages-in-qubes-whonix-18/22339
* Aaron: Fixed for most in place, still outstanding issues:
** DBUS_SESSION_BUS_ADDRESS issue is a Qubes bug: https://github.com/QubesOS/qubes-issues/issues/10384
** Still unsure what's causing the /tmp/user/1000 issue, see https://forums.whonix.org/t/systemcheck-messages-in-qubes-whonix-18/22339/5

== trixie-port - screen briefly unlocked after wake from suspend ==
* LXQt unfortunately puts the system into suspend before locking the screen. However, this does not occur on Arch Linux. Debug and determine whether Debian needs a patch or our configuration needs to change.
** Aaron: Debugged, discovered how to reproduce the bug on Arch, created a bug report with some analysis: https://github.com/lxqt/liblxqt/issues/371

== calamares - keyboard layout setting broken in Wayland ==
* todo
* please set up for
** CLI user
** CLI sysmaint
** GUI user
** GUI sysmaint
* Aaron: Moving the systemd-localed keyboard layout set disable file out of the way does not result in labwc picking up the keyboard layout settings from Calamares. Will need to create a shellprocess module or similar to hack this into working right.
* Aaron: Implemented, changes pushed to helper-scripts, user-sysmaint-split, lxqt-wayland-session, and live-config-dist. All four scenarios now work as expected.
** Patrick: Merged.
* Patrick: Is this reported upstream, so one day Debian, calamares will be fixed and can be used without XWayland?
** Aaron: Looked at Debian's systemd bug reports, did not find anything. Filed a report of my own against the systemd package (as that's the package that ships /usr/share/dbus-1/system.d/systemd-localed-read-only.conf). https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118702

== Qubes R4.3 bypass review ==
* https://github.com/QubesOS/qubes-issues/issues/10328
* are there more ways in which that can go wrong?
* realistic to fundamentally re-design this to avoid such kinds of issues?
** Aaron: NetVM authentication, to ensure the NetVM used by a particular qube provides the features and security/anonymity guarantees needed by that qube? May be vaguely related to the "qrexec to NetVM" task.
* https://github.com/QubesOS/qubes-issues/issues/6948
* https://github.com/QubesOS/qubes-issues/issues/3994
* Aaron: Looked at the relevant issues, I'm not entirely sure how the Salt issue is directly relevant, but I did look at it and will keep it in mind.
* Aaron: Sent an email with some ideas to the qubes-devel mailing list: https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05660.html
* Aaron: Feature request: https://github.com/QubesOS/qubes-issues/issues/10334
** Major feature request, will most likely need to wait until after the release of R4.3.

== trixie port - sdwdate permission issues ==
* qubes-public, Marek:
ok, I have real systemcheck results now, there are a couple issues found in sys-whonix, but overall nothing major IMO: https://openqa.qubes-os.org/tests/156993/file/whonixcheck-whonixcheck-sys-whonix.log
sdwdate[2269]: PermissionError: [Errno 13] Permission denied: '/var/lib/sdwdate/time-replay-protection-utc-unixtime'
* Aaron: Unable to reproduce. The file shown above is owned by sdwdate:sdwdate on my release-upgraded sys-whonix qube, AppArmor permits sdwdate to access it, and the error above does not show in the output of systemcheck --verbose --leak-tests.
* Aaron: Reproduced in Whonix-Gateway 18 template downloaded from Qubes community template repo. Somehow the entire /var/lib/sdwdate directory is owned by debian-tor:UNKNOWN (uid 108, gid 120).
** Fix created, pending review and merge: https://github.com/QubesOS/qubes-core-agent-linux/pull/615

== Qubes misc review ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/613
* https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25

== Qubes R4.2 default_dispvm bypass ==
* https://github.com/QubesOS/qubes-issues/issues/10328
** Aaron: Waiting on https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25 for this as I intend to backport this to R4.2 to solve this.

== kloak - handle dynamic keyboard layout changes ==
* when the user changes the keyboard layout in labwc, kloak's keyboard layout configuration does not change to match
* Aaron: Discovered this is a bug in labwc, reported: https://github.com/labwc/labwc/issues/3113
** Waiting on upstream's response. For now, we should document that one must restart kloak with Right Shift + Escape to make a keyboard layout change take effect.

== apt solver bug - pulling in incorrect alternative dependencies ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113744
* Obtain requested debugging information and attach to ticket
* Aaron: Added new information to ticket, waiting on response.

== trixie port - update derivative signing key derivative.asc ==
* plan how to use a new signing key
** Aaron: Where all do we use the signing key? It's used to sign:
*** apt packages
*** git commits
*** git tags
*** OS images
*** Warrant canaries?
**** These are signed by OpenBSD's signify tool, not GPG, thus their key migration does not necessarily have to be bound to derivative.gpg's rotation.
*** anything else?
** apt package migration:
*** Due to how apt packages work, it is probably best to do this during release upgrade. Ship a new version of the key in legacy-dist in Bookworm only, install it during the release upgrade procedure and ensure all packages that are ever a part of the trixie repositories are signed with the new key.
** git commit/tag migration:
*** The key expires, so there isn't a risk of it being used to sign newer packages after expiration. Just start signing commits with the new key and let expiration handle everything else.
*** Add the new key to the list of trusted keys in derivative-maker so that people can still build older tags/commits if they need to.
** OS image migration:
*** Just start using the new key to sign OS images. Announce the key change publicly (i.e. on the forums) so users expect to need to update their key. Sign the new key with the old key so that users with high security requirements can transition from one key to the next without having to re-establish trust in the key.
** Canary migration, if needed:
*** Can we just start signing canaries with the new key? Or do we need to put the canaries in a different location and stop updating the old ones?
* Patrick:
** The plan might be good enough.
** I might just extend the validity of the signing key and postpone this plan.
* Patrick:
** Key has been extended.
* Aaron:
** Moved to WAITING ON for now, we should move this back to TODO once we're ready to do the actual key rotation.

== investigate Tor Browser metadata signing and expiration ==
* in context of: https://github.com/QubesOS/qubes-issues/issues/9983#issuecomment-3028994433
* Tor Browser does not appear to sign metadata. Even metadata used by Tor Browser's internal updater might be relying on unsigned metadata.
* Important to explain: Not only signed metadata is required; fresh metadata is also required. Therefore periodic re-signing is required.
* Compare with Firefox: Does Firefox's internal updater even have this feature? If Firefox has it, making the argument for Tor Browser to enable it might be much easier. If not, it might be better to request this feature from Mozilla as well.
* goal of this ticket: The only goal of this ticket is to post feature requests / bug reports on Tor Project (and Mozilla issue tracker if applicable) and to properly communicate this.
* non-goal: implementation
* info:
** Tor Browser uses json files: https://aus1.torproject.org/torbrowser/update_3/release/download-linux-x86_64.json
** Firefox uses xml as per https://firefox-source-docs.mozilla.org/toolkit/mozapps/update/docs/InAppUpdateProcess.html
* draft:
'''Rollback Attacks Definition:''' The Update Framework (TUF) defines `rollback attacks` [x]

> An attacker presents files to a software update system that are older than those the client has already seen. With no way to tell it is an obsolete version that may contain vulnerabilities, the user installs the software. Later on, the vulnerabilities can be exploited by attackers.

'''Rollback Attack Protection and Valid-Until Field:''' Rollback attacks attempt to trick the updater into applying an outdated (and potentially vulnerable) version of the software. One widely recommended mitigation against rollback attacks is using a "Valid-Until" field or equivalent freshness period in the signed metadata, after which a given update should no longer be accepted. Firefox's internal updater does not publicly mention using a "Valid-Until" field (or explicit expiration on update metadata) to guarantee update freshness or safeguard against replay/rollback attacks in the same way as systems like The Update Framework (TUF) or Debian's APT.

'''Non-solutions:''' TLS might mitigate this attack, but higher security than what TLS can offer should be provided in case of TLS or server compromise.

'''Solution:''' Server side: Sign, and automatically periodically re-sign, update metadata. Client side: Accept only metadata signed up to a certain age.

'''Resources:''' Mozilla has blogged about rollback attacks in the past. [x]

[x] https://theupdateframework.io/docs/security/
[x] https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/
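The "sign and periodically re-sign on the server, accept only fresh metadata on the client" scheme from the draft, as an added example that is not Tor Browser's, Mozilla's or TUF's code. The metadata record is constructed after the fields that matter in Tor Browser's download-*.json, and an HMAC under a constructed key stands in for the publisher's real asymmetric signature; the expiry window, clock-skew allowance and field names are assumptions of this example.

```python
"""Added example, not Tor Browser's or Mozilla's code: signed update metadata with an
expiry ("Valid-Until") that the publisher re-signs periodically, and a client check
that rejects unsigned, expired or rolled-back metadata. An HMAC with a constructed key
stands in for the publisher's asymmetric signature; the freshness logic is the point."""
import hashlib
import hmac
import json

PUBLISHER_KEY = b"constructed-demo-signing-key"   # stand-in for the publisher's signing key
MAX_AGE_SECONDS = 7 * 24 * 3600   # constructed validity window after each (re-)signing
CLOCK_SKEW_SECONDS = 5 * 60       # tolerate a server clock slightly ahead of the client


def canonical(signed: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(metadata: dict, signed_at: int, key: bytes = PUBLISHER_KEY) -> dict:
    """Server side: stamp signing time and expiry into the signed body, then sign it.
    Running this again later with a fresh signed_at is the periodic re-signing step."""
    signed = dict(metadata, signed_at=signed_at, expires=signed_at + MAX_AGE_SECONDS)
    tag = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": tag}


def version_key(version: str) -> tuple:
    """Order versions such as "14.5.3" numerically, component by component."""
    return tuple(int(part) for part in version.split("."))


def check_metadata(envelope: dict, now: int, last_seen_version: str,
                   key: bytes = PUBLISHER_KEY) -> str:
    """Client side. Returns "ok" or the first failing check:
    "bad-signature", "expired", "future-dated" or "rollback"."""
    signed = envelope.get("signed", {})
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("signature", "")):
        return "bad-signature"            # unsigned, or any signed field was tampered with
    if now > signed["expires"]:
        return "expired"                  # stale metadata, e.g. an old copy replayed later
    if signed["signed_at"] > now + CLOCK_SKEW_SECONDS:
        return "future-dated"             # signed "in the future": reject rather than guess
    if version_key(signed["version"]) < version_key(last_seen_version):
        return "rollback"                 # older than what this client has already seen
    return "ok"


# Constructed sample, shaped after the Tor Browser download-*.json fields used here.
SAMPLE_METADATA = {
    "version": "14.5.3",
    "binary": "https://example.invalid/tor-browser-linux-x86_64-14.5.3.tar.xz",
    "sha256": "0" * 64,   # placeholder digest, not a real artifact hash
}
```

A still-valid signature over stale metadata is exactly the replay case the draft describes: the "expired" result is what forces the publisher to keep re-signing, and the "rollback" result covers an attacker who serves an older, correctly signed and still unexpired record.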
* Aaron: Filed issue against Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44039 Also requested a Tor Project GitLab account, which I now have.
** I did not file a report against Mozilla Firefox, because their update mechanism involves automatically generated XML created by a backend server, whereas The Tor Project's update metadata seems to be static and not nearly as complicated.

== grml-debootstrap bootloader installation failure in Docker ==
* https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
* please use discretion on how worthwhile it is to spend time on this. As in, if you think it's doable without huge effort and you like Docker, please implement. Otherwise, please only provide instructions for reproduction and leave it to upstream or tabletseeker to fix.
** Aaron: Ran into complications trying to fix this myself, handed off to tabletseeker for further investigation.

== RPi GRUB - contribute to Debian ==
* Start a discussion and contribute to https://raspi.debian.net/ if accepted by upstream.
* This and the above ticket might result in implementation feedback, such as for options in config.txt.
* Combined this and the debian-arm notification ticket into a single email.
* https://lists.debian.org/debian-arm/2025/04/msg00012.html
* Found:
** https://salsa.debian.org/raspi-team
** Seems active as per: https://salsa.debian.org/raspi-team/image-specs/-/issues/74
** https://salsa.debian.org/raspi-team/image-specs/-/issues
*** Please consider posting a feature request there for RPi GRUB support, if that is sensible. Draft:
add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]

Booting in this way has several substantial advantages over the current Raspberry Pi boot process:

* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.

Is this a feature for which you would welcome a merge request here, either as an option or even as the default?

Obviously, at this point, RPi GRUB support could only be added to Forky and later.

(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)

* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335
* Aaron: Filed issue upstream using template: [https://salsa.debian.org/raspi-team/image-specs/-/issues/78 Support U-Boot + grub-efi boot flow]
** Also filed a bug report against raspi-firmware: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102607 Add support for U-Boot + grub-arm64-efi boot flow]

== RPi grml-debootstrap ==
* https://github.com/grml/grml-debootstrap/issues/114
* Draft PR at https://github.com/grml/grml-debootstrap/pull/335, needs more testing and work
* Tested and polished PR and marked it as ready for review.
* Added question about future support for U-Boot + grub-efi-arm64.

== grml-debootstrap - EFI partition size ==
* https://github.com/grml/grml-debootstrap/issues/221
* zeha currently does not want to implement this until systemd-boot "happens" (I'm guessing this means until it is supported by grml-debootstrap).

== GRUB - Debian packages grub-pc and grub-efi co-install-ability ==
* please submit a patch to Debian to make grub-pc and grub-efi co-installable
* [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
* Submitted and awaiting review: [https://salsa.debian.org/grub-team/grub/-/merge_requests/76#note_590495 Remove ucf conffile conflict between grub-pc and grub-efi-{amd64,ia32}]
* Unfortunately this is not going to be able to make it into Trixie; it will have to wait for Forky before it makes it into Debian Stable.

== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
* Sent email to grub-devel mailing list to investigate this

== ISO - memtest86+ ==
error: bad shim signature
* Fixable?
* Apparently requires a security review: [https://github.com/rhboot/shim-review/issues/314 Meta: Signing memtest86+ v6.10]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375 memtest86+: fails to work with Secure Boot enabled]
* Asked about what contributions would allow this to move forward on the debian-efi mailing list: [https://lists.debian.org/debian-efi/2024/12/msg00021.html Memtest86+ Secure Boot signing]

== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930

== ISO - changed files issues ==
(annotated)
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.

== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.

== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370

== live-build - use APT with error-on-any ==
* use option apt --error-on=any for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
* Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.

== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
* Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.

== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as a Debian Live ISO)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
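For the "live-build - use APT with error-on-any" item above: the failure mode being guarded against is a partial <code>apt-get update</code>, where the main repository answers but the security repository does not, and apt only warns and continues, so the image builds against stale security metadata. The following is an added example and not live-build or Kicksecure project code. It does in post-processing what <code>--error-on=any</code> does inside apt: any unreachable source is treated as fatal. The sample output is constructed for this example, modelled on apt's <code>Hit:</code>/<code>Get:</code>/<code>Err:</code> progress lines and <code>W:</code> warnings; the names of the functions and the <code>required_suites</code> parameter are this example's own.

```python
"""Detect partial `apt-get update` failures (main repo reachable, security
repo not), the inconsistent-image case a build must refuse to continue from.

Added example, not live-build or Kicksecure project code. The sample output
below is constructed, modelled on apt's progress lines and warnings.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: deb.debian.org reachable, security.debian.org not.
SAMPLE_OUTPUT = """\
Hit:1 http://deb.debian.org/debian trixie InRelease
Get:2 http://deb.debian.org/debian trixie-updates InRelease [55.4 kB]
Err:3 http://security.debian.org/debian-security trixie-security InRelease
  Temporary failure resolving 'security.debian.org'
Fetched 55.4 kB in 1s (40.2 kB/s)
Reading package lists...
W: Failed to fetch http://security.debian.org/debian-security/dists/trixie-security/InRelease  Temporary failure resolving 'security.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
"""

# Anchored progress lines: "Hit:1 <url> <suite> InRelease", "Err:3 <url> <suite> ..."
_PROGRESS = re.compile(r"^(?P<state>Hit|Get|Err):\d+\s+(?P<url>\S+)\s+(?P<suite>\S+)")


@dataclass(frozen=True)
class UpdateResult:
    fetched: tuple[str, ...]  # "<url> <suite>" sources that were reached
    failed: tuple[str, ...]   # "<url> <suite>" sources that errored


def parse_update_output(output: str) -> UpdateResult:
    """Collect reached and failed sources from apt-get update's progress lines.

    Only the anchored Hit/Get/Err lines are used; the indented reason line
    and the trailing W: summary repeat what the Err: line already says.
    """
    fetched, failed = [], []
    for line in output.splitlines():
        m = _PROGRESS.match(line)
        if not m:
            continue
        entry = f"{m['url']} {m['suite']}"
        (failed if m["state"] == "Err" else fetched).append(entry)
    return UpdateResult(tuple(fetched), tuple(failed))


def update_is_consistent(output: str, required_suites: set[str]) -> bool:
    """True only if nothing errored AND every required suite was actually seen.

    The second condition catches the quieter failure: the security suite is
    missing from sources.list altogether, so apt has nothing to fail on.
    """
    result = parse_update_output(output)
    seen = {entry.split()[1] for entry in result.fetched}
    return not result.failed and required_suites <= seen


if __name__ == "__main__":
    r = parse_update_output(SAMPLE_OUTPUT)
    print("failed sources:", r.failed)
    print("consistent:", update_is_consistent(SAMPLE_OUTPUT, {"trixie", "trixie-security"}))
```

In a build script, newer apt's own <code>apt-get update --error-on=any</code> (non-zero exit on any failed source) is the primary control; a check like the above is a second line of defence that also catches a security suite that was never configured, which <code>--error-on=any</code> cannot see.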
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.

== live-build - policy-rc.d handling ==
* https://salsa.debian.org/live-team/live-build/-/merge_requests/409

= REVIEW PLEASE =

== trixie-port - livecheck-lsblk.service broken in Qubes ==
* noticed only once in sys-whonix
Nov 11 03:56:11 host systemd[1]: Starting livecheck-lsblk.service - Obtains lsblk output for use by livecheck...
Nov 11 03:56:12 host livecheck-lsblk[654]: overwrite: ERROR: Error while writing file '/run/desktop-config-dist/livecheck-lsblk', and >
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Main process exited, code=exited, status=1/FAILURE
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Failed with result 'exit-code'.
Nov 11 03:56:12 host systemd[1]: Failed to start livecheck-lsblk.service - Obtains lsblk output for use by livecheck.
* https://github.com/Kicksecure/desktop-config-dist/blob/master/usr/lib/systemd/system/livecheck-lsblk.service probably needs to wait for systemd-tmpfiles
** Aaron: Implemented in desktop-config-dist.
* Patrick: Merged.

== trixie-port - reconsider non-Qubes RAM settings ==
* rads RAM threshold?
* non-Qubes minimum RAM for CLI? 512 insufficient nowadays?
** Aaron: Should be sufficient now that we have swapfile issues solved.

== trixie-port - login broken in cli ==
* sysmaint session
* 512 MB RAM
* login as sysmaint success
* message "You are using the sysmaint account. This account has sudoers capabilities." visible but then system frozen
* only reproducible at first login, maybe not reproducible
* Aaron: RAM issue, encrypted swapfiles as made by swap-file-creator work on Bookworm but are broken on Trixie.
** unencrypted: works
** encrypted by virtue of being on a LUKS-encrypted partition: works
** file on an unencrypted filesystem which is then itself encrypted and device-mapper mounted, then used as a swapfile: broken, machine hangs as if memory is exhausted while gigabytes of swap remain
** Reported bug to LKML: https://lore.kernel.org/lkml/20251111231835.1232ad8f@kf-m2g5/T/#u
** Adjusted swap-file-creator to use unencrypted swapfiles, but only allow creating swapfiles on systems with LUKS FDE. Commits pushed to swap-file-creator.

== qubes memory issues ==
* https://forums.whonix.org/t/increased-memory-usage/22092/12
* sdwdate_gui_client.py: please port to asyncio - not trixie branch
** Aaron: Initial porting attempt, needs more testing but seems to work initially: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/sdwdate-gui-client-asyncio
** Patrick: Merged.
* Several more possibly memory-related issues reported:
** https://github.com/qubesos/qubes-issues/issues/10349
** https://github.com/QubesOS/qubes-core-admin/pull/748#issuecomment-3489978459
** alimj reported OOM crashes in the qubes-public Matrix room
* Commits pushed to security-misc, developer-meta-files, and kicksecure-meta-packages to disable USBGuard on Whonix always, and on Kicksecure when there is no USB controller.
* Patrick: Merged.
* -----
* Patrick: asyncio also merged.
* Patrick: Please review, merge (only the bug fix - not the test script) - https://github.com/assisted-by-ai/sdwdate-gui/pull/1
** Aaron: Merged, did substantial refactoring and fixed an uncaught bug in the process (inconsistent handling of config file parsing)
* Patrick: Please increase Qubes default memory, if applicable.
** Aaron: Per Qubes OS's current wishes, attempting to avoid this if possible. If memory is still an issue after merging the new sdwdate-gui code, will request a memory limit bump.
* Patrick: bug: chokes on gateway=sys-whonix - without quotes. Some users will use it that way because that is how it was documented in the past. I added code to legacy-dist. Please review.
** Aaron: Left comments in chat.
*** Will move migration code to sdwdate-gui postinst script.
**** This is now done, commits pushed to legacy-dist and sdwdate-gui.
* Patrick: please review https://github.com/assisted-by-ai/sdwdate-gui/pull/2
** Aaron: Merged.

== login security check bug ==
* sys-whonix
INFO: user-sysmaint-split session detection result: SYSMAINT Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Locked (Present)       Disabled      |
| user     | Absent                 Disabled      |
| sysmaint | Absent                 Enabled       |
+----------+--------------------------------------+
* anon-whonix
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Restricted (Absent)    Disabled      |
| user     | Locked (Absent)        Enabled       | [Locked (Absent) - green color]
| sysmaint | Locked (Absent)        Enabled       | [Locked (Absent) - orange color]
+----------+--------------------------------------+
* Kicksecure Qubes
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
[INFO] [systemcheck] Kicksecure Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Restricted (Absent)    Disabled      |
| user     | Absent                 Enabled       |
| sysmaint | Locked (Absent)        Enabled       |
+----------+--------------------------------------+
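The three tables above disagree on how the same account is described ("Locked (Absent)" vs. "Absent" for user) and on which passwordless accounts are dangerous. As an added example, not code from systemcheck or security-misc, the following derives the Password column directly from the shadow(5) password field and applies the literal reading of the design rule in this section (refuse passwordless accounts that are root or members of group sudo, root, or sysmaint). It models only what /etc/shadow itself encodes; the "Restricted" state shown for root is not derivable from that field and is left out. The shadow and group lines are constructed, and the function names and the <code>privileged_groups</code> parameter are this example's own. With the literal rule, a passwordless <code>user</code> that is in group sudo is reported, which is exactly the false positive the item below describes for Kicksecure; the fix pushed to security-misc is not on this page, so the group set is left as a parameter rather than guessed.

```python
"""Derive the "Password" column of the login security table from shadow(5)
data and flag passwordless accounts with privileged group membership.

Added example, not systemcheck or security-misc code. Shadow and group
lines are constructed, not copied from a real system.
"""
from __future__ import annotations

# Groups named in the design rule; root is privileged by name, not by group.
PRIVILEGED_GROUPS = frozenset({"sudo", "root", "sysmaint"})

# Constructed sample: root locked with hash kept, user passwordless and in
# group sudo, sysmaint locked without a hash, nobody a system account.
SAMPLE_SHADOW = """\
root:!$y$j9T$saltsaltsaltsalt$hashhashhashhashhashhashhashhashhashhashhas:19000:0:99999:7:::
user::19000:0:99999:7:::
sysmaint:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:user
sysmaint:x:1001:sysmaint
"""


def classify_password(field: str) -> str:
    """Map one shadow password field to the table's vocabulary.

    ''          -> 'Absent'            no password at all (passwordless login)
    '!', '*'    -> 'Locked (Absent)'   locked, nothing usable behind the lock
    '!<hash>'   -> 'Locked (Present)'  locked, original hash kept (passwd -l)
    '<hash>'    -> 'Present'           ordinary password-protected account
    """
    if field == "":
        return "Absent"
    if field in ("!", "*", "!!", "!*"):
        return "Locked (Absent)"
    if field[0] in "!*":
        return "Locked (Present)"
    return "Present"


def parse_shadow(text: str) -> dict[str, str]:
    """Return {user: password_field} from shadow-format lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":", 2)[:2]
            out[name] = field
    return out


def parse_group(text: str) -> dict[str, set[str]]:
    """Return {group: supplementary members} from group-format lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            out[name] = {m for m in members.split(",") if m}
    return out


def password_column(shadow_text: str) -> dict[str, str]:
    """The per-user Password column as the table prints it."""
    return {u: classify_password(f) for u, f in parse_shadow(shadow_text).items()}


def sensitive_passwordless(shadow_text: str, group_text: str,
                           privileged_groups: frozenset[str] = PRIVILEGED_GROUPS) -> list[str]:
    """Accounts with no password at all that are root or in a privileged group.

    Literal reading of "prevent logging into accounts that are passwordless
    and members of group sudo, root, or sysmaint". A locked account ('!...')
    is not passwordless: the lock blocks password authentication outright,
    so it is never reported here, whatever groups it belongs to.
    """
    groups = parse_group(group_text)
    hits = []
    for user, field in parse_shadow(shadow_text).items():
        if classify_password(field) != "Absent":
            continue
        in_priv_group = any(user in groups.get(g, ()) for g in privileged_groups)
        if user == "root" or in_priv_group:
            hits.append(user)
    return sorted(hits)


if __name__ == "__main__":
    for user, state in password_column(SAMPLE_SHADOW).items():
        print(f"{user:10} {state}")
    print("sensitive passwordless:", sensitive_passwordless(SAMPLE_SHADOW, SAMPLE_GROUP))
```

Run against real files as <code>sensitive_passwordless(open("/etc/shadow").read(), open("/etc/group").read())</code> (needs root to read shadow). Whether a sudo-group member whose sudo is blocked by user-sysmaint-split should count as privileged is the open question behind the false positive; dropping <code>sudo</code> from <code>privileged_groups</code> shows the difference.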
* bug: user | Locked (Absent) versus user | Absent?
* bug: why do some Locked (Absent) entries get green color and others orange?
* bug: why are some accounts locked while others are not?
* new design
* refuse screen lock because the password is locked
* refuse logout because the password is locked
* when booted in user mode:
** prevent logging into accounts that are passwordless and members of group sudo, root, or sysmaint
** prevent logging into account sysmaint
* when booted in sysmaint session:
** prevent logging into any accounts other than sysmaint
* stop locking account sysmaint in user sessions since we now rely on a PAM module
* remove special handling of account sysmaint in login security table of systemcheck
* Aaron: Implemented, commits pushed to security-misc, user-sysmaint-split, and systemcheck.
* Patrick: bug:
** Kicksecure, 512 MB RAM, user session:
*** can no longer login. Account false-positive detected as sensitive passwordless account.
*** Perhaps because account user is a member of group sudo?
**** Aaron: Fixed, commit pushed to security-misc.

== trixie-port - default desktop icons ==
* Network: Seems useless. Please remove.
** Aaron: Removed, commits pushed to kicksecure-base-files, anon-gw-base-files, and anon-ws-base-files.

== trixie-port - environment variable VISUAL missing ==
* usability-misc
/etc/profile.d/50_default_editor.sh /etc/zprofile.d/50_default_editor.zsh
/etc/profile.d/50_default_editor.sh /etc/X11/Xsession.d/50_default_editor
* in non-Qubes, Wayland: env | grep VISUAL
* also other environment variables set through profile.d/ zprofile.d, Xsession.d mechanism might be missing
* Aaron: Issue was caused by a check for "$XDG_SESSION_TYPE" = "tty". Removed that conditional, now it works. (greetd appears to run the session start script in a TTY.)
** Did not find any other missing variables in /etc/profile.d that were being missed except for safe-rm's addition of its own path to $PATH (this file is not symlinked to /etc/zprofile.d so this is likely expected).
** Fixed 50_default_editor.sh, commit pushed to usability-misc.

== trixie-port - vm-config-dist - install on ISO by default ==
* vm-config-dist has vbox-guest-installer and wlr-resize-watcher, which both can be/are highly useful inside virtualbox
* Do you see anything that makes vm-config-dist incompatible with installed on the host operating system or inside Qubes?
* investigate /etc/dracut.conf.d/30-vm-config-dist.conf and if it seems safe for rm_conffile removal
* Please modify, if sane, to make it compatible with the host / Qubes. I.e. implement no-ops, if needed.
* Install by default everywhere non-Qubes, Qubes and host, if sane.
* Aaron: Next steps:
** Need to change the `shared` bookmark so it is saved in a system-wide location and only created on VMs.
** Keep wlr-resize-watcher from running on physical hardware
** OK to comment out power management disabling and VBox guest additions installation in the postinst?
* Aaron: Done, commits pushed to vm-config-dist.
* Patrick: Ready to be installed by default on the ISO? If yes, please add.
** Aaron: Done, commits pushed to developer-meta-files and kicksecure-meta-packages.

== trixie-port - failed to mount /tmp ==
* seen in persistent mode user, briefly, during shutdown
* cosmetic issue only
* avoidable?
* Aaron: VBoxDRMClient bug. Report filed: https://github.com/VirtualBox/virtualbox/issues/375
** Possible security risks in /tmp remaining mounted during shutdown? Perhaps if shutdown hangs while /tmp is mounted, valuable data might be left in-memory that an attacker could access, but we have emerg-shutdown to deal with most situations where this would be a concern.
** As a stop-gap, we could use a service in usability-misc to kill VBoxDRMClient during shutdown if we want to ensure /tmp is properly unmounted.
*** Patrick: Please implement in security-misc? Seems security related. As a stop-gap until ensure-shutdown gets default and (more) reliable.
**** Aaron: Done, commits pushed to security-misc and user-sysmaint-split.

== comment on pdf reader and other packages suggestions ==
* https://forums.whonix.org/t/choosing-qt-wayland-compatible-software-for-lxqt/22332/9
* Read through, commented.

== trixie-port - sgdisk ==
* VirtualBox 7.24
* Kicksecure LXQt 18.0.5.8
* Can these warnings be fixed?
sudo sgdisk -v /dev/sda
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may
result in problems with some disk encryption tools.

No problems found. 2021 free sectors (1010.5 KiB) available in 2
segments, the largest of which is 2014 (1007.0 KiB) in size.
* Aaron: May be difficult to fix. grml-debootstrap uses parted for partition creation, and according to parted, partition 3 is optimally aligned. I find it somewhat unlikely grml-debootstrap would want to port to sgdisk.
** Sent an email to the GPT fdisk mailing list to see if there's a good way to fix the discrepancy between the behavior of GPT fdisk and Parted. https://sourceforge.net/p/gptfdisk/mailman/message/59257231/

== trixie port - hibernation ==
* something has to be done about hibernation. even if deciding we're against it. then updating the wiki and removing the hibernation button (or breaking it).
* Create forum thread to determine demand before investing effort.
** Forum post: https://forums.kicksecure.com/t/support-for-hibernation/1349

== usbguard - test in Qubes ==
* Does usbguard and usbguard-notifier work for you in Qubes?
* Aaron: Mostly; notifications were not working because qubes-notification-agent and listing USB devices using the usbguard CLI was not working because list permissions were not present. Fixed both with pushes to developer-meta-files, kicksecure-meta-packages, and security-misc.
* Aaron: usbguard-notifier allows users to ad-hoc allow and deny USB devices when they are attached. Should we allow the qubes and sudo groups to have modify permissions in usbguard as well to allow this to work?
** https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49
** Patrick: Added modify permissions.

= ARCHIVED =

== trixie-port - fix shutdown slowdown bug ==
* todo
* slower since fixing unmount of /tmp?
* Aaron: Unable to reproduce. Timing measurements from screen recordings (all times and timestamps are measured in 1/30 of a second):
                                     start   end    end minus start
before upgrade - bootup            : 335  -> 736  | 401
before upgrade - shutdown          : 914  -> 1156 | 242
after upgrade - bootup             : 323  -> 728  | 405
after upgrade - shutdown           : 869  -> 1058 | 189
before upgrade - sysmaint bootup   : 247  -> 746  | 499
before upgrade - sysmaint shutdown : 1377 -> 1621 | 244
after upgrade  - sysmaint bootup   : 215  -> 616  | 401
after upgrade  - sysmaint shutdown : 1195 -> 1410 | 215
* If slow shutdown is noticed again, will re-measure and compare to these values.

== stardict - investigate ==
* debian policy applicable?
* https://www.kicksecure.com/wiki/Dev/Debian#startdict
* Sent email to Debian.
* https://lists.debian.org/debian-devel/2025/10/msg00175.html
** Aaron: Conversation seems to have run its course, package is likely no longer unsafe and can be left. However, if a similar issue reoccurs, this can be referenced.

== trixie-port - user-sysmaint-split - improve error handling ==
* now: when booting into sysmaint session and user-sysmaint-split fails, one actually boots into a user session
* expected: better error handling
* todo: when user-sysmaint-split fails (such as read-only file system, either due to a live-hardener bug or filesystem corruption, disk hardware issues):
** show an error, wait, reboot or poweroff?
** offer to open a recovery console? conflicts with no recovery console by default goal. so settings should be honored. a recovery console however or even booting into "user session" may be helpful for debugging.
** need to have some way to debug the system
* Aaron: Suggested action: Make sysmaint-boot.service print stdout and stderr to journal+console (so messages are seen by the user). If an error is encountered and trapped, pause for five seconds so they can see or screenshot the error. Ensure that the user does not get dropped to a sysmaint session with a full LXQt desktop, or a user session, prefer dropping them to a login screen as worst-case scenario.
** This should allow easy-ish debugging (switch to a TTY and log in as account sysmaint) assuming the sysmaint account was unlocked before sysmaint-boot.service crashed. It also avoids the possible security risks of logging in as a standard user while the sysmaint account is unlocked.
** Maybe also block logging into a full graphical user session when booted in sysmaint session, to encourage the use of a TTY instead?
** Suggestions implemented, commits pushed to user-sysmaint-split and desktop-config-dist.
* Patrick: Merged.

== trixie-port - kloak - disable red crosshair by default ==
* todo discuss
* Aaron: Done, commits pushed to kloak and lxqt-wayland-session.
* Patrick: Merged.

== live-hardener - skip overlay of non-overlayable filesystems ==
* todo
* Aaron: Added requested feature, also greatly improved regression test coverage, added better comments, and fixed some bugs with finding submounts.
* Patrick: Merged.
* Patrick: please review https://github.com/assisted-by-ai/grub-live/pull/1
** Aaron: Merged.

== security-misc /etc/systemd/system/ review ==
* Do /etc/systemd/system folder contents still make sense nowadays?
* https://github.com/Kicksecure/security-misc/tree/master/etc/systemd/system
** Aaron: In my opinion, yes. The contents of these files prevent a locked root account from denying access to emergency mode, which IMO is very useful so that someone with physical access to the machine and the disk passphrase (and bootloader password) can fix a broken system even if the root account is locked for security. I also think that these should remain in /etc as they are now, because that allows users who want to disable this behavior to do so easily.

== LXQt - ISO - move task bar to the top ==
* https://forums.kicksecure.com/t/make-the-taskbar-on-the-bottom-not-at-the-top/1338
* if sensible
* new images:
** VM images: Taskbar at the top by default. - keep as is
** ISO / hardware: Taskbar at the bottom by default. - new default
* existing images: No need to change the setting for existing users.
* Patrick: Not doing this for now. Could run a poll if this comes up again.

== Whonix-Starter - please fork on github and nothing ==
* https://github.com/Whonix/Whonix-Starter
* 1. please fork
* 2. done
* (this is just to be able to git fetch from github using dm-packaging-helper-script without errors, exceptions, the only not yet forked repository)
* 3. please move to archived when done
** Aaron: Repo was already forked. Made sure the master and work branches of all my repos were updated just in case that would help the issue.

== bookworm - disk lost after initial upgrade-nonroot ==
* occurs for users running Whonix KVM under Fedora, Manjaro
** Debugged, was only able to reproduce the issue once (using Manjaro KDE). Partition table was corrupted after first boot, the partition table field indicating the end of the partition had been changed to a larger value, but integrity checking info was not updated, thus Linux wasn't detecting any partitions on the device. Interestingly, in a later working VM, the same larger value was seen in the partition table, but there were no boot issues.
** The most likely culprit is systemd-repart.
** Unable to reproduce with Whonix 18 on Manjaro KDE. Documented possible workaround here: https://www.whonix.org/wiki/KVM#VM_disk_corruption_after_first_boot

== trixie-port - power saving ==
* todo: discuss
* Aaron: Discussion thread created: https://forums.kicksecure.com/t/power-management-for-physical-hardware-in-kicksecure-18/1344
* Patrick: Please report LXQt issue upstream
** Aaron: Done.
* Aaron: Implemented new power savings settings, commits pushed to desktop-config-dist and vm-config-dist.
* Patrick: Merged.

== trixie-port - livecheck - avoid multiple popups ==
* if pressing the livecheck button multiple times, and an active popup window is already open, don't open additional popups
** Aaron: Implemented in desktop-config-dist.
* Patrick: Merged.

== trixie-port - set-system-keymap ==
* bug: Whonix-Gateway - no user-sysmaint-split - sudo set-system-keymap de
* expected: runs labwc --reconfigure
* actual: does not run labwc --reconfigure
* todo: look at $SUDO_USER and run sudo --non-interactive -u $SUDO_USER labwc --reconfigure
* todo: run sudo --non-interactive -u $user_name_item labwc --reconfigure for all users?
* todo: set-system-keymap / set-console-keymap: run loadkeys to apply changes without reboot? (not possible)
* Aaron: Implemented, however this does not fully work due to a labwc bug: https://github.com/labwc/labwc/issues/3184
* Patrick: Merged.

== trixie-port - text encoding issues ==
* todo
* Aaron: Fixed for new VM image builds: https://github.com/ArrayBolt3/derivative-maker/commit/095d4dfadf57cfa291fd123c7320e559fc78b802
** Does not affect ISO builds.
** Patrick: Merged.
** Worth adding code to legacy-dist to fix this on upgrade for existing Kicksecure/Whonix 17 users?

== trixie port - sdwdate-gui icon under Qubes gets stuck in "broken" mode ==
* Steps to reproduce:
** Set anon-whonix NetVM to "none"
** Boot sys-whonix
** Boot anon-whonix
** Observe sdwdate-gui icon changes to a "broken" icon (this is intentional, as sdwdate in anon-whonix is broken due to the NetVM being "none")
** Shutdown anon-whonix
** Expected result: sdwdate-gui icon changes back to what it was previously
** Actual result: sdwdate-gui icon is stuck "broken"
* Fixed: https://github.com/ArrayBolt3/sdwdate-gui/commit/deffa5039800d1eac28d83ed5cb9dc7dc9cb1f19
* Patrick: Merged.

== trixie-port - sdwdate-gui-broken when sys-whonix is booted in sysmaint session ==
* bug: starts sdwdate-gui instead of sdwdate-gui-qubes?
* bug: /usr/libexec/sdwdate-gui/sdwdate-gui-qubes-proxy-helper is broken because UID 1000 is hardcoded
* this results in other App Qubes (such as anon-whonix) frequent sdwdate-gui systemd journal errors
* Aaron: Fixed, pushed commit to sdwdate-gui.
* Patrick: Merged.

== trixie-port - iso broken in Qubes ==
* could be related to above issue
* https://www.kicksecure.com/wiki/Qubes#HVM
* broken units:
** systemd-networkd-persistent-storage.service
** greetd-config-build.service
** live-mode-apparmor.service
** sdwdate-pre.service
** cold-boot-attack-defense-status
** tor@default.service
** usbguard.service
* Maybe just insufficient RAM? -> todo: fail more obvious, stop boot?
* failed units can mess up sysmaint session?
* Aaron: Reproduced with slightly different symptoms (had a VM crash during bootup once and boot into CLI mode another time), increasing RAM did appear to fix the issue. Could possibly use a oneshot unit very early in startup that would print a message to the TTY if RAM was below a certain "safe" threshold.
** Pushed a commit to rads that should result in a warning message and fallback to CLI-only mode if RAM is insufficient.
* same issue as trixie-port - live mode - sysmaint session - broken

== trixie-port - live mode - user session - broken ==
* many systemd units failing during boot
* could be related to above
* Aaron: Could not reproduce, tried multiple scenarios after discussion in chat.
* same issue as trixie-port - live mode - sysmaint session - broken

== trixie-port - live mode - sysmaint session - broken ==
* to debug, use "leaprun sudo" (as documented on https://www.kicksecure.com/wiki/Sysmaint#enable_sudo_access_in_USER_session)
* bug: boots into user session, presumably due to read-only file system
* bug: sudo touch /etc/testfile shows "read-only file system"
* bug: live-hardener: INFO: Non-zero exit code. - Should be ERROR or at least WARNING?
** Patrick: Fixed.
* bug: live-hardener detects grub-live-semi-persistent-unsafe but livecheck does not point that out
* bug: live-hardener attempts to remount /boot/efi but fails
* bug: live-hardener runs a mount code that has a non-zero exit code but yet live-hardener exits zero rather than non-zero
* Aaron: Could not reproduce, tried multiple scenarios after discussion in chat.
* Patrick: live-hardener log: removed since not caused by live-hardener.
* Patrick: Probably not caused by live-hardener. sudo systemctl mask live-hardener.service - did not solve the issue
* Patrick: Also not a VirtualBox green turtle issue as this was also resolved on my system.
* lots of overlayfs related issues: https://github.com/dracut-ng/dracut-ng/issues?q=overlayfs
* user session mode - persistent mode - no issue - for comparison only
mount
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4308)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
shared on /mnt/shared type vboxsf (rw,nodev,relatime)
* user session - live mode - broken read-only filesystem
/dev/sda3 on / type ext4 (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4451)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
* user session: same output for both, persistent mode and live mode
sudo sgdisk -v /dev/sda
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may
result in problems with some disk encryption tools.

No problems found. 2021 free sectors (1010.5 KiB) available in 2
segments, the largest of which is 2014 (1007.0 KiB) in size.
* Patrick: For debugging, removed error=remount-ro from /etc/fstab. No effect.
* Aaron: Issue spotted, your system is still using the Debian-specific module for mounting an overlayfs, and thus is looking for rootovl rather than rd.live.overlay.overlayfs=1.
* Patrick: Merged.

== trixie-port - sysmaint - lock screen - black screen ==
* probably minor bug: boot into sysmaint session -> lock screen -> black screen
** note: this bug was only observed prior to reboot. After reboot, screen locking was refused with a popup, as expected (because no password was set).
*** after setting a password and locking the screen, everything worked as expected.
* we might be able to ignore this bug since unreleased
* xtrace of /usr/libexec/user-sysmaint-split/sysmaint-session-wayland
** (ticket below for unrelated error messages found)
* Aaron: Cannot reproduce. Asked for more info in chat.
* Aaron: Possibly transient, symptoms did not match any screen locking utility in Kicksecure. Archiving for now.

== trixie port - possibly broken systemcheck disallowed-test ==
* Aaron saw the AppArmor "disallowed-test" fail in KVM. Investigate.
** Issue does not occur in a freshly built KVM VM. Archiving.

== trixie-port - user-sysmaint-split versus flatpak ==
* flatpak install flathub org.mozilla.firefox
* functional in user session
* also functional
** flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
** flatpak --user install flathub org.mozilla.firefox
* please investigate security impact
* Aaron: Users were indeed able to install applications system-wide, so that account user could install an app in a location where account sysmaint could run it later.
** Added a commit to security-misc to lock down Flatpak's polkit controls, requiring authorization for most things. Installing software with flatpak install --user is still functional as account user even with user-sysmaint-split installed.
* Patrick: Does it belong in security-misc or user-sysmaint-split?
** Aaron: security-misc seems preferable. Might prevent deployment of a system-wide malicious flatpak.
* Patrick: Please update debian/control and readme.
** Aaron: Updated README.md. debian/control didn't look like it had anything that needed updating.
* Patrick: Merged.

== trixie-port - kloak - compilation warning ==
In file included from src/kloak.c:47:
src/xdg-output-protocol.h: In function 'zxdg_output_v1_add_listener':
src/xdg-output-protocol.h:347:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  347 |                                      (void (**)(void)) listener, data);
      |                                      ^
In file included from src/kloak.c:48:
src/wlr-layer-shell.h: In function 'zwlr_layer_surface_v1_add_listener':
src/wlr-layer-shell.h:434:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  434 |                                      (void (**)(void)) listener, data);
      |                                      ^
make[1]
* Aaron: Warnings are in headers autogenerated by wayland-scanner. The way in which the code is used that leads to these warnings appears to be correct use of the Wayland protocols and libraries, thus this should be safe to ignore.
* Patrick: Merged.

== trixie-port - qubes update ==
* privleap systemctl workaround
* no stream isolation warnings injected by uwt
** Aaron: Both done, new commits in uwt.
* Patrick: Merged.

== mediawiki-shell review and merge ==
* https://github.com/Kicksecure/mediawiki-shell/pull/1
* please review, merge and commit any fixes on top if any new bugs were introduced or obvious bugs spotted
* branch: trixie (primarily used internally)
** Aaron: Reviewed, fixed many small issues, pushed to my fork of mediawiki-shell. Code is untested as of yet, can come back to test this if/when desirable.
* Patrick: Merged.

== trixie-port - /etc/profile.d environment variables missing ==
* Kicksecure 18, ISO with vm-config-dist installed
* /etc/profile.d/20_software_rendering_in_vms.sh - script executes correctly if executed using sh -x /etc/profile.d/20_software_rendering_in_vms.sh
* when typing env | grep -i QML the environment variable is missing under Wayland
* Aaron: Found bug, glxinfo is not directly compatible with Wayland and can be misleading when using Xwayland.
** Fix, switch to eglinfo: https://github.com/ArrayBolt3/vm-config-dist/commit/36aa33c0e64a9a73a83db4753ee4005af5007ceb
* Patrick: Merged.

== tor-control-panel - anon-connection-wizard - review contributions ==
* please discuss, review
* https://forums.whonix.org/t/tor-controller-gui-tor-control-panel/5444/99
** Aaron: Briefly reviewed, commented. This looks like it increases code duplication, which is undesirable.

== trixie port - dom0 updates over Whonix-Gateway ==
* downloads failing because curl proxy is not set
* Fix in progress: https://github.com/QubesOS/qubes-core-agent-linux/pull/614
** Merged, test locally.
** Seems to work in testing. Will keep sys-whonix as the dom0 update proxy for a few more days to see what happens.
* Patrick: Please document. https://www.whonix.org/wiki/Qubes/UpdatesProxy
** Aaron: Added documentation, did some more testing of the dom0 update system to ensure it actually was working.
* Patrick: If possible, please revert upstream in Qubes and implement a uwt wrapper for dnf that injects the required option.
** https://github.com/QubesOS/qubes-core-agent-linux/pull/614#issuecomment-3449884150
*** Aaron: Done, pushed commits to uwt, helper-scripts, and qubes-whonix. The new code works both with and without the Qubes-side proxy argument injection in place, so migration should be smooth.
* Patrick: Merged.

== trixie port - sysmaint - sys-whonix - missing systemd units ==
* Please check if any systemd units are missing in sysmaint.target.
sudo systemctl list-units --all | grep "loaded    inactive dead"
* Aaron: Compared the units running in a user session with the units running in a sysmaint session, rather than using --all; this approach should be more accurate.
** Added some missing units to user-sysmaint-split (sysmaint-boot.service).
** Also sent an email to Qubes to see if we should just blanket whitelist all qubes units going forward (this should be done with automation of some sort most likely to avoid units introduced in the future ending up missed). https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05673.html

== trixie-port - qubes-bind-dirs bug ==
* a user has privately shared a log where /var/lib/sdwdate/time-replay-protection-utc-unixtime was not writeable by sdwdate
* /usr/lib/tmpfiles.d/sdwdate.conf looks fine
* therefore this is a qubes-bind-dirs issue?
* https://github.com/QubesOS/qubes-issues/issues/8466
** if possible during R4.3 RC. Otherwise priority can be lowered.
** otherwise, a non-ideal workaround for all bind-dirs:
## https://github.com/QubesOS/qubes-issues/issues/8466
ExecStartPre=chown --recursive canary:canary /var/lib/canary
* Aaron: Issue already known, fix is at https://github.com/QubesOS/qubes-core-agent-linux/pull/615 but is pending merge by Qubes. Link to PR already in WAITING ON.

== trixie-port - lock-screen improvements ==
* move from /usr/libexec/helper-scripts/lock-screen to /usr/bin/lock-screen since it might be useful to lock the screen using the command line
* bug: unhandled swaylock issues. If swaylock exits non-zero, there would currently be no error popup. (Theoretical issue only at this time.)
* disable screen lock by default inside VMs, if sane?
** Versus security on servers with wayland installed?
** Versus vm-config-dist? (Which says it disables screen locks for VMs but does not yet for Wayland.)
* use a different background image that simply states "screen lock" all over the place?
* use a swaylock theme?
** https://github.com/dracula/swaylock/blob/main/swaylock/config
** looks better: https://github.com/dracula/swaylock/blob/main/screenshot.png
** no need for a different background image, but the style, the clock might help the user to identify that this is a screen locker
* there is not really a swaylock alternative where the password prompt is more obvious? (was discussed before, I think)
* automatically lock screen in sysmaint session. Currently does not seem to happen.
* Aaron: All implemented in appropriate packages (anon-gw-base-files, anon-ws-base-files, desktop-config-dist, helper-scripts, kicksecure-base-files, sysmaint-panel, user-sysmaint-split, vm-config-dist)
* Patrick: Merged.

== trixie port - multiple wayland sessions or wayland session restarts ==
* excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
* steps to reproduce:
** 1) from a virtual console.
** 2) while a wayland session is already running
** 3) sudo systemctl restart greetd
* Multiple sessions? Not important. Most important is to handle or fail better:
** The usual thing would be to kill the old session and start a new one?
** If not, can we fail with a better error message?
* Aaron: Implemented the "kill the old session and start a new one" solution. Commits pushed to user-sysmaint-split, helper-scripts, and kloak (since code from kloak ended up being reused in user-sysmaint-split and was split into a new library in helper-scripts).
* Patrick: Merged.

== trixie port - backlight-tool ==
* excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
** I did not use backlight-tool because testing inside a VM
** yet, journal will probably pick up an issue such as the following
/usr/bin/backlight-tool-dist-agent: ERROR: Cannot read target file!
* bug: backlight-tool shows errors inside VMs where it is expected that there is no backlight kernel driver
* question:
** related to calc_bl_brightness=$(( (bl_max_brightness * bl_pct) / 100 )) || true (split by Patrick into two lines)
** action: bash -x usr/bin/backlight-tool-dist-agent set 100
*** result: overwrite /home/user/.config/backlight-tool-dist-last-bright-pct 50
*** always "50" is written to that file
* some changes by Patrick. Please review.
** Aaron: Reviewed, made some string changes and added a better info message when no saved brightness value is present for restoring.
* Patrick: Merged.

== trixie-port - vm-config-dist - disable power savings by default in wayland ==
* needed?
* Aaron: Done as part of disabling screen locking in VMs on Wayland.

== trixie-port - don't offer on-screen keyboard in sysmaint-panel on Qubes ==
* The on-screen keyboard button does nothing under Qubes because Wayland is not in use. Even if Wayland was in use, this would be confusing.
** Hid this and the system keymap button under Qubes OS at the same time.
* Patrick: Merged.

== trixie-port - apparmor-info - fix ==
* bug: apparmor-info is no longer functional on trixie. It fails to show denied (or any) apparmor messages.
* Aaron: Fixed, commits pushed to security-misc and helper-scripts.
** '''WARNING:''' apparmor-info and apparmor-watch moved from helper-scripts to security-misc, thus please add to security-misc Breaks/Replaces against helper-scripts versions older than the next uploaded version.
*** Patrick: Merged, reverted to avoid breaks, replaced. Instead added the journal auditd socket activation to usability-misc.

== trixie-port - system keymap script improvements #2 ==
* separate set-console-keymap
** Aaron: Implemented in helper-scripts.
* sysmaint-panel: do not show keymap change in Qubes
** Aaron: Implemented. Notes about UI design left in chat.
* Patrick: Merged.

== automate detection of new tor and tor-browser versions ==
* We currently ship Tor in the Kicksecure repository, taking packages from deb.torproject.org for this.
* We also hardcode a Tor Browser version number in tb-updater.
* Create scripts for finding the latest versions of Tor and Tor Browser, and taking the necessary actions to update them
## developer-meta-files
/usr/bin/dm-virtualbox-update-local-and-wiki-links
make_cross_build_platform_list="i386 amd64 arm64" ./build-steps.d/*_create-debian-packages --flavor internal --target root --function download_tpo_packages
./build-steps.d/*_create-debian-packages --flavor internal --target virtualbox --function download_packages_from_debian_sid
* Aaron: Implemented Tor package update script as dm-tor-update-repository, added wrapper in dm-packaging-helper-script.
* Aaron: Tor Browser version updater is already implemented as pkg_tor_browser_version_update in dm-packaging-helper-script.
* Aaron: Unsure where to add master wrapper to update Tor, Tor Browser, and VirtualBox all at once. Perhaps create a new shell script, dm-update-third-party-software-references or similar?
* Patrick: Merged.
* Patrick: dm-maintenance created

== trixie-port - default screen resolution ==
* vm-config-dist: debian/control
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml` TODO: This
 may no longer be the case with Wayland.
* please re-implement for Wayland, if sane.
* Aaron: Doing this exactly as described may be hard on Wayland, because there is no location where the display configuration is saved any longer, it is always generated dynamically and must be fixed manually by the user if desired. However, what we can do is set the resolution of all displays to 1920x1080 if the appropriate hypervisor helpers (VBoxDRMClient, spice-vdagentd) are not active when wlr_resize_helper launches.
** Implemented this in vm-config-dist.
* Patrick: Merged.

== trixie port - forcing reinstallation of alternative /usr/libexec/user-sysmaint-split/policy-rc.d because link group policy-rc.d is broken ==
* bug?
Setting up systemcheck (3:43.6-1) ...
warn: The user `canary' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `systemd-journal'.
Processing triggers for qubes-core-agent (4.3.34-1+deb13u1) ...
Setting up user-sysmaint-split (3:9.1-1) ...
update-alternatives: warning: forcing reinstallation of alternative /usr/libexec/user-sysmaint-split/policy-rc.d because link group policy-rc.d is broken
Synchronizing state of openvpn.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable openvpn
Generating grub configuration file ...
Found theme: /boot/grub/themes/kicksecure/theme.txt
Adding boot menu entry for UEFI Firmware Settings ...
done
Setting up security-misc-desktop (3:48.8-1) ...
* Aaron: Qubes OS bug, fix submitted: https://github.com/QubesOS/qubes-builder-debian/pull/95

== trixie port - remove volume widget from Whonix-Gateway sysmaint panel ==
* Waybar is showing an empty volume widget on Whonix-Gateway
* Move config files to remove this.
** Likely need to handle migration of the files from desktop-config-dist to the appropriate base-files packages to prevent breaking Qubes OS R4.3 rc3. See qubes-public Matrix room for context.
** Done, commits pushed to kicksecure-base-files, anon-ws-base-files, anon-gw-base-files, and desktop-config-dist for this.
*** '''WARNING:''' After desktop-config-dist's version is bumped, all three *-base-files packages MUST have a Breaks/Replaces against desktop-config-dist (<< LATEST_VERSION) added.
* Patrick: Note to self:
myfind . | grep base-files | grep --invert-match dist-base-files | grep --invert-match whonix-base-files | grep control
./whonix/anon-gw-base-files/debian/control
./whonix/anon-ws-base-files/debian/control
./kicksecure/kicksecure-base-files/debian/control
* Patrick: Done.
* Patrick: Please check if functional on your side. If so, please move to archived.
** Aaron: Upgrades worked, however due to an oversight the volume widget in Whonix-Gateway wasn't fully removed. Pushed a commit to anon-gw-base-files to fix.
** Also noticed a preinst script header was missing in usability-misc, and pushed a commit to fix that too.
* Patrick: Merged.

== trixie port - virtualbox / kvm - dynamic resolution resizing with labwc ==
* Automatic display resizing is no longer working under VirtualBox with Wayland. It actually does work, but it requires the user to manually set the resolution to the "native" resolution after every window resize.
* Possible solutions listed for discussion at https://github.com/labwc/labwc/discussions/3109
* Discussion ongoing, currently waiting on upstream to reply. I might attempt to do further development work on this if we consider it a priority.
* Discussed with Patrick, we should probably solve this ourselves via a daemon that watches udev messages, as not having this feature may result in serious usability issues with VirtualBox.
* Discovered that a missing binary, VBoxDRMClient, was needed to even try to implement resize support. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968390#15
** Found and tested a fix, sent it to the VirtualBox Debian maintainers. Awaiting a response from them. I can still work on implementing the resizing code in the meantime.
*** This was accepted in Debian.
* Implemented the helper tools for actually changing the display resolution.
** vm-config-dist: https://github.com/ArrayBolt3/vm-config-dist/commit/bbc2633fe329229465ac7ab87bc08eef0e01e6a3
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/abc9f58a0d8e800a3a2b3754b3243ce94dad9c0d
* Patrick: Merged.
* Patrick: Tested in VirtualBox. Working great!
* Patrick: TODO: Please error out if vbox drm client is missing or fails.
** Aaron: Implemented, along with similar code for KVM: https://github.com/ArrayBolt3/vm-config-dist/commit/166a3e13a2ad1369265aed7f23e3a7ae21cdea89
*** Patrick: Merged.
*** Patrick: Maybe better not to exit non-zero in that case and keep running? Because there is no (systemd) supervisor to restart the script.
*** Patrick: Before: Forgiving in case dependencies are missing but installed later.
*** Patrick: Now: Non-forgiving, more brittle?
**** Aaron: Fixed, pushed a new commit to vm-config-dist for this.
*** TODO: Start wlr-resize-watcher as a systemd user unit, if sensible. Would be useful if the process gets randomly killed (some sort of user space OOM management).
**** Aaron: Undesirable, as this would prevent wlr-randr from finding the appropriate Wayland compositor. Having the session start the process makes sure the right WAYLAND_DISPLAY variable is set, which means wlr-randr should always access the correct compositor.

== Qubes Kicksecure - sdwdate-gui qrexec denied messages ==
* Qubes R4.3
* 1) Kicksecure 17 Template installed
* 2) qubes-core-admin-addon-kicksecure installed
* 3) release-upgraded to Kicksecure 18
* 4) created App Qube based on Kicksecure Template
* bug: sdwdate-gui qrexec denied messages
* debugging information:
** running "sudo qvm-features-request kicksecure=1" shows nothing in dom0 journal (I would expect that to show something)
** running in dom0 "qvm-features kicksecure-17 | grep kicksecure" shows that qvm-feature "kicksecure" is missing
* Aaron: Reproduced, but the issue can be fixed by doing the following:
** Ensure qubes-core-admin-addon-kicksecure is installed in dom0, if it isn't, install it (sudo qubes-dom0-update --action=install qubes-core-admin-addon-kicksecure) and then restart qubesd (sudo systemctl restart qubesd)
*** Patrick: Qubes bug? sudo systemctl restart qubesd should be automated? Perhaps the postinst script can do that?
** Boot the upgraded Kicksecure 18 qube
** Run cd /etc/qubes/post-install.d; for i in *.sh; do source $i; done
** Reboot dom0 or restart qubesd again
* Aaron: Why are the post-install.d scripts not being properly called after a release upgrade? Shouldn't apt do this for us? We could probably work around this issue by making release-upgrade source all scripts in post-install.d after the upgrade.
*** Patrick: Please report at Qubes to find a solution for this, if still an issue.
*** Patrick: Possible to add some echo informational debug output so we can see what is run?
** Aaron: After another test, I believe these scripts are being run. Most likely the reason I ran into this issue was because I failed to restart qubesd or dom0 before running the release upgrade. After reinstalling Kicksecure 17 again and upgrading it to Kicksecure 18 again, the feature is properly set and a new AppVM based on the template is able to connect to sys-whonix's sdwdate_gui_server.
**** Patrick: Probably same solution as above: Automate restart of qubesdb?
* Aaron: What's a good way to inform users that they need to install qubes-core-admin-addon-kicksecure and reboot before installing Kicksecure templates?
** Patrick: No idea. Could you discuss at Qubes please? I guess also applies to qubes-core-admin-addon-whonix to a lesser degree. Meanwhile, please document.
* Patrick: Can qubes-core-admin-addon-kicksecure be made functional if installed too late (after Kicksecure Template installation)?
** Aaron: Qubes OS R4.3 will have qubes-core-admin-addon-kicksecure preinstalled, so this likely won't happen to anyone using the final release. Sourcing all scripts in /etc/qubes/post-install.d will resolve the issue if it somehow shows up in the wild.
* Aaron: Anything left to do here? Our last conversation on Matrix ended with the conclusion that we could not re-evaluate the in-vm post-install.d scripts when dom0's qubes-core-admin-addon-kicksecure was installed or updated, but I'm not sure if we came to a conclusion about what to do with this, if anything. Maybe just document that users can do something like export LC_ALL=C; cd /etc/qubes/post-install.d; for i in *.sh; do source "$i"; done if necessary?
** Patrick: Please document.
*** Aaron: Documented at https://www.kicksecure.com/wiki/Qubes#Known_Issues.
** Patrick: Please discuss upstream if restarting qubesdb is a possibility.
*** Aaron: Created thread on qubes-devel: https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05669.html

== trixie-port - system keymap script improvements ==
* more changes were added by Patrick
* 1) always show a success message such as the following even if run manually (currently only in interactive mode)
** Aaron: Implemented in helper-scripts.
  printf '%s\n' "$0: INFO: Keyboard layout change successful." >&2
* 2) port live-config-dist to set-all-keymap, if sensible
** Aaron: Implemented in helper-scripts and live-config-dist.
* 3) sysmaint-panel: add an option to start set-all-keymap
** Aaron: Implemented in sysmaint-panel.
* Patrick: Merged.

== systemcheck - garbage configuration should result in non-zero exit code ==
* bug: systemcheck with garbage configuration file does not error out
* reported by Marek in qubes-public
* Aaron: Fixed: https://github.com/ArrayBolt3/systemcheck/commit/91f272912d5e35939298c0d075dd711b9597fd03
* Patrick: Merged.

== trixie port - Kicksecure template build failure due to firmware-nonfreedom ==
* https://github.com/QubesOS/updates-status/issues/6127
* Aaron: Fix: https://github.com/ArrayBolt3/qubes-template-kicksecure/commit/1008e40ce5f82cab25703ea942603e70e4054bdf
* Patrick: Merged.

== trixie-port - Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy ==
Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy
* Patrick: Is this a known Qubes bug?
* Marek in qubes-public: This is related to whonix replacing qubes.UpdatesProxy service. Those options are valid only for socket based service, but whonix replaces it with a script. I'd recommend replacing service config too to avoid the warnings
* Aaron: Should be fixed by https://github.com/ArrayBolt3/qubes-whonix/commit/a8dfbfb3acd5ef5c506ea3b52132fac2be3239ed
* Patrick: Merged.

== install fewer firmware-nonfreedom packages by default in Qubes ==
* install firmware-nonfreedom by default in Qubes. Done by Patrick.
* purpose: useful for sys-net (non-free wifi controller)
* we might want a smaller collection of packages to save disk space since for example microcode is irrelevant? can we rely on a Qubes package for the non-free firmware package selection?
* Aaron: Qubes does not appear to have a package we can use for this.
* Aaron: Split packages containing networking firmware (wireless or wired) from firmware-nonfreedom into firmware-nonfreedom-network, and switched kicksecure-qubes-cli to use firmware-nonfreedom-network. Commits in developer-meta-files, kicksecure-meta-packages.
* Patrick: Merged.

== rename sdwdate.ConnectCheck to sdwdate-gui.ConnectCheck etc ==
* we might have sdwdate.ConnectCheck issues from time to time. this implies broken sdwdate while actually only sdwdate-gui is broken.
* if still possible and sane, please rename.
** Aaron: Asked for permission to do the rename: https://github.com/QubesOS/qubes-issues/issues/10346#issue-3547291374 Permission was granted.
*** Qubes-side PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/26
*** sdwdate-gui commit: https://github.com/ArrayBolt3/sdwdate-gui/commit/2dc019a1e6967d55ca8a8cfd8e24a35e269bab10
* Patrick: Merged.

== trixie port - Whonix Qubes template issues ==
* reported by Marek on Matrix:
** "in Whonix 18 workstation, opening "file manager" via domains widget opens "Catfish", not "pcmanfm-qt". Looks like some default apps are not set correctly (qubes calls xdg-open $HOME, which should open default app for inode/directory type)."
** "something doesn't work with pcmanfm-qt actions - I see only "QubesOS Edit in DisposableVM" action, not any of copy/move, or view in disposable; on top of that, looks like file names are swapped (action for viewing in dispvm is in file named edit, and action for editing is in file named open); and I have no idea where the "QubesOS" prefix comes from"
*** Aaron: Fixed, required changes both on our side and on the Qubes side:
**** usability-misc: https://github.com/ArrayBolt3/usability-misc/commit/0a8c2d7d97345d78aa7cd58199b5b67925ab93cf
**** qubes-gui-agent-linux: https://github.com/QubesOS/qubes-gui-agent-linux/pull/246
*** Aaron: Fixed:
**** kicksecure-meta-packages https://github.com/ArrayBolt3/kicksecure-meta-packages/commit/ab29e2a064404b7462dca7e3956712e86799e30f
**** developer-meta-files: https://github.com/ArrayBolt3/developer-meta-files/commit/36056e1856cd37b2f57b573a029dfa427f23f41c
* Patrick: Merged.
* Aaron: Still working on the Qubes PR.
** Merged.

== kloak - Qubes OS input anonymization flicker bug ==
* https://github.com/QubesOS/qubes-issues/issues/10286
* Fix submitted: https://github.com/QubesOS/qubes-gui-daemon/pull/172
** Merged.

== trixie-port - browser-choice - do not Depends on tb-updater ==
* should be installed only on demand
* this is to avoid Kicksecure Qubes Templates downloading Tor Browser
* Patrick: Implemented. Needs to be tested.
** Aaron: Notes shared in chat.
* Patrick: Simple solution. Install tb-updater and tb-starter only. Instruct user to run Tor Browser Downloader in user session.
** Aaron: Implemented, commits pushed to browser-choice.
* Patrick: Merged.

== ipv6 sleep 10 improvements ==
* as discussed
* skip sleep when IPv6 is disabled in kernel
* event-based if possible
* re-check every 0.1 - 1 second
* commentary why this is necessary
* Aaron: Pushed commits to anon-gw-anonymizer-config, reimplementing tor-wait-for-network in Python for speed and ease of working with files, and adding the requested functionality.
* Patrick: Merged.

== trixie-port - port Whonix-Gateway to privleap ==
* currently broken: anon connection wizard, tor control panel
* Aaron: Pushed new commits to anon-connection-wizard and tor-control-panel to fix issues in both. Untested (yet).
* Patrick: Merged.

== trixie port - sysmaint session occasional black screen ==
* Environment: Kicksecure 17 upgraded to Kicksecure 18
* After some period of inactivity in the sysmaint session, the screen goes black
* A mouse click or keypress is enough to make it come back
* XScreenSaver is the likely culprit, find a way to disable on Wayland sessions
** Aaron: Added code to legacy-dist to remove xscreensaver on upgrades. https://github.com/ArrayBolt3/legacy-dist/commit/7f91838b8878ded1f45479d4d9ecc7b01414c454
* Patrick: Merged.

== trixie-port - keyboard layout change usability improvements ==
* user story: I am a VM user and in a user session, CLI. How do I change my keymap? "sudo loadkeys de"? Doesn't work. No sudo.
* todo:
** refuse running set-labwc-keymap as root
** set-console-keymap: CLI tool that can be used to configure the virtual terminal
** set-multi-keymap: CLI tool that can set the keymap for the currently logged-in account (most likely user), sysmaint and root. It should be a wrapper around set-console-keymap and set-labwc-keymap. A tool that sets the keymap for all places relevant to the user.
*** sysmaint GUI: set-labwc-keymap --persist keymap
*** user GUI: sudo --non-interactive -u user set-labwc-keymap --no-reload --persist keymap
*** sysmaint CLI: set-console-keymap de
*** user CLI: sudo --non-interactive -u user set-console-keymap de
** not sure about --non-interactive
* Aaron: Implementation ended up being via two wrapper scripts, set-labwc-keymap and set-system-keymap, the former of which configures labwc for the current user, the latter of which configures labwc and the console for all users (with labwc settings being overridable by user-specific settings). The main reason for this is that there is no user-specific console keyboard layout, only a system-wide one. Both scripts wrap a library, set-keyboard-layout.sh. Changes pushed to helper-scripts.
** Test plan completed, some fixes made during testing.
* Patrick: Merged.

== trixie port - greetd only provides one chance to log in ==
* Aaron: if wrong username or password is provided, wlgreet exits and does not restart, user is left at a black screen
** Fixed: https://github.com/ArrayBolt3/desktop-config-dist/commit/490b6833915f95ae66ce72c02aca6df23e9d13f2
* Patrick: Merged.

== trixie-port - desktop environment broken after release upgrade ==
* Kicksecure Xfce 17.4.4.6 (for VirtualBox)
* sudo apt update && sudo apt dist-upgrade
* sudo release upgrade
* reboot
* bug: desktop environment no longer starting
* debugging:
** in sysmaint session, CLI:
systemctl is-enabled greetd
disabled
sudo journalctl --boot -u sysmaint-boot
...
INFO: Wayland session: 'no'
...
* in sysmaint-boot we can probably safely change the default from sysmaint_session_wayland='no' to sysmaint_session_wayland='yes'. Done.
** Aaron: Reviewed, looks good.
* file /etc/greetd/config.toml.d/30_desktop-config-dist.conf looks messed up. Something has apparently removed all newlines. sudo debsums -ce shows that the file has been modified. This is unexpected.
** Aaron: autologinchange bug, fixed by https://github.com/ArrayBolt3/helper-scripts/commit/1e7fc0e26cb761189f744cd1ca3b2491d46d6135
* Aaron: greetd being disabled is likely the result of lightdm being enabled at installation time. Should be fixed by https://github.com/ArrayBolt3/legacy-dist/commit/2ced60ca2f41f310a70e0af5b88202c432b78cb3
* Patrick: Merged.

== trixie port - display brightness ==
* https://forums.kicksecure.com/t/display-brightness/1271/2
* Aaron: See notes in chat.
* Previous plan: wrap pkexec and the backlight helper in lxqt to insert a validating shim, allowing safe(r) access to the backlight subsystem
** Problem: this will probably interact poorly with user-sysmaint-split unless we place the pkexec wrapper in helper-scripts, and the pkexec wrapper may be too invasive to put in helper-scripts.
* Current plan: create a dedicated backlight management utility in Python, integrate with LXQt's config system, hide the existing (broken) backlight config, integrate with brightness keyboard shortcuts in labwc
* Aaron: Implemented:
** desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/commit/673dd505ddfc2683c56fabcc9b35801f3a5926c6
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/36aa0d32b93f3332d232fbe898ef11073dd32669
* Patrick: Merged.

== curl dns ticket reply ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/614
** I thought my reply was productive. But apparently not. Please discuss, comment.
*** Aaron: Can't comment, discussion has been locked to limited collaborators there. However I don't see anything non-productive about the comment at https://github.com/curl/curl/discussions/11125#discussioncomment-7498491. If a Tor developer went out of their way to say the library shouldn't block onion resolution, and they do anyway because a Tor spec supposedly says they should, that's a strange decision and one they arguably shouldn't have made. Not sure much else can be done there other than work around the issue as we do now.

== misc review ==
* https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3345059129 - opinion?
** Aaron: Reviewed, did some testing and commented.
* https://github.com/Kicksecure/security-misc/pull/323
** Aaron: Reviewed, looks good, merged and fixed.
* https://github.com/Kicksecure/security-misc/pull/322
** Aaron: Reviewed, looks good, merged and fixed.
* https://github.com/KSPP/kspp.github.io/issues/9
** Aaron: Replied.
* https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25
** Aaron: Reviewed and left change suggestions.
* https://github.com/QubesOS/qubes-core-agent-linux/pull/613
** Aaron: Left some notes.
*** Patrick: Please re-review as changes have been applied.
* Aaron: Also reviewed, left notes on https://github.com/Kicksecure/security-misc/issues/328

== qubes - kernel boot mode for Template shows user session instead of sysmaint session ==
* todo
* Aaron: Cannot reproduce.
** Freshly installed Kicksecure 17 template:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Kicksecure 17 to Kicksecure 18:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** Freshly installed Whonix-Workstation 17 template:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Whonix-Workstation 17 to Whonix-Workstation 18:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** Freshly installed Whonix-Gateway 17 template:
*** Boot mode: PERSISTENT Mode - USER Session
**** Expected, since Whonix-Gateway does not have user-sysmaint-split installed on it.
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Whonix-Gateway 17 to Whonix-Gateway 18:
*** Boot mode: PERSISTENT Mode - USER Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** AppVMs for both Kicksecure 18 and Whonix-(Workstation/Gateway) 18 have the correct "PERSISTENT Mode - USER Session" boot mode
* Patrick: Whonix-Gateway - without user-sysmaint-split - shouldn't show PERSISTENT Mode - USER Session since not applicable?
* Aaron: After threat model discussion, choosing to install user-sysmaint-split in Whonix-Gateway.
** See chat notes, fixing a UX issue requires some files to move in a way that will either require a painful migration process or require Whonix 18 and Kicksecure 18 systems to be rebuilt/reinstalled/repaired by the end user. Would suggest the latter, as Kicksecure/Whonix 18 doesn't have even testing releases out yet.
*** Patrick: Confusion fixed by installing user-sysmaint-split by default.

== systemcheck - dependencies version check broken ==
[INFO] [systemcheck] kicksecure-dependencies-cli: Could not detect derivative kicksecure-dependencies-cli version. (Code: 2) Please report this bug!
* Fix should be added to usr/libexec/systemcheck/preparation.bsh:
   # Detect which derivative this is from its marker file and select the
   # matching dependencies metapackage whose version systemcheck reports.
   # If no marker matches, derivative_deb_package_name stays unset and the
   # caller must treat that as "could not detect derivative".
   if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
      derivative_deb_package_name="whonix-gateway-packages-dependencies-cli"
   elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
      derivative_deb_package_name="whonix-workstation-packages-dependencies-cli"
   elif [ -f "/usr/share/kicksecure/marker" ]; then
      derivative_deb_package_name="kicksecure-dependencies-cli"
   fi
* Patrick: Fixed.

== Qubes Kicksecure Template - unrestricted session - requires sudo password bug ==
* Qubes Kicksecure 18 Template
* unrestricted session
* bug: asks for sudo password
* perhaps run: passwordless-root
* Aaron: Reproduced issue. Fix: https://github.com/ArrayBolt3/user-sysmaint-split/commit/acdf596affe8c40232863a83f19f4101607600c9
** This fix is insufficient on its own because passwordless-root is persistent even in AppVMs. Need to make it ephemeral in AppVMs by default, persistent only if explicitly requested.
*** Done, commits pushed to helper-scripts and usability-misc. '''NOTE:''' This includes moving passwordless-root from usability-misc to helper-scripts (done to avoid needing to add usability-misc as a dependency of user-sysmaint-split), so this will require the Breaks/Replaces in helper-scripts to be bumped.
*** Patrick: Merged.

== install extrepo-offline-data by default ==
* todo
* Patrick: Done.

== repository-dist-wizard gui broken in Qubes R4.3 ==
* input by keyboard functional
* input by mouse clicks broken
* if not easily reproducible then please ignore
* Aaron: Reproduced, I can select the "No..." radio button with the mouse, but not the "Yes..." radio button.
** Moving the radio button group box down so that it isn't partially overlapped by the text above resolves the problem.
** Short-term solution, move the box down.
** Long-term solution, this should be using layouts so that the window can be resized freely and overlap bugs of this sort don't occur. This will also make the wizard compatible with non-default Qt themes which may have differently sized elements.
** Implemented long-term solution: https://github.com/ArrayBolt3/repository-dist/commit/9c9feff070470b4494520c8a5d16699f6185a04c Tested on Whonix-Gateway, works.
*** Patrick: Merged.

== trixie port - Qubes R4.3 Templates ==
* Kicksecure, Whonix: Please bump Qubes R4.3 upstream to Kicksecure, Whonix 18
* Aaron: Waiting on input on upgrade plan.
* https://github.com/QubesOS/qubes-issues/issues/10253
* Aaron: Marek seems to be doing this so far. Will watch and assist where possible.
** This appears to have been completed.

== /etc/apt/sources.list.d/debian.sources not readable by user, only readable by root ==
* is this intended?
* Aaron: Not intended. I'm unable to reproduce this issue though - neither a fresh ISO installation of Kicksecure nor Whonix-Gateway or Whonix-Workstation VirtualBox VMs have this issue. Also not seeing this issue in a Whonix-Gateway 18 sys-whonix on Qubes R4.3.
** I believe I've seen this issue occur in the past, but haven't seen it in a while. I'm happy to build new VM images and check them for this issue if desirable.
** Patrick: No longer reproducible.

== sysmaint-panel - sysmaint session - add display settings shortcut ==
* add open display settings
* rationale: When booting for the first time and into sysmaint session inside a VM, the display is too big.
* Aaron: Implemented in sysmaint-panel. Also pushed commits to developer-meta-files and kicksecure-meta-packages for adding kanshi.
** Patrick: Merged.

== ISO - virtualbox guest additions missing ==
* virtualbox guest additions missing on the Kicksecure ISO
** Aaron: Fixed: https://github.com/ArrayBolt3/derivative-maker/commit/c0d7bf7a24483d5984142b8c274f1b66597935c1
*** Patrick: Merged.

== browser-choice - better notification when action such as installation is complete ==
* todo
* once there is an exit code of zero or non-zero, show a passive popup? change window color? animation?
* Aaron: Implemented in browser-choice. Also found and fixed an unrelated bug with dist-virtual-keyboard in helper-scripts.
** Decided to use a notify-send popup because that will work in both sysmaint and user sessions and has a good chance of getting the user's attention even if the browser-choice window is hiding behind another window or is minimized. Considered using QWindow::alert but this would probably have not worked in a sysmaint session.
*** Patrick: Merged.

== volume setting in sysmaint systray ==
* usability bug: when hovering over the volume icon in the sysmaint session, its color gets darker, which implies it is clickable, but it is not clickable
* Aaron: Fixed with a commit to desktop-config-dist.
** Patrick: Merged.

== sysmaint - restart of greetd allows login into regular desktop session ==
* sudo systemctl restart greetd
* login as sysmaint
* bug: expected: sysmaint session. actual: normal desktop session
* Aaron: Fixed this and a bunch of related issues that popped up when the sysmaint session had autologin disabled. Changes pushed to helper-scripts, user-sysmaint-split, and desktop-config-dist.
** Patrick: Merged.

== browser-choice - brave installation broken ==
* Kicksecure 17 release upgraded to Kicksecure 18
+ pkexec bash -c -- 'extrepo enable brave_release && apt-get update && apt-get-noninteractive --no-install-recommends --yes install brave-browser'
500 Can't connect to extrepo-team.pages.debian.net:443 (Temporary failure in name resolution) at /usr/share/perl5/Debian/ExtRepo/Data.pm line 34.
Could not download index YAML file:

Done, but operation failed!
* to fix, add env var: https_proxy=http://127.0.0.1:8082/
* Aaron: Should be fixed by https://github.com/ArrayBolt3/browser-choice/commit/83e33a2f604ffc8e670914dd8b09e74c55fdff9f
** Patrick: Merged.

== Qubes Kicksecure Template Upgrade in R4.3 ==
* todo
* Aaron: Cannot reproduce issues mentioned in chat. Successfully updated Kicksecure, Whonix-Gateway, and Whonix-Workstation 17 to 18 on Qubes R4.3 with no special configuration changes required.

== systemcheck - split log parsing code ==
* https://github.com/Kicksecure/security-misc/issues/253#issuecomment-3379301931
* Aaron: Implemented: https://github.com/ArrayBolt3/systemcheck/commit/b1ed7254e51423466efcdee07c8fad9839818e73
** Patrick: Merged.

== setxkbmap replacement tool for wayland ==
* "setxkbmap de" used to be handy.
* implement
* add to helper-scripts
* Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/commit/41ae1e120672b94351a4c3889181bb9be2991eb0
** Patrick: Merged.

== calamares - language setup ==
* please set up for
** CLI user
** CLI sysmaint
** GUI user
** GUI sysmaint
* Aaron: Setting a non-English language in Calamares already sets the language for all of these scenarios in the installed system. Tested by doing an ISO installation of Kicksecure 18 with the language set to Spanish (Mexico). Spanish-translated strings were visible in all four session types. Admittedly, many strings were not translated, but that is likely simply a case of missing translations.

== trixie port - qubes-core-agent-pcmanfm-qt ==
* Aaron: Qubes templates are still referencing Xfce components, Xfce won't be installed anymore
* PRs:
** https://github.com/QubesOS/qubes-core-agent-linux/pull/608
** https://github.com/QubesOS/qubes-app-linux-img-converter/pull/24
** https://github.com/QubesOS/qubes-app-linux-pdf-converter/pull/36
* Filed, passes CI, works on my Qubes machine. Awaiting review from upstream.
** Reviewed, merged upstream.

== kloak - systemd ordering cycle ==
* host: trixie (non-Kicksecure)
 [SKIP} kloak.service to stop ordering cycle loop
graphical.target: Found ordering cycle on multi-user.target/start
graphical.target: Found dependency on kloak.service/start
graphical.target: Found dependency on graphical.target/start
graphical.target: Job kloak.service/start deleted to break ordering cycle starting with graphical.target/start
* wild guess: related to removal of symlinks?
* no more information available. Will hopefully be posted in the forums.
* Aaron: Cannot reproduce on Debian 13 with GNOME Desktop, using the pre-v2 version of kloak. User may have added a configuration rule that attempted to require kloak to start before multi-user.service. Waiting on more info.
* https://forums.whonix.org/t/kloak-latest-update-is-broken/22244

== ESP - EFI system partition versus dracut generic ==
* we're now using /etc/dracut.conf.d/30-dist-base-files.conf
compress="xz"
hostonly="yes"
hostonly_mode="sloppy"
* Should we therefore increase the size of the ESP?
* grml
** https://github.com/grml/grml-debootstrap/issues/221
* calamares
* Aaron: No changes needed to EFI partition size, dracut initramfs files are stored in /boot, not /boot/efi.
** As discussed, boot partition doesn't need to be larger, it's 4 GB with Calamares and is integrated into the root partition on VM images.
** grml-debootstrap is not interested in increasing the EFI partition size at this time, so I don't believe there's any reason to do this.
* Patrick: Should have said /boot partition.
** VMs: We are not using a separate /boot partition.
** Host: [https://www.phoronix.com/news/Fedora-43-Bigger-Boot-Firmware Fedora increased /boot to 2 GB] We're already using 4 GB for /boot when installing using calamares.
** This issue does not exist.

== bindp - compilation warning - _GNU_SOURCE redefined ==
Setting up bindp (3:4.2-1) ...
/usr/lib/bindp.c:48:9: warning: "_GNU_SOURCE" redefined
   48 | #define _GNU_SOURCE
      |         ^~~~~~~~~~~
* : note: this is the location of the previous definition
** Aaron: This is because we have the compilation of bindp being done via a direct gcc call in the postinst. This is wrong, we should be using the Makefile in the postinst to build the library at runtime but without having to duplicate code in two locations. Will adjust postinst as appropriate to resolve this.
** Aaron: Fixed: https://github.com/ArrayBolt3/bindp/commit/c0592d2e284c7a0a6e825279c5ace87bb9a1f566
* Patrick: Merged.

== install an onscreen keyboard by default ==
* todo
* purpose: configuring a keyboard layout when one does not know how to enter a special character such as "=" with the local keyboard
* related: [[Software#On-Screen_Keyboard|On-Screen Keyboard]]
* Aaron: Done, new commits pushed to developer-meta-files, kicksecure-meta-packages, and usability-misc for this.
* Patrick: Merged.

== trixie port - Whonix update failure if sys-whonix isn't already running ==
* https://github.com/QubesOS/qubes-issues/issues/4096 has come back
* Probably related to delaying Tor's startup to accommodate IPv6 changes
* Possible ways of fixing the issue listed at https://github.com/QubesOS/qubes-issues/issues/4096#issuecomment-3383779544.
* Marek suggested a good fix, which works in testing. Implementation: https://github.com/ArrayBolt3/qubes-whonix/commit/34418e335c6ea8d09d018ebda871a2ead4f392c1

== change keyboard layout versus ISO ==
* currently, changing the keyboard layout requires a reboot, but that is a contradiction on the ISO, which cannot be rebooted
** Aaron: I don't think keyboard layout changes require a reboot - if kloak isn't running, they take effect immediately after running labwc --reconfigure (which is automatically done by the newly created set-labwc-keymap script). If kloak is running, they take effect after kloak is restarted (which can be done even from a user session with Right Shift + Escape).
** In the event a full compositor restart was needed to make a settings change take effect, logging out and logging back in would be sufficient to restart the compositor, even on the ISO.
* https://github.com/labwc/labwc/issues/1407
** Aaron: This bug appears fixed in Trixie.

== sysmaint-panel - new shortcuts ==
* add onscreen keyboard shortcut
* add open display settings or open lxqt settings shortcut
* Aaron: Implemented, pushed commits to usability-misc, helper-scripts, sysmaint-panel.
** LXQt settings button will only appear in non-sysmaint sessions, as it is not useful and possibly misleading in sysmaint sessions.
* Patrick: Merged.

== sdwdate-gui - add left click menu ==
* usability bug: currently left click on sdwdate-gui does nothing
** Aaron: Unfixable or at least extremely difficult to fix due to a combination of Wayland and Qt limitations.
** Qt does not expose any API for popping up the menu the way a right-click pops it up. The only way to pop up a menu on a left-click is by using one of the exec() or popup() functions on the menu itself, which causes them to appear as a window in the middle of the screen under Wayland rather than them appearing as a popup menu.
** Both Qt5 and Qt6 behave in the same way.
** ChatGPT recommended using Gtk to create the context menu instead. A quick test revealed that Gtk has similar issues as Qt in this regard. I did not discover how to get a left-click to be registered by Gtk, documentation appears to be sparse and ChatGPT was not able to offer a functional suggestion.
** I tried to see if it would be possible to use D-Bus to trigger the StatusNotifierItem associated with the QSystemTrayIcon to pop up a menu. The closest I was able to get to making this work simply popped up a window containing the menu in the middle of the screen.
** The removable media and sound application icons seem to be left-clickable, but these are LXQt Panel plugins, not system tray icons. I suspect that's why they work, in which case that isn't a suitable solution for us.
** It might be possible in the future to create an LXQt panel plugin for sdwdate_gui_server, but this would most likely require rewriting sdwdate_gui_server in C++, which I do not believe is practical at the moment.
** For now, probably best to live with the issue, and make the time synchronization monitor popup specify "Right-click for menu" rather than "Click for menu".
** Commit pushed to sdwdate-gui to change wording as described above.

== labwc environment default configuration file ==
* if file ~/.config/labwc/environment does not exist, pre-populate it with XKB_DEFAULT_LAYOUT= (and other useful settings?)
* might not be needed if the tool below gets implemented
* Aaron: Ignoring in favor of setxkbmap replacement tool, as suggested.

== compiled code - remove unsafe sanitizers ==
* All sanitizers except minimal UBSan are unsafe to use in production, they may result in security vulnerabilities.
* LSan is causing sclockadj to go into an infinite loop on exit for Marek.
* Leave minimal UBSan runtime enabled, remove full UBSan and ASan from all code.
** As it turns out, only Clang supports the minimal UBSan runtime, but we use GCC, so this is not possible. Just disable all sanitizers.
* Adjust sanitizer flags in compiler flags wiki page.
* Done, changed sdwdate, bindp, kloak, and security-misc to remove all sanitizers.

== trixie port - misc remaining issues ==
* Aaron:
** swaylock is configured to show a solid black screen. We may want to show something else so that the user knows the system isn't broken and is awaiting a password.
*** Turns out telling the user that the system is awaiting a password is impossible with Swaylock's current feature set. See https://github.com/swaywm/swaylock/issues/100.
*** Asked Debian if they would be interested in us providing a patch to them, will likely contact the swaylock maintainer if that is confirmed as the correct next step.
*** Added background color / image configuration for now.
*** Swaylock has rejected further requests to allow displaying user-defined text on the lock screen, because they consider it an aesthetic feature and do not target a userbase that needs to be told that the lockscreen is waiting for them to type their password.
*** Debian has rejected an offer of a patch because the maintainer wants to stick with Swaylock upstream.
*** For now, we will likely just document how to unlock the screen and hope users don't get confused.
*** Documented: https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Screen_Lock
** some systemcheck gripes need to be silenced, mostly just journal check stuff, but also the virtualizer check is "failing" on physical hardware because systemd-detect-virt returns non-zero if running on physical hardware. We probably shouldn't interpret that as failure.
*** Silenced a lot of these, but still have to build new VBox and KVM VMs to ensure all of them are silenced if possible.
*** Also fixed the virtualizer check.
** Need to build the Qubes templates and make sure they actually work. I haven't tried to build a Qubes template even once so far. That's probably what I'm going to do now.
*** Kicksecure template built after some effort.
**** Need to submit changes to qubes-builderv2 so this works out of the box.
***** Somewhat done; Marek has changes in-flight that will do this for us.
**** Need to modify qubes-template-kicksecure to point to kicksecure-qubes-gui-lxqt package.
***** Done.
**** Need to modify qubes-template-kicksecure to point to trixie-developers repository.
***** Done.
**** Need to update template build documentation.
***** Done.
*** Whonix templates still need to be built.
**** Whonix-Workstation cannot be built due to curl being unable to resolve www.torproject.org. Most likely an issue with our uwt curl wrapper. Created a commit that should fix this: https://github.com/ArrayBolt3/uwt/commit/13984371a370ec330c25b721a48c24f25034ddc2
**** Got Whonix-Workstation to build. Both it and the Whonix-Gateway template seem to work well so far.
** Might be good to launch Flameshot on login, make it not show a "welcome" message when launched, and bind the Print Screen key so that it triggers the screenshot UI when pressed.
*** We've decided to simply document this for now, since Flameshot consumes 80+ MB memory at idle. TODO: Where should we document this?
**** Patrick: [[Software]]?
**** Aaron: Good, let's just stick with the existing documentation there.
** We should be configuring PCManFM-Qt to not show graphical thumbnails. (PCManFM-Qt is also missing some of our distribution-specific configuration because of some odd behavior with configuration profiles, a symlink should be enough to solve that.)
*** Done, tested, works on physical hardware and Qubes OS.
** In the sysmaint session, the battery status notification takes a long time to notice if AC power is plugged in or unplugged. Should be pretty easy to solve by just shortening the check interval to 5 seconds rather than the default of 60.
*** Done, tested, works on physical hardware.
** We need to document how to configure the keyboard layout using labwc. At some point we may want to write a tool for this, it's just a matter of modifying a configuration file written in XML, and Python has built-in XML manipulation capabilities. They can't be used on untrusted XML, but the labwc configuration won't be untrusted.
*** Done.
** CLI builds don't have enhanced zsh configuration yet. Not sure if we figured out what to do with that, I think we wanted to create a new package for this but haven't actually done so yet.
*** Fixed by Patrick.

== browser-choice - consider using --no-install-recommends ==
* bug: Installing chromium from Debian package sources results in installing avahi and cups. Better sudo apt install --no-install-recommends chromium chromium-sandbox?
* use --no-install-recommends whenever applicable
* Patrick: Done.

== kloak - core versus adapter split ==
* https://forums.whonix.org/t/better-mouse-obfuscation/21445/18
* Aaron: Abandoned for the time being, rationale documented at https://forums.whonix.org/t/better-mouse-obfuscation/21445/19

== screenlocker backdoors ==
* https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128
* please check, confirm, reply if this issue is now resolved thanks to Wayland (and our disabling of SysRq by default)
* Aaron: Replied, there is a hardening option we might consider enabling (panic_on_oom).

== trixie port - anon-ws-disable-stacked-tor apparmor issues ==
* apparmor fails to start if /etc/apparmor.d/abstractions/tor does not exist, but shipping this file in anon-ws-disable-stacked-tor results in upgrade problems because Tor is being installed by default on Whonix-Workstation 17
** Fix: https://github.com/ArrayBolt3/anon-ws-disable-stacked-tor/commit/a9a0ac9db25fa1f00985a585193e109dc51fb5b4
* Patrick: Merged.
* Aaron: Ended up removing this fix and replacing it with an if exists fix instead as discussed. Commits pushed to helper-scripts, systemcheck, and anon-ws-disable-stacked-tor for this.
* Patrick: Merged.

== privleap comment ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/35
* Aaron: Replied while waiting for Whonix templates to build.

== kloak - natural scrolling ==
* https://github.com/Whonix/kloak/issues/8
* Aaron: To enable natural scrolling: https://wayland.freedesktop.org/libinput/doc/latest/api/group__config.html#ga958b67193c3948b59add719a68f1b948 This will need to be a configurable option within kloak itself.
* Aaron: Implemented: https://github.com/ArrayBolt3/kloak/commit/c881c666ac8af47fbc334dd41acec12323c1bcfe
* Patrick: Merged.
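The "ipv6 sleep 10 improvements" ticket above asks for the fixed sleep in tor-wait-for-network to be replaced by a sub-second re-check that is skipped entirely when IPv6 is disabled in the kernel. The following is an added example written for this page, not the anon-gw-anonymizer-config implementation: it reads the real procfs paths, but the sample file contents, the `wait_for_ipv6` return values and the injectable clock are assumptions made for an offline, deterministic demonstration.

```python
"""Added example (not tor-wait-for-network itself): wait for a global IPv6
address with a 0.1-1 s re-check, skipping the wait when the kernel has IPv6
disabled. The procfs paths are real; the sample contents are constructed."""
import time
from typing import Callable, Optional

DISABLE_IPV6_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"
IF_INET6 = "/proc/net/if_inet6"

# Constructed sample file contents for the offline demo.
SAMPLE_SYSCTL_ENABLED = "0\n"
SAMPLE_SYSCTL_DISABLED = "1\n"
SAMPLE_IF_INET6_LINK_LOCAL_ONLY = (
    "00000000000000000000000000000001 01 80 10 80       lo\n"
    "fe800000000000000250b6fffe1c2a3b 02 40 20 80     eth0\n"
)
SAMPLE_IF_INET6_GLOBAL = SAMPLE_IF_INET6_LINK_LOCAL_ONLY + (
    "20010db8000000000250b6fffe1c2a3b 02 40 00 80     eth0\n"
)


def ipv6_disabled_in_kernel(sysctl_text: Optional[str]) -> bool:
    """True when the sysctl reads '1', or when the file is absent (None),
    which is what you get when the ipv6 module is not loaded at all."""
    return sysctl_text is None or sysctl_text.strip() == "1"


def has_global_ipv6_address(if_inet6_text: str) -> bool:
    """Parse /proc/net/if_inet6: addr, ifindex, prefixlen, scope, flags, name.
    Scope 0x00 is global; 0x10 (loopback) and 0x20 (link-local) do not mean
    the network is usable, so only a global address counts."""
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        if int(fields[3], 16) == 0 and fields[5] != "lo":
            return True
    return False


def wait_until(ready: Callable[[], bool], interval: float = 0.2,
               timeout: float = 30.0,
               clock: Callable[[], float] = time.monotonic,
               sleep: Callable[[float], None] = time.sleep) -> bool:
    """Re-check ready() every `interval` seconds (clamped to the 0.1-1 s range
    requested in the ticket) until it is True or `timeout` seconds elapse.
    clock/sleep are injectable so the loop can be driven without real delays."""
    interval = min(max(interval, 0.1), 1.0)
    deadline = clock() + timeout
    while not ready():
        if clock() >= deadline:
            return False
        sleep(interval)
    return True


def read_or_none(path: str) -> Optional[str]:
    """Return file contents, or None if the file cannot be read."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


def wait_for_ipv6(read_file: Callable[[str], Optional[str]] = read_or_none,
                  **wait_kwargs) -> str:
    """Return 'skipped' (IPv6 disabled in kernel), 'ready' or 'timeout'.
    The three result strings are an assumption of this example."""
    if ipv6_disabled_in_kernel(read_file(DISABLE_IPV6_SYSCTL)):
        return "skipped"

    def ready() -> bool:
        return has_global_ipv6_address(read_file(IF_INET6) or "")

    return "ready" if wait_until(ready, **wait_kwargs) else "timeout"


if __name__ == "__main__":
    print(wait_for_ipv6(timeout=5.0))
```

Run as a script it polls the live procfs files; in tests the reader, clock and sleep are swapped for constructed versions so the 0.1-1 s clamp and the timeout path can be exercised without waiting.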
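Several tickets above (keyboard layout change usability improvements, change keyboard layout versus ISO, labwc environment default configuration file) revolve around the same operation: persist a layout in ~/.config/labwc/environment as XKB_DEFAULT_LAYOUT and then run labwc --reconfigure. The block below is an added example for this page, not the helper-scripts set-labwc-keymap script: the layout-name pattern, the atomic temp-file write, the function names and the sample file contents are assumptions; the file path and the reconfigure command are the ones the tickets name.

```python
"""Added example (not helper-scripts' set-labwc-keymap): idempotently set
XKB_DEFAULT_LAYOUT in the labwc environment file, preserving every other line
and comment, and refuse layout strings that are not plain xkb layout names.
The sample environment file content is constructed."""
import os
import re
import subprocess
from typing import Tuple

ENV_FILE = os.path.expanduser("~/.config/labwc/environment")
# Assumed pattern: a comma-separated list of short lowercase xkb layout names,
# e.g. "de" or "us,de". Anything else (spaces, quotes, shell metacharacters)
# is rejected before it can reach the file.
LAYOUT_RE = re.compile(r"^[a-z]{2,8}(,[a-z]{2,8})*$")

SAMPLE_ENV = (
    "# labwc environment file (constructed sample)\n"
    "XKB_DEFAULT_LAYOUT=us\n"
    "XKB_DEFAULT_OPTIONS=ctrl:nocaps\n"
)


def validate_layout(layout: str) -> str:
    """Return the layout unchanged if it matches LAYOUT_RE, else raise."""
    if not LAYOUT_RE.match(layout):
        raise ValueError(f"not an xkb layout name: {layout!r}")
    return layout


def set_env_var(text: str, name: str, value: str) -> Tuple[str, bool]:
    """Return (new_text, changed). Replaces the first uncommented NAME=... line,
    appends one when none exists, and leaves all other lines untouched."""
    lines = text.splitlines()
    new_line = f"{name}={value}"
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        key, sep, _ = stripped.partition("=")
        if sep and key.strip() == name:
            if line == new_line:
                return text, False      # already set: nothing to write
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n", True


def set_layout(layout: str, path: str = ENV_FILE, reload: bool = True) -> bool:
    """Persist the layout for the current user; optionally ask labwc to re-read
    its configuration. Returns whether the file was modified."""
    layout = validate_layout(layout)
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    new_text, changed = set_env_var(text, "XKB_DEFAULT_LAYOUT", layout)
    if changed:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.replace(tmp, path)           # atomic: never leaves a half-written file
        if reload:
            # Per the ticket, the new layout takes effect once labwc reconfigures
            # (and, if kloak is running, once kloak is restarted).
            subprocess.run(["labwc", "--reconfigure"], check=False)
    return changed


if __name__ == "__main__":
    import sys
    print("changed:", set_layout(sys.argv[1] if len(sys.argv) > 1 else "de"))
```

The write-then-rename keeps the file consistent if the process is interrupted, and the early return on an unchanged value avoids needless reconfigure calls; the validation step is what keeps a value taken from a CLI argument from turning into an arbitrary line in a file that labwc sources at login.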
== trixie port - browser-choice versus user-sysmaint-split ==
* user-sysmaint-split installed
* Qubes Template
* Kicksecure trixie based
* Qubes R4.2
** This may not be applicable to Qubes R4.3.
* Also reproducible in Qubes R4.2 + bookworm based Kicksecure.
* The following error message is not applicable:
You are currently running Browser Choice inside a user session. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, reboot, select PERSISTENT Mode| SYSMAINT Session | system maintenance tasks from the boot menu, and click Install a Browser in the System Maintenance Panel. See Sysmaint for more information.
* What should the user do?
** Aaron: Open a Qubes Root Console, then run browser-choice as root. Ugly, but should work. Will work on messaging for Qubes.
** Aaron: Fix created, untested: https://github.com/ArrayBolt3/browser-choice/commit/41ced11b9a77abfb58d2d7f616563625d70d9363
* Patrick:
** Qubes R4.2 + trixie: Opened a root terminal. Bug: No installation (such as chromium from Debian) possible.
You are currently running Browser Choice as a normal user. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, open a terminal in dom0, run qvm-run -u root VMNAME xfce4-terminal, then run browser-choice from that terminal. See Sysmaint for more information.
* Aaron: Second attempted fix, untested: https://github.com/ArrayBolt3/browser-choice/commit/f1331432b649fb636f7516617fc3df98692e90af
* Patrick: Merged.

== trixie port - adjust Qubes templates for LXQt ==
* Aaron: Attempted to fix https://github.com/QubesOS/qubes-issues/issues/10253#issuecomment-3333503493
** qubes-template-kicksecure: https://github.com/ArrayBolt3/qubes-template-kicksecure/commit/36a2bd4ad9d0648650fdc50df71fc30384dc350e
*** Patrick: Merged.
** qubes-template-whonix: https://github.com/ArrayBolt3/qubes-template-whonix/commit/db004332a67a82e2b956174fbc76678c9f1ddc98
*** Patrick: Merged.
* Aaron: Also made a fix for a Qt theming issue: https://github.com/ArrayBolt3/desktop-config-dist/commit/e37430be671458e7fb6f61eb306e3d5e032eb3aa
** Patrick: Merged. As a side effect, the default font in KDE konsole now looks weird. There is too much space between letters. But probably not important as there are other terminal emulators to choose from.
*** Aaron: The default terminal in LXQt is QTerminal, so this should be fine. Might be worth adding support for components of other desktops as a future task?
* Aaron: Please move to "WAITING ON" if this looks good. Feedback on qubes-core-agent-pcmanfm-qt would also be appreciated.
** Patrick: Looks good.
* Patrick: Best to split this ticket into general Qubes build issues for trixie and qubes-core-agent-pcmanfm-qt?
** Aaron: Sure.

== unshare vs. ptrace ==
* https://github.com/Kicksecure/security-misc/issues/321
* Can unshare be used to bypass ptrace restrictions? Create sample code and test.
** Aaron: Tested, could not circumvent ptrace restrictions by leveraging unshare. Unshare actually made the restrictions tighter.

== trixie port - FDE systemcheck test passing incorrectly ==
* freshly installed Kicksecure 18 system on physical hardware:
** INFO: Full Disk Encryption (FDE): Enabled.
** This is incorrect, the system has other operating systems on it that do use FDE, but the Kicksecure installation is not one of them.
** Only report FDE enabled if root (/) and home (/home) are both located on encrypted volumes
** Done: https://github.com/ArrayBolt3/systemcheck/commit/488aabfd69e039eb89a3a7d66e89f5400d2992d2
*** Patrick: Merged.

== trixie port - wl-clipboard ==
* install by default, if sensible
** Aaron: Would recommend against it for now, it's not critical and most users should likely not be using clipboard sharing anyway.
* document usage
* {{whonix_wiki |wikipage=KVM#Clipboard_Sharing |text=KVM, Clipboard Sharing }}
* [[VirtualBox/Guest_Additions#Clipboard_Sharing|Clipboard Sharing]] (Mention it does not work.)
** Aaron: Documented in both places.
* https://forums.whonix.org/t/whonix-18-wayland-based-virtualbox-clipboard-sharing-broken/22213
* https://forums.whonix.org/t/whonix-18-wayland-based-kvm-clipboard-sharing-broken/22212

== browser-choice - inside Qubes Template - prohibit starting browsers ==
* if file /var/run/qubes/this-is-templatevm exists, do not allow to start browsers
** Aaron: Done: https://github.com/ArrayBolt3/browser-choice/commit/845946c344c4917afbb765a7c322e6ac3e955e28
*** Patrick: Merged. Tested.

== tirdad - improvements ==
* review, discuss upstream: https://github.com/assisted-by-ai/tirdad/pulls
* https://github.com/0xsirus/tirdad/issues/29
* Aaron: Done, see Github comments on PRs and the compiler hardening flags issue.

== trixie port - usbguard - IPC connection failure ==
* Happening inside Qubes (R4.2) Template
IPC connection failure!IPC connect: service=usbguard: Operation not permitted
* Aaron: Reproduced on R4.3. Added additional USBGuard configuration to allow members of the qubes group access to USBGuard IPC.
** security-misc: https://github.com/ArrayBolt3/security-misc/commit/7e016b563239e31c650aece115bb19af0395ec52
* Patrick: Merged.

== trixie port - KVM shared clipboard ==

* Requires clipboard sync between X11 and Wayland clipboards
* Make spice-vdagent start properly and ensure clipboard sync allows two-way clipboard transfer
* spice-vdagent: Upstream is waiting for Wayland support to be contributed. See https://gitlab.freedesktop.org/spice/linux/vd_agent/-/issues/26.
** Worth attempting to contribute?
* Virtual Machine Manager (virt-manager): https://github.com/virt-manager/virt-manager/issues/918
* Patrick has documented using a shared folder as a workaround for now: [[KVM#Clipboard_Sharing|KVM, Clipboard Sharing]]
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.

== trixie port - VirtualBox shared clipboard ==

* Broken with Wayland upstream: https://github.com/VirtualBox/virtualbox/issues/33
* Oracle apparently intends to fix this: https://github.com/VirtualBox/virtualbox/issues/33#issuecomment-3253257020
* Aaron: Probably better to leave alone for now, document the issue and let Oracle fix it eventually? If so, this should be moved to "WAITING ON".
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.
* Patrick has documented using a shared folder as a workaround for now: [[VirtualBox/Guest_Additions#Clipboard_Sharing|VirtualBox Clipboard Sharing]]

== remove unnecessary dependencies from arc-theme ==

* https://github.com/UbuntuBudgie/arc-theme/pull/2
* since upstream is unlikely to react, could you please send a patch to Debian instead if that seems possible/useful?
* or perhaps a different, better theme? separate ticket: [[#desktop theme improvements]]
* Aaron: Pinged Ubuntu Budgie upstream via Matrix, got a response, waiting to see how (or if) that develops. Debian is likely not the right place to override this unless we absolutely have to do that. In either event, the dependencies won't be removed until Forky at best.
* Cancelled, we are not using the arc theme any longer.

== qubes boot modes - GRUB in-vm kernel support ==

* todo
* Submitted to Qubes: https://github.com/QubesOS/qubes-linux-pvgrub2/pull/16
* Submitted to FSF: https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html
** Attempt to get attention for the patch again on April 11, try to smooth out some of the possible issues with the patch before sending if at all possible.
** If a second attempt at submitting the patch results in complete silence, return to Qubes and explain that attempts to upstream the patch weren't acknowledged.
* Aaron: Accepted by FSF, merged by Qubes. Will resume work on this for Qubes R4.4/R5.0.

== trixie port - desktop theme improvements ==

* suggestions from https://forums.whonix.org/t/xfce-theming-a-few-suggestions/7205/82 valid?
* useful to change the desktop theme?
* Might be useful to postpone until after the port to trixie, i.e. after the first trixie based release. By that time, the desktop environment choice (Xfce vs LXQt) and Wayland should be settled. No point in improving Xfce based style in case of porting to LXQt.
* Provided suggestions for improving Xfce theming and attempted to port the theming to LXQt. Should defer to Trixie.
* Can be postponed after the first trixie based release.
* Aaron: Mostly implemented as part of the port to LXQt, but we should entirely remove MATE's notification daemon in favor of LXQt's (this hasn't been done yet).
* Aaron: This is now done and has been merged for a while.

== trixie port - check compiled code ==

* does our compiled code still compile on trixie?
* any compile time warnings to fix?
* any new compile time hardening flags that should be used?
** Perhaps our own compilation hardening wrapper would be useful?
* this is mostly about kloak but may affect other compiled code
* use -fanalyzer, where sensible.
* For high effort, lower gain items, please create lower priority follow-up issues for post trixie.
** Aaron: Documented compilation flags at [[Dev/compiler hardening]]
*** I seem to have messed up the page title... it says "compiler_hardening" rather than "compiler hardening" in the navbar. Is there a way to fix it?
**** Patrick: Fixed.
** Aaron: Hardened sclockadj, bindp, and emerg-shutdown. kloak was hardened in earlier tasks. Did not harden tirdad yet, unsure if it's possible / safe to do so.
*** Patrick: Follow-up ticket created.
* Patrick: All merged.
* Patrick: Please try hardening-check and address, if applicable.
hardening-check /usr/libexec/sdwdate/sclockadj
/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
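To make the hardening-check output above actionable, the following added example (POSIX shell, not code from this wiki page or from any Kicksecure package) parses the tool's output, separates checks that report "no" from checks that report "unknown", and maps each missing protection to the GCC/ld flag that normally enables it. The flag table is an assumption of this example, modelled on the usual Debian dpkg-buildflags hardening set, and the sample output embedded in the script is constructed from the sclockadj output quoted above.

```shell
#!/bin/sh
# Added example, not code from the Kicksecure wiki page or from any Kicksecure
# package: parse the output of hardening-check (devscripts) and map each check
# that reports "no" to the GCC/ld flag that normally enables it, so a missing
# protection can be traced back to a concrete compiler setting.

# Constructed sample, modelled on the hardening-check output quoted on the page.
SAMPLE_OUTPUT='/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!'

# Print the checks whose result is the given status ("yes", "no" or "unknown"),
# one check name per line. hardening-check indents each check with one space
# and separates the name from the result with ": "; the result may carry a
# comma-separated explanation, which is dropped before comparing.
checks_with_status() {
    printf '%s\n' "$1" | awk -F': ' -v want="$2" '
        /^ / {
            name = $1; sub(/^ +/, "", name)
            result = $2; sub(/,.*/, "", result)
            if (result == want) print name
        }'
}

missing_protections()      { checks_with_status "$1" no; }
undetermined_protections() { checks_with_status "$1" unknown; }

# Flag that enables a given hardening feature (assumed mapping, modelled on the
# Debian dpkg-buildflags hardening set). Control flow integrity (endbr
# instructions, -fcf-protection) exists only on x86 and Branch Protection
# (BTI/PAC, -mbranch-protection) only on aarch64, so one of the two is always
# "no" for a binary built for the other architecture; treat that as expected.
flag_for() {
    case "$1" in
        'Position Independent Executable') echo '-fPIE -pie' ;;
        'Stack protected')                 echo '-fstack-protector-strong' ;;
        'Fortify Source functions')        echo '-O2 -D_FORTIFY_SOURCE=2' ;;
        'Read-only relocations')           echo '-Wl,-z,relro' ;;
        'Immediate binding')               echo '-Wl,-z,now' ;;
        'Stack clash protection')          echo '-fstack-clash-protection' ;;
        'Control flow integrity')          echo '-fcf-protection=full' ;;
        'Branch Protection')               echo '-mbranch-protection=standard' ;;
        *) echo "unknown check: $1" >&2; return 1 ;;
    esac
}

# Space-separated list of flags for every check that reported "no".
suggested_flags() {
    missing_protections "$1" | while IFS= read -r check; do
        flag_for "$check"
    done | tr '\n' ' ' | sed 's/ *$//'
}

# Human-readable summary. "unknown" results are only warnings: hardening-check
# cannot tell from the binary whether the feature was compiled in (for example
# a program that calls no fortifiable libc function). Returns non-zero when at
# least one protection is missing outright.
report() {
    checks_with_status "$1" no | while IFS= read -r name; do
        echo "FAIL  $name  -> try $(flag_for "$name")"
    done
    checks_with_status "$1" unknown | while IFS= read -r name; do
        echo "WARN  $name  (could not be determined from the binary)"
    done
    [ -z "$(missing_protections "$1")" ]
}

# Against a real binary: report "$(hardening-check /path/to/binary)"
report "$SAMPLE_OUTPUT" || echo "some protections are missing"
```

For the quoted sclockadj output this reports Control flow integrity and Branch Protection as missing and the two "unknown" results as warnings only; on an x86 build the Branch Protection miss is expected, so only -fcf-protection=full is worth adding to the build flags there.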
== trixie port - switch image viewer to loupe ==

* current default image viewer is Tor Browser, which is non-ideal
* lximage-qt is potentially dangerous
* loupe uses Glycin to load images, which is sandboxed and written in Rust, thus likely less vulnerable
* Done, made changes to tb-starter, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages to change this.
* Patrick: Merged.

== trixie port - physical hardware installation uses /dev path in grub.cfg ==

* in boot menu, if pressing e on a boot entry:
** linux ... root=/dev/nvme1n1p6
** this should be something like linux ... root=UUID=...
* Aaron: Discovered we were explicitly turning UUIDs off. Fixes:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/commit/50405851087c08a5ec60fe83944fa1298266613b
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/4d453cda101d40536ab3831ee222a5057fc025f0
* Patrick: Merged.

== trixie port - wlgreet autologin for sysmaint session broken on ISO ==

* Booting into a sysmaint session from a Kicksecure 18 ISO results in a login screen rather than an automatic sysmaint session. Logging in at this screen as "sysmaint" presents a full desktop, not a normal sysmaint session.
* Manually executing /usr/libexec/user-sysmaint-split/sysmaint-session-wayland works fine
* Aaron: Found root cause and fixed it: https://github.com/ArrayBolt3/user-sysmaint-split/commit/8a9586f5cf4a3977e6ee06b78738cad322bd066b
* Patrick: Merged.

== trixie port - Kicksecure Qubes test ==

* install firmware-nonfree in Kicksecure Qubes. It's also default in Debian Qubes default Template.
** Aaron: Package wpasupplicant also had to be installed to get Wi-Fi to work.
* Does DNS work when using a Kicksecure 18 based sys-net?
** Aaron: Yes, DNS seems fine. Was able to reach Google, Bing, Reddit, speedtest.net, and qubes-os.org at least.
* sys-firewall ok?
** Aaron: Yes, all connectivity from the AppVM used for testing went through sys-firewall and encountered no issues. Reconfiguring sys-firewall to block connections to everything except Wikipedia resulted in Wikipedia working but all other outgoing connectivity breaking, as expected. Undoing that configuration restored outgoing connectivity, as expected. Works both with WiFi and Ethernet.
* Kicksecure Qubes internet speed versus Debian Internet speed?
** Aaron: WiFi test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** Test 1: 55.58 Mbps down, 2.08 Mbps up
**** Test 2: 54.86 Mbps down, 2.20 Mbps up
**** Test 3: 62.13 Mbps down, 2.25 Mbps up
*** With sys-net based on Debian 13:
**** Test 1: 51.89 Mbps down, 2.61 Mbps up
**** Test 2: 50.06 Mbps down, 2.68 Mbps up
**** Test 3: 45.32 Mbps down, 2.11 Mbps up
*** Conclusion: Likely no difference. Debian 13 appears slower than Kicksecure 18 in testing, but that is most likely due to speed fluctuations with my cellular Internet connectivity. Speeds seem coherent with the speeds I usually see with Ubuntu.
** Aaron: Ethernet test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** 18.59 Mbps down, 1.89 Mbps up
**** 19.91 Mbps down, 2.07 Mbps up
**** 18.39 Mbps down, 1.97 Mbps up
*** With sys-net based on Debian 13:
**** 20.58 Mbps down, 2.01 Mbps up
**** 20.95 Mbps down, 1.83 Mbps up
**** 20.29 Mbps down, 1.90 Mbps up
*** Conclusion: Likely no or relatively negligible difference. Debian 13 appears faster than Kicksecure 18 in testing, but again, this is probably because of network speed fluctuations on my end, and this is as good or better than speeds I was seeing using this link previously. (Note that because my hotspot's Ethernet support is buggy, I used NetworkManager internet connection sharing from another laptop with Ethernet, which is probably why this is so much slower than WiFi.)
* Aaron: Should we be pre-installing wpasupplicant in some instances? It appears to be preinstalled in the Debian 13 template.
** Patrick: Please install.
* Patrick: Please look for other missing packages.
* Aaron: Added wpasupplicant to Kicksecure for Qubes and baremetal.
* Aaron: No additional packages were needed for wired networking to function properly.

== trixie port - decrease touchpad sensitivity ==

* on Aaron's test laptop, the mouse pointer moves far too quickly when using the built-in touchpad.
* same issue as https://github.com/Whonix/kloak/issues/8

= Footnotes =

{{Footer}}