Whonix Xfce Development

Yeah I checked it again. Seems to be an error on my side.

Great. I can only speak for a recently built CLI workstation image which booted without any problems.

Btw, is there something going on with Xfce builds from anyone else? Double work would be pointless. To get some impressions from the Workstation:


3 Likes

First post: Hello, I have had XFCE on Whonix for some time, but I can only run 32 bit images here. I am interested in working out the kinks too. I may have to build a Whonix from scratch, since I need 32 bit though.
There are a few strange things about my workstation, but it works fine. The old GUI updater was a problem for me. I disabled it in Whonix13, but it never went away. After the update, I have had no more update reminders or Tor checks, so it is working fine. It would be simple to write a quick updater though (shell script with shortcut). My gateway image is CLI only, which I would like to keep that way, but there are probably things on it I don’t need, since no GUI. I never bothered to look at slimming the gateway down other than removing the desktop. I tried to remove KGPG from the workstation so I could use GPA instead (can’t uninstall KGPG without taking out Whonix packages) and since I took KDE off guncat stopped working for me (CLI decryption). Just minor things wrong, but would be nice to fix them.

There are some non-functional .desktop files on the Whonix gateway. They are more obvious on Xfce since you now actually see the icons. These are: gateway-firewall30default, gateway-firewall50user, gateway-reloadfirewall and whonix_setup. Can they be removed?

@eyez
Yes, for 32 bit you need to build them yourself. There is also already a CLI meta package so you could build a CLI gateway yourself. You could also build a custom Desktop of the Workstation starting from its CLI image or wait until the official XFCE metapackage is finished.

Algernon:

There are some non-functional .desktop files on the Whonix gateway. They are more obvious on Xfce since you now actually see the icons. These are: gateway-firewall30default, gateway-firewall50user, gateway-reloadfirewall and whonix_setup. Can they be removed?

I guess
https://github.com/Whonix/anon-shared-helper-scripts/blob/master/usr/lib/anon-shared-helper-scripts/terminal-wrapper
needs to be adjusted.

Let’s fix them instead please. Works in Whonix KDE and Qubes-Whonix version.

Has hard dependency on KDE konsole in deb.whonix.org version. xterm support recently added in git version.

Do you think you could add xfce4-terminal support to
https://github.com/Whonix/anon-shared-helper-scripts/blob/master/usr/lib/anon-shared-helper-scripts/terminal-wrapper?

32 bit: build from source possible. (As per https://www.whonix.org/wiki/Template:Build_Configuration) In short, just add:

--arch i386

eyez-Observe:

The old GUI updater was a problem for me.

Which GUI updater?

Negative here as I can only run 32 bit in VB, in the first place. TY though, but I will have to create my own Whonix from a 32 bit Debian source. I can probably get away with cloning my own gateway and changing the password. I have made very few changes, other than that. Workstation, I will have to build.

Can’t you just add this to the if statement?
elif command -v xfce4-terminal_ >/dev/null 2>&1; then
terminal_emulator_app="xfce4-terminal"
I’m probably assuming too much. I haven’t seen the rest of the scripts. The “_” after xfce4-terminal, is throwing me off. I’m obviously missing something.

(I didn’t check link yet, but will)

That won’t help me, IDT, cause I can’t start a 64 bit image to begin with. If Whonix has a CD/DVD install image, then maybe there is a way with your switch. I probably wouldn’t need it though. I think it would pick up 32 bit limitations and install accordingly. I also had to uninstall PAE here. After update I couldn’t boot into it, but the other non-PAE kernels worked great, in case it helps anyone else.

Whonixcheck in GUI never acted right and took a very long time. I think I remember reading about a bug (maybe in 32 bit?). It never bothered me though. I just run whonixcheck and update/upgrades from terminal. It would be easy enough for me to add a notification/zenity thing, just stating what is running.

I don’t see a contradiction here.

More specifically:

“There is also already a CLI meta package so you could build a 32 bit CLI gateway yourself.”

Possibly enough. Untested. That’s why it needs development.

Building 32 bit has no dependency on:

  • existing Whonix downloadable images
  • existing Whonix 32 bit binary downloadable
  • existing Whonix 64 bit binary downloadable
  • 64 bit anything

To build Whonix 32 bit you only need to start with Debian 32 bit. Nothing 64 bit required.

Is Whonix XFCE in your experience more responsive (faster) / less resource hungry than Whonix KDE?

Default RAM can be reduced?

I guess it will also result in reduced image sizes.

Not the final numbers but generally it looks like Xfce uses 100-200 MB less RAM, also less CPU resources, boots around 10 seconds faster and needs around 500 MB less disk space. I still have to test it under real conditions and look if there are some missing essential packages and if RAM can be reduced. Also I’m not 100% sure on which number to use for estimating RAM and CPU usage.

2 Likes

We’ll also be migrating from KDE-ish applications to XFCE-ish default applications? ie. dolphin -> thunar etc.?

I.e. hardened-desktop-applications-kde gets dropped from XFCE build and replaced by XFCE equivalents?

We’ll need to disable (image) file previews in thunar, adding the settings file to Kicksecure/security-misc - https://www.kicksecure.com/wiki/Security-misc.

Wondering which settings we need to tweak. Certainly avoid “create default panel” startup question - needlessly confusing for users.

This might be the right folder for it:

/etc/skel/.config/xfce4

xfce4 dot files (for pre-configuration as linux distribution), maybe we find something useful for us there:

Yes.

Yes.

iirc there is no preview without some image viewer installed. I added ristretto for this but I can remove it again, but there is also an option somewhere to disable preview with ristretto.

Yeah, I already have a xfce config package which puts stuff in there. End result after a build is a desktop like in the images above. Will post code soon™

3 Likes

I suggest we disable previews / thumbnails for better security.

That aspect of thunar config now good (doubt there is much more to configure?):

I opened some pull requests. I’m not sure about the actual purpose of the terminal wrapper. The original file also did not really work.
The Xfce desktop config lives here: GitHub - Algernon-01/whonix-xfce-desktop-config: Configuration for Whonix Xfce desktop.
In there I also disabled the preview for Thunar since it contains the xml file anyways. So I guess the file in security misc can be removed. I’m also not sure what file would take precedence in case there are two in /etc/skel.
It also seems to be possible to decrease the RAM to 350 MB for the gateway and the desktop still works fine.

1 Like

Most merged.

Purpose: not having to hardcode konsole or any other terminal emulator.

~/Whonix $ mygrep -r terminal-wrapper
+ exec grep --exclude=README.md --exclude=GPLv2 --exclude=GPLv3 --exclude=COPYING --exclude=changelog.upstream-old1 --exclude-dir=mnt --exclude-dir=qubes-src/linux-template-builder/mnt --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=chroot-debian --exclude-dir=chroot-jessie -r terminal-wrapper
packages/whonix-firewall/usr/share/applications/whonix-reloadfirewall.desktop:Exec=/usr/lib/anon-shared-helper-scripts/terminal-wrapper /usr/lib/whonix-firewall/reloadfirewall

packages/anon-gw-anonymizer-config/usr/share/applications/gateway-restarttor.desktop:Exec=/usr/lib/anon-shared-helper-scripts/terminal-wrapper /usr/lib/gateway-shortcuts/restarttor
packages/anon-gw-anonymizer-config/usr/share/applications/gateway-reloadtor.desktop:Exec=/usr/lib/anon-shared-helper-scripts/terminal-wrapper /usr/lib/gateway-shortcuts/reloadtor
packages/anon-gw-anonymizer-config/usr/share/applications/gateway-stoptor.desktop:Exec=/usr/lib/anon-shared-helper-scripts/terminal-wrapper /usr/lib/gateway-shortcuts/stoptor
packages/anon-gw-anonymizer-config/usr/share/applications/gateway-arm.desktop:Exec=/usr/lib/anon-shared-helper-scripts/terminal-wrapper /usr/lib/gateway-shortcuts/arm
packages/anon-gw-anonymizer-config/usr/share/lintian/overrides/anon-gw-anonymizer-config:## usr/lib/anon-shared-helper-scripts/terminal-wrapper gets by anon-shared-helper-scripts
packages/sdwdate-gui/usr/lib/sdwdate-gui/log-viewer:/usr/lib/anon-shared-helper-scripts/terminal-wrapper "tail -f -n 100 /var/log/sdwdate.log"

Not well tested yet.

I’d rather keep it there since it would benefit Non-XFCE users as well (those using Thunar).

Even Qubes is interested in the security-misc package.

Not possible. Leads to package conflict. A file cannot be owned by two packages at the same time. Breaks apt-get (possible to repair but non-obvious for most users, not pretty to have support requests for that).

Yay! (Quite likely XFCE will become Non-Qubes-Whonix default download.)

Even apt-get / kernel upgrade does not freeze the VM?

https://github.com/Whonix/Whonix/pull/423

https://github.com/Whonix/whonix-ws-desktop-shortcuts/pull/1

https://github.com/Whonix/whonix-gw-desktop-shortcuts/pull/2

https://github.com/Whonix/anon-meta-packages/pull/15

Could you please remove any settings (if removable) which you don’t explicitly intend to change?

For example in https://github.com/Algernon-01/whonix-xfce-desktop-config/blob/master/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

I doubt <property name="last-separator-position" type="int" value="170"/> is intended?

Reason: any extraneous settings we’re not sure why we are changing / not sure what they are doing can cause issues now or later; obsolete code; generating follow up questions.

In case of thunar disabling thumbnails security-misc/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml at master · Kicksecure/security-misc · GitHub is more minimal, better.

Can we add comments to these xml files?

  • licensing
  • documenting rationale for changing settings?

For example in whonix-xfce-desktop-config/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml at master · Algernon-01/whonix-xfce-desktop-config · GitHub I am wondering about the rationale of:

  • <property name="show-trash" type="bool" value="false"/>
  • <property name="show-removable" type="bool" value="false"/>
  • <property name="window-width" type="int" value="634"/>
  • <property name="window-height" type="int" value="460"/>

and more in other files. We shouldn’t preconfigure to our liking and then just share the ~/.config folder. Much better to keep it minimal.

https://github.com/Whonix/anon-shared-helper-scripts/blob/master/usr/lib/anon-shared-helper-scripts/terminal-wrapper should be working nicely now.
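
The request earlier in the thread to keep the /etc/skel xfconf files minimal can be checked mechanically. The script below is an added example, not code from Whonix or from any of the posters: it lists every property in an xfconf channel file that is not on a reviewed allowlist. The sample file is constructed, and the thumbnail property name and value (misc-thumbnail-mode, THUNAR_THUMBNAIL_MODE_NEVER) are assumed to be what the minimal thunar.xml sets.

```shell
#!/bin/sh
# Added example (not Whonix code): flag xfconf settings in a skel file that
# were not deliberately chosen, so only reviewed properties get shipped.

# extra_properties FILE ALLOWED_NAME...
# Prints the name of every property that carries a value= attribute and is
# not on the allowlist. Assumes one <property .../> per line, as xfconf writes.
extra_properties() {
    file=$1; shift
    allowed=" $* "
    sed -n 's/.*<property name="\([^"]*\)"[^>]*value="[^"]*".*/\1/p' "$file" |
    while IFS= read -r name; do
        case "$allowed" in
            *" $name "*) ;;                 # reviewed setting, keep quiet
            *) printf '%s\n' "$name" ;;     # unreviewed setting, report it
        esac
    done
}

# audit_ok FILE ALLOWED_NAME...
# Exit status 0 only if the file sets nothing beyond the allowlist.
audit_ok() {
    [ -z "$(extra_properties "$@")" ]
}

# Constructed sample: a thunar.xml holding the thumbnail setting (assumed
# property name) plus the leftover pane position quoted in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<channel name="thunar" version="1.0">
  <property name="last-separator-position" type="int" value="170"/>
  <property name="misc-thumbnail-mode" type="string" value="THUNAR_THUMBNAIL_MODE_NEVER"/>
</channel>
EOF

# Only the thumbnail setting was reviewed, so the pane position is reported.
extra_properties "$sample" misc-thumbnail-mode
```

Run against each file under etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/ at build time, a non-zero audit_ok status points at settings that still need a documented rationale or removal.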