adding non-free packages by default is it safe?


is it safe to allow non-free packages from source.list ?

u can find that it is allowed by default if u go for example in whonix-workstation-template then:-

nano /etc/apt/sources.list.d/debian.list

non-free added there by default (this is also by default in debian template)

apt-get upgrading security issue CVE-2016-1252

Good day,

“Non-Free Packages” simply are packages which, for one reason or another can’t complie with the Debian Free Software Guidelines. That though doesn’t comment in any way on their safety. DFSG compliant applications may be unsafe and non DFSG compliant applications may be safe. “non-free” just comments on the respective licensing, not on anything else.

Have a nice day,



Well, nothing immediately explodes as soon as you do, but generally:

That’s a usability feature. Just by having the non-free repository enabled by default, nonfree software does not automagically install itself.

whonixcheck will report any nonfree software. Except for some hardly avoidable packages which are in the whonixcheck_expected_nonfree_package list.


I don’t know if it’s a good idea to disable the nonfree repository by default. It would be more Libre Software advocacy hardcore than Debian itself (which has these enabled by default). Users failing to install their nonfree package then would submit support requests. On the other hand, advocacy of avoidance of installation of nonfree packages may be better. I guess we have a quite balanced approach to this with whonixcheck currently.


debian by default does not enable non-free or contrib , just main. (i should ask the same question to Qubes-debian maintainer , why hes adding contrib and non-free to debian-template)

but since whonixcheck need it , then we need to enable it by default unless there will be a replacement/shift to our software dependencies located inside whonix


yeah i know but im talking about safety-awareness inside anonymous OS , because security through obsecurity is not a choice anymore in anonymity field.


Whonix VirtualBox needs nonfree packages for VirtualBox guest additions.

Qubes(-Whonix) needs it for firmware-linux, firmware-linux-nonfree. For Qubes-Whonix that should be fixed by now. ( https://github.com/QubesOS/qubes-issues/issues/1177 ) Perhaps by removing these two packages from whonixcheck whonixcheck_expected_nonfree_package we’ll get the remaining users (who always upgraded Whonix) to purge these unnecessary packages.

Qubes Debian templates would still keep nonfree enabled by default for firmware-linux, firmware-linux-nonfree. ( https://github.com/QubesOS/qubes-issues/issues/1177 )

So yes, it may be possible to disable nonfree in /etc/apt/sources.list in Qubes-Whonix by default. It would be somewhat messy because Whonix VirtualBox would still require it.


but virtualbox doesnt need non-free packages , it need just contrib.

firmware-linux-nonfree is the real problem and i wonder if we can get ride of it or replace it with alternative.


Good day,

Has been explained here: https://www.whonix.org/blog/installing-virtualbox-guest-addition-by-default

What is the problem with it? It contains somewhat important drivers for a variety of systems.

Have a nice day,



still cant c where is the part which is talking about allowing non-free packages for the sake of vbox guest

by saying “non-free” is a problem by itself. allowing it by DEFAULT is even worse. yes we give the user the right to edit the sources.list in order if he like to install something which in the category of “accessories” . but as anon-system the least rational security must be that we use fully open-source OS , with 0 dote of closed-source package/program…etc.


If you don’t want non-free, you also don’t want contrib.

VirtualBox contrib mess references are here:


yeah that explain alot regarding vbox issue. (but still no need for non-free to be there tho …)

how about the actual subject which is qubes-whonix ?

unless this issue get solved ( https://github.com/QubesOS/qubes-issues/issues/1177 ) then we can delete non-free ?


contrib contains flashplugin-nonfree. This is as bad as it can get. The difference between non-free and contrib is “rather technical”. So either we remove both contrib and non-free or we leave it as is. A half solution is worse than what we have now.

It won’t be solved for Qubes Debian templates.

For Whonix you can use sudo apt-get purge linux-firmware linux-firmware-nonfree. That only applies to old installations. New installations don’t have it.


Qubes-Whonix / Whonix KVM: We can go for main only, i.e. drop
contrib and nonfree by default.

Whonix VirtualBox: However, it wrecks Whonix VirtualBox. Some solution
needs to be found for virtualbox-guest-additions. A VirtualBox specific
file /etc/apt/sources.list.d/debian_contrib.list or so. There is not
really a Whonix package that fits. Or keep uploading it to Whonix
repository which would also increase maintenance overhead. Messy either way.


Also messy, because then VirtualBox and KVM builds would have to be build separately, i.e. not sharing the raw image before converting to virtualizer specific images, which would also increase maintenance overhead.

Perhaps anon-apt-sources-list could conditionally in VirtualBox only at boot time create /etc/apt/sources.list.d/debian_contrib.list, but that’s also not great.


For Debian stretch:

  • torbrowser-launcher is in contrib - we don’t directly need this package in Whonix (it’s in contrib because it’s an installer?)
  • onionshare is in contrib - because onionshare depends on torbrowser-launcher

Adding to what was said in earlier posts… It’s either enable contrib by default or not install onionshare by default.


is this the only reason why we r enabling contrib ? or there r others tools needing it? (inside stretch)


All information in this thread are still current.


virtualbox now considered for debian stretch as third-party , and been removed from debian 9 repos because of oracle policies. (read Virtualbox might not be suitable for Stretch)

i think if anyone want whonix inside the vbox he should self customize it otherwise it shouldnt be by default supporting it. (trusting in third parties is a security risk and blind trusting).

so we have now a good reason to not add “non-free” and “contrib” repos to the new whonix.


Gotta be installed from Debian sid or VirtualBox Debian repository then. And we need instructions on how to do that. //cc @JasonJAyalaP @joysn

VirtualBox is probably the most popular way to use Whonix. Unfortunately, that even on Linux Windows. Nevertheless, a great way to get people in touch with Linux. Therefore, VirtualBox support won’t be deprecated.


Instructions at the place “install virtualbox”?

Or somewhere else?