Avoid pulling in unwanted packages during security updates

Last week I installed Qubes 3.0 with Whonix templates. After I installed security updates, whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely ntpdate and chrony. So I purged them as recommended by whonixcheck.

In order to avoid pulling in undesired packages, it might be wise to modify the apt configuration as recommended by Zwiebelfreunde for Tor Exit servers https://www.torservers.net/wiki/setup/server:

# disable debian default that pulls in recommended packages:
cat > /etc/apt/apt.conf.d/06norecommends <<EOS
APT
{
        Install-Recommends "false";
        Install-Suggests "false";
};
EOS

These unwanted packages weren’t installed because these settings are not set. It was a Qubes packaging bug:

Install-Suggests is disabled by Debian default anyhow.

Install-Recommends is enabled by Debian default. Disabling it would generate a lot of user confusion.

These unwanted packages are unlikely to be installed during upgrades, because Debian [stable] (currently: jessie) won’t change dependencies/recommends for an already released suite (jessie…).

The source of having these unwanted packages installed is having them installed in older builds that are now upgraded.

I also haven’t seen cases where unwanted packages were pulled in as recommends during usual package installation by the user.

You can find the current list of unwanted packages in this file:
https://github.com/Whonix/whonixcheck/blob/master/etc/whonix.d/30_whonixcheck_default

Search it for:

whonixcheck_unwanted_package

These are not installed by accident. And if they are installed manually, the user gets warned by whonixcheck.
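An added example (not whonixcheck's own code) of the kind of check described above: given dpkg's package/status listing, it reports which packages from an unwanted list are still present, distinguishing a fully installed package from one that was removed but not purged. The package names are the ones from this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not whonixcheck's own code: report packages from an
# "unwanted" list that are still present, in the spirit of the
# whonixcheck_unwanted_package check.
#
# Input on stdin: one "<package> <status>" line per package, as printed by
#   dpkg-query -W -f='${Package} ${Status}\n'
# Arguments: the unwanted package names.
# Output: "<package> installed" for a fully installed package,
#         "<package> config-files" for one removed but not purged
#         (leftover config files are flagged because the thread's
#         recommendation is to purge, not merely remove).
unwanted_installed() {
    while read -r pkg status; do
        for want in "$@"; do
            [ "$pkg" = "$want" ] || continue
            case "$status" in
                "install ok installed")      echo "$pkg installed" ;;
                "deinstall ok config-files") echo "$pkg config-files" ;;
            esac
        done
    done
}

# Exit status 0 when nothing from the list is present, 1 otherwise
# (prints the findings), so it can be used from a cron job or a script.
check_unwanted() {
    out=$(unwanted_installed "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Real use inside a template (requires dpkg):
#   dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null \
#     | check_unwanted ntpdate chrony
# To confirm the apt setting discussed above, "apt-config dump" shows the
# effective value of APT::Install-Recommends.
```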

Hi Patrick,

thank you for pointing me to that bug report. I was not aware of it.

Another thing that caught my attention during a recent security update: Both whonix-gw and whonix-ws installed iceweasel.
Although TorBrowser is based on Firefox, I do not think it depends on having a Firefox installed.
Would it not be better to install only TorBrowser on whonix-ws, and no web browser on whonix-gw?

user@host:~$ dpkg -l iceweasel 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  iceweasel      38.4.0esr-1~ amd64        Web browser based on Firefox

On the gateway, that’s a bug. Not supposed to be installed there. Also no harm when installed except waste of disk space. Fixed in Whonix 12.

On the workstation, it’s safe to uninstall also. It’s a recommended package in case Tor Browser no longer works, so the user has a browser to manually download Tor Browser. Uninstalling it on the workstation however is unfortunately difficult, see:

There are more packages you are free to uninstall. Just added this yesterday: