Avoid pulling in unwanted packages during security updates

Last week I installed Qubes 3.0 with Whonix templates. After I installed security updates, whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck.

In order to avoid pulling in undesired packages, it might be wise to modify the apt configuration as recommended by Zwiebelfreunde for Tor Exit servers https://www.torservers.net/wiki/setup/server:

# disable debian default that pulls in recommended packages:
cat > /etc/apt/apt.conf.d/06norecommends <<EOS
        Install-Recommends "false";
        Install-Suggests "false";

These unwanted packages weren’t installed because this settings are not set. It was a Qubes packaging bug:

Install-Suggests is disabled by Debian default anyhow.

Install-Recommends is enabled by Debian default. Disabling would generate a lot user confusion.

These unwanted packages are unlikely to be installed during upgrades. Because Debian [stable] (currently: jessie) won’t change dependencies/recommends for an already released suite (jessie…).

The source of having these unwanted packages installed is having them installed in older builds that are now upgraded.

I also haven’t seen cases, where unwanted packages were pulled as recommends during usual package installation by the user.

You can find the current list of unwanted package in this file:

Search it for:


These are not installed by accident. And if they are installed manually, the user gets warned by whonixcheck.

Hi Patrick,

thank you for pointing me to that bug report. I was not aware of it.

Another thing that caught my attention during a recent security update: Both whonix-gw and whonix-ws installed iceweasel.
Although TorBrowser is based on Firefox, I do not think it depends on having a Firefox installed.
Would it not be better to install only TorBrowser on whonix-ws, and no web browser on whonix-gw?

user@host:~$ dpkg -l iceweasel 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
ii  iceweasel      38.4.0esr-1~ amd64        Web browser based on Firefox

On the gateway, that’s a bug. Not supposed to be installed there. Also no harm when installed expect waste of disk space. Fixed in Whonix 12.

On the workstation, it’s safe to uninstall also. It’s a recommended package in case Tor Browser no longer works, so the user has a browser to manually download Tor Browser. Uninstalling it on the workstation however is unfortunately difficult, see:

There are more packages you are free to uninstall. Just added this yesterday: