Last week I installed Qubes 3.0 with Whonix templates. After I installed security updates, whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck.
In order to avoid pulling in undesired packages, it might be wise to modify the apt configuration as recommended by Zwiebelfreunde for Tor Exit servers https://www.torservers.net/wiki/setup/server:
# disable debian default that pulls in recommended packages:
cat > /etc/apt/apt.conf.d/06norecommends <<EOS
APT
{
Install-Recommends "false";
Install-Suggests "false";
};
EOS
These unwanted packages weren’t installed because these settings are not set. It was a Qubes packaging bug:
Install-Suggests is disabled by Debian default anyhow.
Install-Recommends is enabled by Debian default. Disabling would generate a lot of user confusion.
These unwanted packages are unlikely to be installed during upgrades, because Debian [stable] (currently: jessie) won’t change dependencies/recommends for an already released suite (jessie…).
The source of having these unwanted packages installed is having them installed in older builds that are now upgraded.
I also haven’t seen cases where unwanted packages were pulled as recommends during usual package installation by the user.
Thank you for pointing me to that bug report. I was not aware of it.
Another thing that caught my attention during a recent security update: Both whonix-gw and whonix-ws installed iceweasel.
Although TorBrowser is based on Firefox, I do not think it depends on having a Firefox installed.
Would it not be better to install only TorBrowser on whonix-ws, and no web browser on whonix-gw?
user@host:~$ dpkg -l iceweasel
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii iceweasel 38.4.0esr-1~ amd64 Web browser based on Firefox
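Added example, not part of the thread and not whonixcheck's own code: a check over `dpkg -l` output that reports which of the packages named in this thread are installed, and which were removed but not purged (status `rc`). The function names and the chrony, ntpdate and tor sample rows are constructed for illustration; only the iceweasel row comes from the output above.

```shell
#!/bin/sh
# Packages this thread calls unwanted on the Whonix templates.
UNWANTED="ntpdate chrony iceweasel"

# Reads `dpkg -l` output on stdin and prints "<package> <state>" for every
# unwanted package that is installed or has left config files behind.
# On a real system: dpkg -l | flag_unwanted
flag_unwanted() {
    awk -v list="$UNWANTED" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) unwanted[names[i]] = 1
        }
        # Package rows start with a 2-3 letter field: desired action,
        # current status, optional error flag. Header rows do not match.
        $1 ~ /^[uihrp][ncHUFWti]R?$/ {
            name = $2
            sub(/:.*$/, "", name)          # drop a multiarch suffix such as :amd64
            if (!(name in unwanted)) next
            status = substr($1, 2, 1)
            if (status == "n") next        # known to dpkg but not installed
            if (status == "i")      print name, "installed"
            else if (status == "c") print name, "config-files-remain"
            else                    print name, "inconsistent"
        }'
}

# Constructed sample input (versions are placeholders except iceweasel).
sample_dpkg_output() {
    cat <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii  iceweasel 38.4.0esr-1~ amd64 Web browser based on Firefox
rc  chrony 0.0-constructed amd64 constructed row, removed but not purged
un  ntpdate <none> <none> (no description available)
ii  tor 0.0-constructed amd64 constructed row, not on the unwanted list
EOF
}

sample_dpkg_output | flag_unwanted
```

A `config-files-remain` line means the package was removed rather than purged, so its configuration files are still on disk.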
On the gateway, that’s a bug. Not supposed to be installed there. Also no harm when installed except waste of disk space. Fixed in Whonix 12.
On the workstation, it’s safe to uninstall also. It’s a recommended package in case Tor Browser no longer works, so the user has a browser to manually download Tor Browser. Uninstalling it on the workstation however is unfortunately difficult, see: