New versions come out often and it’s great. I have a question for the future. To get the new stable version of Whonix, is the best way to download the image and install, or to upgrade the old version using sudo apt-get-update-plus dist-upgrade?
When can I just upgrade?
When is it better to download the image and make a new installation?
Always except if a Whonix News says otherwise.
Both have pros and cons.
Keeping Tor entry guards when migrating to a new image is possible, but it is a cumbersome process usability-wise. Good for Tor, but more risky for security if Tor state files were previously compromised in ways they could re-compromise on a new image. Also transferring files out of VMs is a security risk for the host. There’s no perfect answer. It depends on what risks one thinks are more likely.
Upgrading in-place is more comfortable.
New builds come with less legacy, so they will always be of higher out-of-the-box quality and less likely to have bugs related to upgrading.
New builds might be slightly less a target for sneaking in backdoors through hypothetical malicious upgrades.
See also:
Maybe a good compromise would be to get a new image when there is a release upgrade.
You didn’t ask for the following option, but I am mentioning it here for the sake of completeness and since it is related anyhow. The option which is better than both is upgrading from source code and/or creating Whonix images from source code. This is documented here:
I will migrate/move/moderate this question to its own forum thread later.
I am ashamed to admit it, but I tried several times.
You might think that this person cannot create an image for VirtualBox, which means that he is not able to understand the code. This is not true.
Maybe someday you can make a video of the process and add it to the Whonix channel on YouTube.
No, I don’t think that.
Also understanding of the source code is a bonus but not a requirement for building Whonix images from source code to benefit from the security advantages of doing so.
Don’t hold your breath for that. You’ll probably run into the same issues as before anyhow.
For that feel free to create a new thread. This might be solvable.
I often wondered about this point. Could you explain why building from source, without going through the code, is more secure than using the already built images (provided we verify the images with your signature)?
I am speaking generally, since this is not a Whonix-specific problem. Most if not all operating systems, even any software download, are concerned.
It’s easier to sneak in a backdoor into binary builds than sneaking in a backdoor into the source code.
For almost no software project there is yet an easy mechanism to verify that a binary was produced from a given source code. See verifiable builds / deterministic builds / reproducible builds.
For an adversary who compromised a developer computer, it is easy to build from different source code which contains malware and not from the one which was claimed to have been used to produce the binary.
It’s conceivable that
- a developer build machine, or
- a developer signing key, or
- the signing mechanism cryptography
has been compromised by an adversary and/or due to server compromise, that
- malicious binaries are shipped to select users
- malicious signing keys and binaries are shipped to select users.
By building from source code (and checking the software signature of the source code), the user is using something where backdoors are much more difficult to hide, and more likely to be spotted.
By downloading anonymously / using different identities (a few times) it is getting less likely to receive a maliciously altered version. (That could be argued for binary builds too, though.)
There is more/other information on the same subject here:
I assume nobody goes over all of the code periodically, so does the way code is managed in github assist in spotting unauthorized changes?
And if we do build from source, would you recommend downloading the image as well and then comparing the two? After all, it may also be possible some local malware is compromising the build on the user’s side?
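To make the reproducible-builds point above concrete, here is an added example (not Whonix build code) that packages a constructed in-memory source tree two ways: a naive build that leaks the build time into the tar entries and the gzip header, and a deterministic build that pins ordering, ownership and timestamps (the SOURCE_DATE_EPOCH convention). Only the second kind lets an independent builder compare a hash against a published one; the function and variable names are my own.

```python
"""Reproducible-build check: same source in, identical artifact out.

Added example, not Whonix build code. The source tree below is constructed.
"""
import gzip
import hashlib
import io
import tarfile
import time

# Constructed sample source tree: archive path -> file content.
SOURCE_TREE = {
    "pkg/bin/tool": b"#!/bin/sh\necho hello\n",
    "pkg/README": b"example package\n",
    "pkg/etc/config": b"debug=0\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_naive(tree: dict, build_time=None) -> bytes:
    """Typical non-reproducible packaging: entry mtimes carry the build
    wall-clock time and the gzip header records its own "now" timestamp."""
    if build_time is None:
        build_time = time.time()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        for path, data in tree.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(build_time)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deterministic(tree: dict, source_date_epoch: int = 1_700_000_000) -> bytes:
    """Reproducible packaging: sorted entries, clamped mtime (SOURCE_DATE_EPOCH
    convention), fixed owner and mode, gzip header timestamp forced to 0."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in sorted(tree):
                data = tree[path]
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_reproducible(build_fn, tree: dict, runs: int = 3) -> bool:
    """Build several times and require an identical hash every time."""
    digests = {sha256(build_fn(tree)) for _ in range(runs)}
    return len(digests) == 1


def matches_published(artifact: bytes, published_sha256: str) -> bool:
    """What a user who rebuilt from source does with the vendor's hash."""
    return sha256(artifact) == published_sha256.strip().lower()


def list_members(artifact: bytes) -> list:
    """Sanity check that the deterministic archive still holds the tree."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    # Two naive builds "one day apart" differ even though the source is the same.
    day1 = sha256(build_naive(SOURCE_TREE, 1_700_000_000))
    day2 = sha256(build_naive(SOURCE_TREE, 1_700_086_400))
    print("naive builds identical:        ", day1 == day2)
    print("deterministic builds identical:", is_reproducible(build_deterministic, SOURCE_TREE))
    print("deterministic sha256:", sha256(build_deterministic(SOURCE_TREE)))
```

The gzip header timestamp is the classic trap: even with every tar entry pinned, `tarfile.open(mode="w:gz")` stamps the current time into the container, so the deterministic variant opens the gzip stream itself with `mtime=0`.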
Possibly so.
github doesn’t assist in anything. I doubt it; I would wonder if github does anything manual related to most of the projects it hosts. Not sure that’s even their task besides keeping their systems secure.
Malicious source code changes on github are checked for by signing all git commits and by using signed git tags. The Whonix main project https://github.com/Whonix/Whonix also signs all commits, which link to git commits of all sub projects (packages).
By fetching Whonix source code as documented in Build and Update Whonix from Source Code, git tags are verified. I periodically do that myself and have never seen any corrupt git sources from github yet at the time of writing.
By git tag verification against developer signing key, users should have the same source as developer signed earlier.
If the developer computer, signing key or cryptography was broken, it is conceivable that source code on github has malicious modifications. But these could be seen by anyone who is not compromised and looking at the source code. Possibly such a malicious modification is hiding in the open, but I think this is less likely than malicious binary builds.
Source code could be maliciously modified in case github gets hacked again or in case SSL CAs get hacked again. Such breaches would be spotted by git tag verification.
Source code could be maliciously modified in case of developer computer or signing key compromise or broken cryptography. Such modifications would only be spotted if someone is reading the source code.
That would be ideal but very difficult. That’s the idea of:
Possibly, but that can’t be spotted by verifiable / reproducible / deterministic builds / building from source whatsoever. Once the user machine is compromised, all output on the user’s screen could be maliciously altered, showing a false reality.
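The "git tag verification against developer signing key" step above has one detail worth showing in code: `git verify-tag` exits 0 as soon as any key in your keyring produced a valid signature, so a script should additionally pin the expected developer fingerprint. The following is an added example, not Whonix project code. It parses the gpg status lines that the real `git verify-tag --raw` option prints to stderr; the pinned fingerprint is a placeholder (not a real Whonix key), the sample status lines and fingerprints are constructed, and the function names are my own.

```python
"""Git tag verification that pins the developer's key fingerprint.

Added example, not Whonix project code. Status lines below are constructed.
"""
import subprocess

# PLACEHOLDER, not a real Whonix key: replace with the fingerprint you
# verified through an independent channel.
PINNED_FINGERPRINT = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# gpg status keywords that mean the signature must be rejected outright.
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def normalize_fpr(fpr: str) -> str:
    """Fingerprints are often copied with spaces and mixed case."""
    return fpr.replace(" ", "").upper()


def signature_is_trusted(status_lines, pinned_fingerprint):
    """Return (ok, reason) for the gpg status-fd lines of one signature.

    Pass only if gpg reported GOODSIG and the VALIDSIG fingerprint (or the
    primary-key fingerprint at the end of that line) equals the pinned one.
    """
    pinned = normalize_fpr(pinned_fingerprint)
    saw_goodsig = False
    fingerprints = set()
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in REJECT:
            return False, "gpg reported " + keyword
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            fingerprints.add(fields[2].upper())       # key that made the signature
            if len(fields) >= 12:
                fingerprints.add(fields[11].upper())  # its primary key
    if not saw_goodsig:
        return False, "no GOODSIG line: signature missing or invalid"
    if pinned not in fingerprints:
        return False, "good signature, but not from the pinned key: " + ", ".join(sorted(fingerprints))
    return True, "signed by pinned key"


def verify_git_tag(repo_dir: str, tag: str, pinned_fingerprint: str = PINNED_FINGERPRINT):
    """Run `git verify-tag --raw` in repo_dir and evaluate its status output.

    git prints gpg's raw status lines on stderr; the exit code alone is not
    consulted because it does not say which key signed.
    """
    proc = subprocess.run(
        ["git", "-C", repo_dir, "verify-tag", "--raw", tag],
        capture_output=True, text=True,
    )
    return signature_is_trusted(proc.stderr.splitlines(), pinned_fingerprint)


# Constructed sample status output; the fingerprints are made up.
DEV_FPR = "A1B2" * 10
OTHER_FPR = "C3D4" * 10
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + DEV_FPR[-16:] + " Example Developer <dev@example.invalid>",
    "[GNUPG:] VALIDSIG " + DEV_FPR + " 2023-01-01 1672531200 0 4 0 1 10 00 " + DEV_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# A valid signature by some other key in the keyring: git would exit 0 here.
SAMPLE_OTHER_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + OTHER_FPR[-16:] + " Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG " + OTHER_FPR + " 2023-01-01 1672531200 0 4 0 1 10 00 " + OTHER_FPR,
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG " + DEV_FPR[-16:] + " Example Developer <dev@example.invalid>",
]

if __name__ == "__main__":
    for name, lines in [("good", SAMPLE_GOOD), ("other key", SAMPLE_OTHER_KEY), ("bad", SAMPLE_BAD)]:
        print(name, signature_is_trusted(lines, DEV_FPR))
```

The "other key" sample is the case the exit status hides: the signature is cryptographically fine, it is just not the developer's, which is exactly the scenario of a substituted signing key discussed above.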
Perhaps the question will sound silly. Have you noticed attempts?
I wonder how you combine Whonix development with your personal life, work. What do you do besides developing Whonix?
In my country, a person developing such a system will automatically become a target for pressure.
No, and I doubt any advanced adversary would be detectable.
As for indicator of compromise, see:
Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners