Cwtch messaging

Excellent!

Feature requests:

  • send a pull request to onion-grater so we ship the cwtch profile in Whonix by default
  • open a feature request for cwtch to set variables CWTCH_TAILS, CWTCH_RESTRICT_PORTS and CWTCH_BIND_EXTERNAL_WHONIX automatically if Whonix was detected. That could be based on testing if the file /usr/share/anon-ws-base-files/workstation exists.

related:
Whonix ™ friendly applications best practices chapter Programmatically Detecting Whonix ™ in Whonix wiki

What’s the point of LD_LIBRARY_PATH?

Will do once it is improved. It is not hardened, it is just “working” as of now.

What I don’t like about the profile:

  commands:
    GETINFO:
      - '.*'
    SETCONF:
      - 'DisableNetwork.*'

I see all those variables as necessary on Whonix, not optional, so system detection would be nice. They are already doing that with CWTCH_BIND_EXTERNAL_WHONIX, by blocking it if Whonix is not detected.

1 Like
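One way to audit an onion-grater profile for broad patterns such as the two quoted in the post above. This is an added example, not code from the thread, onion-grater or Cwtch. It assumes each pattern is applied as a full-match regular expression to the command's argument string; the tighter rules, the probe strings and the option name `OtherOption` are constructed for illustration.

```python
import re

# Constructed sample: the two rules quoted in the post, as parsed YAML.
QUOTED = {"GETINFO": [".*"], "SETCONF": ["DisableNetwork.*"]}
# Hypothetical tighter rules for comparison; not a tested Cwtch profile.
TIGHTER = {"GETINFO": ["version", "status/bootstrap-phase"],
           "SETCONF": ["DisableNetwork=[01]"]}

# Constructed argument strings that no narrow rule should accept.
NONSENSE = ["zz-constructed-probe", "a b c", ""]
# An unescaped ".*" or ".+" at the very end of a pattern.
OPEN_TAIL = re.compile(r"(?<!\\)\.[*+]\$?$")


def accepts(commands, command, args):
    """True if any pattern listed for `command` full-matches `args`
    (assumed matching model, see lead-in)."""
    return any(re.fullmatch(p, args) for p in commands.get(command, []))


def audit(commands):
    """Return sorted (command, pattern, issue) tuples for broad patterns."""
    findings = []
    for command, patterns in commands.items():
        for pattern in patterns:
            rx = re.compile(pattern)
            if all(rx.fullmatch(probe) for probe in NONSENSE):
                # Accepts every probe, including the empty string.
                findings.append((command, pattern, "catch-all"))
            elif OPEN_TAIL.search(pattern):
                # Fixed prefix, but anything may follow on the same line.
                findings.append((command, pattern, "open-ended tail"))
    return sorted(findings)


if __name__ == "__main__":
    for name, profile in (("quoted", QUOTED), ("tighter", TIGHTER)):
        print(name, audit(profile))
    # The open tail lets a second, unrelated setting ride along:
    print(accepts(QUOTED, "SETCONF", "DisableNetwork=0 OtherOption=1"))
    print(accepts(TIGHTER, "SETCONF", "DisableNetwork=0 OtherOption=1"))
```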

Tails installation:

Tails onion-grater profile:

Forgot to change Whonix onion-grater profile…

But will wait to get a definitive profile.
Also, because the profile is repeated in the documentation and another file, I think it should not be in the docs, code duplication will be forgotten.

1 Like

Thank you! Merged.

This is now in the testers repository.

1 Like

This has become strange because there is no reason for Cwtch to have extra information in the profile, like the Whonix packaging ## meta start, for example.

In the future, we may ask for them to simply mention Whonix already has the profile that only needs to be loaded, therefore no code duplication to keep in sync with files that don’t completely match.

1 Like

Merged.

This is now in the testers repository.

Cwtch now has a stable release candidate, which includes Whonix support (thanks @nyxnor !!).

I’m running Qubes-Whonix (Whonix 16, waiting for Qubes OS 4.2 to be stable to upgrade to Whonix 17). I followed the install instructions.

Upon launching, I get the error output:
cwtch-autobindings/lib.go [ERR ] Error connecting to Tor replacing with ErrorACN: write tcp 127.0.0.1:57352->127.0.0.1:9051: write: broken pipe

Within the UI, a similar message is under “Tor Status”.

Others in the Cwtch Testers group have had the same issue.

Not sure if this is relevant, but additionally the first two lines of output are:

(cwtch:5927): dbind-WARNING **: 15:32:42.325: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files

(cwtch:5927): Gdk-CRITICAL **: 15:32:42.388: gdk_window_get_state: assertion 'GDK_IS_WINDOW (window)' failed

Any thoughts on what is causing this? Discussion in the Cwtch Testers group did not resolve the issue.

I’m not sure whether this is expected behaviour, but even after “Reload Firewall”, the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf still appears empty. The Whonix docs imply that it would not be empty if a change to the firewall settings was made.

This could use some documentation to be written:
https://www.whonix.org/wiki/Chat#Cwtch

Any git changes are in the stable repository for a while now.

If it’s empty then you didn’t make a change to the firewall configuration file.

The upstream documentation is terse but mentions, quote:

The Whonix-Workstation Firewall needs to have the possible Cwtch binding port open. Follow the upstream firewall guide.

But it seems to me that many users ignore links, take it as optional, don’t click it. Without that it can be indeed hard to edit that file.

Unfortunately, upstream replied "won't fix".

Debian request for packaging:
RFP: cwtch – Privacy Preserving Infrastructure for Asynchronous, Decentralized, Multi-Party, and Metadata Resistant Applications

1 Like

Cwtch upstream feature request:

But that’s a non-issue because there’s an install-whonix.sh script provided by upstream.

Documentation now exists. Testers welcome.


remaining imperfections:

  • startup command /home/user/.local/bin/cwtch is a bit cumbersome
  • The install-whonix.sh by default installs to the home folder. In the future this will cause a conflict with Enhanced Security via Mount Options and Compiler Restrictions. This would be a non-issue if installed to the system. That would happen if a .deb was available.

A .deb is planned, mentioned in a comment here by upstream:

Tested the instructions. It works for me.

1 Like