Disabling TCP SACK, DSACK, FACK

Even just net.ipv4.tcp_sack=0 causes grave issues with my clearnet connectivity. A usually 2 seconds page load time goes up to 10 seconds or so.

The problem is our style of development is rather early stage. We don’t have a testing farm of various computers in various configurations such as in globally distributed locations using different ISPs, different hardware, different routers, different configurations, running various automated connectivity and performance tests.

I am not calling it amateur because not even commercial operating systems might have that level of testing. However, without that level of testing we are flipping settings with very limited testing. Mostly just in our own configuration. With our computer, our ISP, our setup, etc. We’re kinda walking blind so to speak.

Therefore this change is too experimental to be applied by default for all users. Note: security-misc is a general, non-Whonix specific page.

I will merge this change to have it inside the git history and then undo it by deleting file /etc/sysctl.d/tcp_sack.conf.

If you like, this could be implemented on an opt-in basis. I.e. all files by default and the user only has to pull the trigger (run some command) to enable all of this.

Another alternative could be creating a package security-extra or so which I am happy to maintain in sense of hosting on github, adding to Whonix repository, review/merge etc. but not installed by default in Whonix or Kicksecure. This would however allow easy activation of this using sudo apt install security-extra or so and may also get installed by default when using some opt-in Whonix custom build parameter.

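Both the plan to undo the change by deleting /etc/sysctl.d/tcp_sack.conf and the opt-in idea (ship the fragments, let the user run a command to enable them) depend on one question a practitioner wants answered quickly: is a given sysctl.d fragment actually in effect on this kernel right now? The POSIX sh script below is an added example, not code from security-misc, Whonix or Kicksecure. It parses a fragment of `key = value` lines and compares each requested value with what the kernel reports under /proc/sys (the dotted key maps to a path, `net.ipv4.tcp_sack` to `net/ipv4/tcp_sack`). The fixture it builds (`make_demo_fixture`, the three knobs named in the thread, a fake /proc/sys tree where tcp_sack is still 1 and tcp_fack is absent) is constructed for offline use; run it with `--demo`, or point `check_sysctl_file` at a real file and the default /proc/sys.

```shell
#!/bin/sh
# Added example, not code from the security-misc project.
# check_sysctl_file CONF [SYSROOT]
#   Reads a sysctl.d-style fragment ("net.ipv4.tcp_sack = 0" per line,
#   '#' comments allowed) and compares each requested value with what the
#   kernel currently reports under SYSROOT (default /proc/sys; the dotted key
#   maps to a path: net.ipv4.tcp_sack -> net/ipv4/tcp_sack).
#   Prints "OK ..." or "DRIFT ..." per key and returns the number of keys
#   that are missing or differ, so exit status 0 means the file is in effect.
check_sysctl_file() {
    conf="$1"
    sysroot="${2:-/proc/sys}"
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                              # drop trailing comments
        case "$line" in *=*) ;; *) continue ;; esac    # skip blank/invalid lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        path="$sysroot/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "DRIFT $key want=$want have=<no such sysctl>"
            drift=$((drift + 1))
            continue
        fi
        have=$(tr -d '[:space:]' < "$path")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$want"
        else
            echo "DRIFT $key want=$want have=$have"
            drift=$((drift + 1))
        fi
    done < "$conf"
    return "$drift"
}

# Constructed fixture (not a real system): a fragment asking for the three
# knobs from the thread, and a fake /proc/sys tree where tcp_sack is still 1
# and tcp_fack is not exposed at all. Prints the fixture directory.
make_demo_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sys/net/ipv4"
    printf '# constructed tcp_sack.conf\nnet.ipv4.tcp_sack = 0\nnet.ipv4.tcp_dsack = 0\nnet.ipv4.tcp_fack = 0\n' \
        > "$dir/tcp_sack.conf"
    echo 1 > "$dir/sys/net/ipv4/tcp_sack"
    echo 0 > "$dir/sys/net/ipv4/tcp_dsack"
    echo "$dir"
}

# Usage: sh check_sysctl.sh --demo   (fixture)
#        . ./check_sysctl.sh; check_sysctl_file /etc/sysctl.d/tcp_sack.conf
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_fixture)
    check_sysctl_file "$d/tcp_sack.conf" "$d/sys"
    echo "drifting keys: $?"
fi
```

The same check is the natural "pull the trigger" step for an opt-in package: apply the fragment with `sysctl -p`, then run it and refuse to report success while any key drifts; a key the kernel does not expose shows up as DRIFT rather than silently passing.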