Pull request is optional. It would maybe allow easier line-by-line discussion.
It needs to become more minimal. What I mean by that…
This:
```
APT_CACHER_NG_CACHE_DIR=/var/cache/apt-cacher-ng
```
Removable now thanks to systemd usage?
```
apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -t bookworm \
systemd systemd-sysv dbus dbus-user-session git time curl lsb-release fakeroot dpkg-dev \
fasttrack-archive-keyring apt-utils wget procps gpg gpg-agent debian-keyring sudo adduser \
apt-transport-https ca-certificates torsocks tor apt-transport-tor dmsetup apt-cacher-ng && \
```
Could you please reduce this to the same packages as listed here? Host Preparation Steps
At time of writing:
```
sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring safe-rm
```
Plus of course any packages absolutely required by docker.
Any packages you think are missing should either be added to the wiki or preferably to derivative-maker.
Rationale: I want to keep the delta (difference) between docker and non-docker as small as possible for simplicity. So any improvements should be upstreamed to derivative-maker generally (unspecific to docker).
For instance: apt-utils procps gpg gpg-agent debian-keyring
These packages should either:
- A) not be needed
- B) already a dependency of derivative-maker
- C) if missing and needed, that’s a bug that should be fixed in derivative-maker directly (not inside docker)
DNS related changes should not be done without defining the way forward for the upstream ticket: Use DNSCrypt by default in Kicksecure? (not Whonix!)
(related wiki page: DNS Security)
```
rm -rf /var/lib/apt/lists/* /var/cache/apt/* /tmp/* /var/tmp/* && \
rm -f /lib/systemd/system/multi-user.target.wants/* && \
rm -f /etc/systemd/system/*.wants/* && \
rm -f /lib/systemd/system/local-fs.target.wants/* && \
rm -f /lib/systemd/system/sockets.target.wants/*udev* && \
rm -f /lib/systemd/system/sockets.target.wants/*initctl* && \
rm -f /lib/systemd/system/basic.target.wants/* && \
rm -f /lib/systemd/system/anaconda.target.wants/* && \
rm -f /lib/systemd/system/plymouth* && \
rm -f /lib/systemd/system/systemd-update-utmp*
```
I don’t understand why that would be needed.