expand systemcheck unwanted packages list

HulaHoop · February 26, 2016, 1:09am

Until Whonix switches DEs there are some packages that should be banned if not already. The geolocation module is part of base KDE.

https://packages.debian.org/jessie/libs/libplasma-geolocation-interface4
https://packages.debian.org/jessie/libweather-ion6

EDIT by Patrick:

This forum thread is only about packages that should be added to systemcheck’s systemcheck_unwanted_package list. systemcheck/30_default.conf at master · Kicksecure/systemcheck · GitHub

Patrick · February 26, 2016, 10:12am

Unrelated to DE (desktop environment) switching since one could always
install such applications.

Unwanted packages list is implemented here:
~~https://github.com/Whonix/whonixcheck/blob/c6649dce555cba6b895de51f4cdfdd7e339d22f3/etc/whonix.d/30_whonixcheck_default.conf#L64-L72~~

github.com

Kicksecure/systemcheck/blob/master/etc/systemcheck.d/30_default.conf#L33


      
          
          
## Delete temporary files by systemcheck on exit.
          ## true: enabled
          ## false: disabled
          #DEL_TMP="true"
          
          
## How long systemcheck should wait at maximum until Tor bootstrap finished.
          ## Defaults to: 120
          #systemcheck_tor_bootstrap_wait_max="120"
          
          
## Unwanted packages systemcheck will warn against.
          systemcheck_unwanted_package+=" popularity-contest " ## privacy issues
          systemcheck_unwanted_package+=" canonical-census " ## privacy issues
          systemcheck_unwanted_package+=" unity-lens-shopping " ## privacy issues
          systemcheck_unwanted_package+=" unity-scope-video-remote " ## privacy issues
          systemcheck_unwanted_package+=" unity-scope-musicstores " ## privacy issues
          systemcheck_unwanted_package+=" bts " ## privacy issues
          systemcheck_unwanted_package+=" wnpp-check " ## privacy issues
          
          
## https://forums.whonix.org/t/more-unwanted-packages/2155/20
          ## https://github.com/marmarek/openqa-tests-qubesos/blob/master/extra-files/system-tests/whonix-test.conf

Please check reverse-depends (which packages are depending on that
package) and outline what these would be doing.

HulaHoop · February 26, 2016, 5:33pm

$ sudo apt-cache rdepends libplasma-geolocation-interface4
libplasma-geolocation-interface4
Reverse Depends:
plasma-dataengines-workspace
kde-workspace-dev

$ sudo apt-cache rdepends libweather-ion6
libweather-ion6
Reverse Depends:
plasma-dataengines-yawp

libweather-ion6 seems is just an interface for plugins to use for fetching weather data. The name of the first package suggests something similar. Maybe this functionality is not used without activating the geolocation/weather widgets?

Patrick · February 27, 2016, 11:01am

Possibly. Please try going further up by checking reverse-depends of reverse depends.

HulaHoop · February 27, 2016, 4:39pm

user@host:~$ sudo apt-cache rdepends plasma-dataengines-workspace
plasma-dataengines-workspace
Reverse Depends:
plasma-widget-yawp
plasma-widgets-addons
plasma-widgets-workspace

user@host:~$ sudo apt-cache rdepends plasma-dataengines-yawp
plasma-dataengines-yawp
Reverse Depends:
plasma-widget-yawp-dbg
plasma-widget-yawp

plasma-widget-yawp = yaWP (Yet Another Weather Plasmoid) - a KDE weather widget. Since its not enabled by default its ok.

HulaHoop · March 1, 2016, 6:11pm

A GNOME package for managing “cloud” accounts of PRISM partners. I think this should be banned to prevent newbie users from using them by mistake.

https://packages.debian.org/jessie/gnome-online-accounts

nurmagoz · March 8, 2016, 1:31am

do we need KDE wallet system (KWallet) in whonix (saw it in vbox version)?

Patrick · March 8, 2016, 12:33pm

I find this KWallet stuff very annoying outside and unrelated to Whonix. WiFi passwords are not simply stored and it no longer auto connects - each time it asks the wallet password. So I must figure out how to disable the wallet stuff. Usability issue.

Patrick · April 2, 2016, 3:09pm

2 posts were split to a new topic: How to get rid of insecure rpcbind?

nurmagoz · June 7, 2016, 6:56am

@HulaHoop there r vbox guest stuff installed inside whonix-kvm , i wonder why u dont remove them.

HulaHoop · June 7, 2016, 1:37pm

The files are small and don’t interfere with the other hypervisor. For simplicity the build system output gives builds of both versions KVM and Vbox in one run.

Patrick · June 7, 2016, 6:43pm

For simplicity, time saving and better usability for me personally, official downloadable Non-Qubes-Whonix builds are created with --target virtualbox and --target qcow2 at the same time.

Patrick · June 7, 2016, 10:50pm

Could you process the following thread please wrt packages to be added?

Which Debian packages leak information to the network?
https://lists.debian.org/debian-security/2016/05/threads.html#00043

HulaHoop · June 8, 2016, 1:11am

Thanks for getting the ball rolling Patrick. Very useful discussion

python-requests: fixed upstream
pip: leaks info about system package versions.
gnome-calculator: sets cookie. Bug open upstream for 2 years but not fixed by devs. Workaround is being done with Flatpak restrictions.

weather applications: leak location data but none enabled by default

Notes:

Apparmor network filtering not supported by upstream stock kernels:
https://bugs.debian.org/712451

Some advocate using sandbox frameworks like flatpak for blocking leaky apps.

Debian probably needs a privacy team to audit all packages that send
data to the network and develop mitigation, configuration or patches
to counter these.

+10 I strongly support Paul’s plan to have a review team look through packages and engage upstream projects to clean up leaks. He is open to attending a brainstorm session at DebConf16 if someone organizes it.

Patrick · June 8, 2016, 3:26pm

Can you make the changes in git whonixcheck config please?

HulaHoop · June 8, 2016, 9:55pm

Added.

Some people may complain but no one needs a package manager (python-pip) that still doesn’t support GPG signed packages and never will. After years of arguing they implemented TLS downloads and enabled it by default but as anyone knows this is not enough.

Weather widgets I can’t touch because they are reverse dependencies of core DE packages. The good thing is the user has to go out of their way to shoot themselves in the foot.

Patrick · June 8, 2016, 10:02pm

https://github.com/Whonix/whonixcheck/pull/5

Merged.

Off-topic: Btw it has been worked on or may still be worked on [did not check the status for some time] to make PIP use TUF.

HulaHoop · June 8, 2016, 10:29pm

It seems TUF is production ready after all. Its been integrated in half a dozen major projects including pip and docker.

HulaHoop · June 8, 2016, 10:40pm

Off-topic:

AppImage is supposed to be distro agnostic packaging format recently supported by Firejail. With TUF to secure app integrity and delivery we have a good combination.

github.com/AppImage/AppImageKit

Support for The Update Framework (TUF)

opened 10:37PM - 08 Jun 16 UTC

HulaHoopWhonix

enhancement idea help-wanted

AppImage is really cool. I propose integrating it with [The Update Framework (TU…F)](https://theupdateframework.github.io/) to have a secure mechanism for delivering programs from developers to end users. Their project has been designed for many years to work under many threat models and work around shortcomings in other package managers. Ruby,pip and Docker are some projects using TUF.

Patrick · February 3, 2021, 12:32pm

Do we want to keep this?
If so, we should add python3-pip as well?