Whonix build NOT safe at the moment.
The build happens in a chroot, but chroots are not safe against breakout, so building now could compromise the build machine.
Applies to Non-Qubes-Whonix only.
Qubes(-Whonix) build attempts to fix this.
Technical background:
Misery of Debian package repositories:
- Debian package repository: contains vulnerable apt version.
- security.debian.org Debian security fixes package repository: contains fixed apt version.
debootstrap is a popular Debian tool.
- Also used by Whonix: Whonix uses grml-debootstrap, which internally uses debootstrap, to create base Debian images.
- Also used by Whonix: Whonix uses cowbuilder, which internally uses debootstrap, to create packages.
debootstrap limitations:
- It can only use the Debian package repository.
- It cannot use the security.debian.org Debian security fixes package repository, because that repository only contains packages that have security fixes, not all packages, so it cannot be used on its own.
- debootstrap cannot use multiple repositories at once like apt-get can. It can only use one --mirror.
Usual build process:
Build a Debian base image from the Debian package repository, then upgrade it from the Debian package repository and the Debian security repository.
Problem:
Exactly this upgrade is the insecure step: it is performed by the vulnerable apt that the base image was built with.
Solution:
- a) securely update apt after debootstrap inside the base image and inside the cowbuilder image, OR
- b) multistrap:
  - make grml-debootstrap use multistrap with multiple repositories, and
  - create the cowbuilder image with multistrap with multiple repositories
Not exactly easy. So don’t hold your breath.
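Option b) sketched as an added example, not Whonix's own build code: a shell helper that writes a multistrap configuration listing both the Debian repository and security.debian.org, so the base image is bootstrapped with the fixed apt straight away instead of being created with the vulnerable one and upgraded afterwards. The suite (stretch), the architecture, the config path and the target directory are assumptions.

```shell
#!/bin/sh
# Added example, not Whonix's build code: multistrap config with two
# repositories (Debian + security.debian.org) so apt is resolved to the
# newest version across both while the base image is being created.
# Assumptions: suite "stretch", arch amd64, placeholder paths from the caller.
set -e

# write_multistrap_conf CONF SUITE ARCH TARGET
# "bootstrap=" lists the sections used while unpacking (both repositories);
# "aptsources=" puts both into the image's own sources list for later upgrades.
write_multistrap_conf() {
    conf="$1"; suite="$2"; arch="$3"; target="$4"
    cat > "$conf" <<EOF
[General]
arch=$arch
directory=$target
cleanup=true
noauth=false
unpack=true
bootstrap=Debian Security
aptsources=Debian Security

[Debian]
packages=apt
source=http://deb.debian.org/debian
keyring=debian-archive-keyring
suite=$suite
components=main

[Security]
packages=
source=http://security.debian.org/debian-security
keyring=debian-archive-keyring
suite=$suite/updates
components=main
EOF
}

# repo_count CONF: number of repository sections in CONF, not counting [General].
repo_count() {
    n=$(grep -c '^\[' "$1")
    echo $((n - 1))
}

# build_base_image CONF: run multistrap with the generated config.
# Only call this on a build machine that has multistrap installed.
build_base_image() {
    multistrap -f "$1"
}
```

Switching grml-debootstrap and cowbuilder over to such a config is the part the post calls not exactly easy; the config itself is the simple half.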