It worked!
Thank you 0brand.
More reasons to be cautious of third party package managers: a JS dependency used in many cryptocurrency wallets was used to inject malware, steal funds.
One positive outcome is that other projects are now reviewing their own policies and security practices regarding third party package managers.
Isn’t it better to follow @qubenix instructions above rather than to install from Debian testing? I think they are simpler as well.
Packages in testing or unstable can have hidden bugs, security holes etc. Moreover, some packages in testing and unstable might not be working as intended.
sudo pip3 install Electrum-3.2.2.tar.gz
Security issue: At that stage electrum does tons of downloads of third party libraries. I don’t think software signatures are verified.
- https://whonix.org/wiki/Install_Software#Avoid_Manual_Software_Installation
- https://whonix.org/wiki/Install_Software#Always_Verify_Signatures
- https://whonix.org/wiki/Install_Software#Avoid_Third_Party_Package_Managers
More reasons to be cautious of third party package managers: a JS dependency used in many cryptocurrency wallets was used to inject malware, steal funds.
- I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
- https://github.com/bitpay/copay/issues/9346
One positive outcome is that other projects are now reviewing their own policies and security practices regarding third party package managers.
- Dependencies may be an attack vector · Issue #4874 · spesmilo/electrum · GitHub
Did you notice he revised his instructions? they do not include pip anymore.
Those revised instructions are preferable in my opinion to installing from Debian Testing. If I’m wrong I’d like to know why. The tar file is verified with the signature before being used. Similar to verifying Whonix’s ova before importing them to VirtualBox.
https://whonix.org/wiki/Install_Software#Prefer_APT
You can install electrum any way you’d like. We believe the instructions in the wiki are the preferred method. If you prefer qubenix’s method that’s fine. Or if you would like to help with wiki documentation that would be awesome too.
This isn’t a question about the wiki or about personal preferences.
I am interested to understand, in this particular case (yes I get that in general APT is preferable), why qubenix’s method is less safe.
- Do we know for sure the file is authentic? yes, we verify with signature.
- Do we use third party packagers? no, we don’t.
- Do we use the latest version that is recommended by the developers? yes we do.
For most users it is hard to find out the real project page. Users are vulnerable to landing on phishing websites. See:
Most users nowadays don’t even enter domain names into the browser bar. They don’t know the difference between url bar and search bar. Rather than entering urls, they enter stuff into search engines and then click links.
Given this security non-awareness in big parts of the population… And…
Gpg verification is hard. For most users it’s hard to obtain the gpg signing key of the author making sure they’re not getting the public key of an impostor. Gpg signs files. Not file names. Even if users have the right key, they’re likely to overlook
Signature made Mon 02 Jul 2018 07:12:08 AM UTC
and to be affected by a version freeze attack.
So apt-get is still preferable. Doesn’t need to introduce external websites and/or new signing keys.
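The two pitfalls named above (gpg signs file contents, not file names, and the easily overlooked "Signature made" date that a version freeze attack exploits) can be checked mechanically instead of by eye. The following is an added example, not code from the Whonix wiki or from anyone in this thread. It parses the machine-readable status lines that `gpg --batch --status-fd 1 --verify` emits (those are real gpg flags), pins the signing key fingerprint, and rejects a signature that is older than a freshness window. The fingerprint, user ID and status lines are constructed samples; the timestamp 1530515528 is the "Mon 02 Jul 2018 07:12:08 AM UTC" quoted above.

```python
"""Parse gpg --status-fd output and apply the checks a cautious installer needs.

Added example. Assumes the verification was run as
  gpg --batch --status-fd 1 --verify Electrum-X.Y.Z.tar.gz.asc Electrum-X.Y.Z.tar.gz
and that the expected signing key fingerprint was obtained out of band.
"""
import subprocess
import time

# Placeholder fingerprint (constructed, not a real key). Pin it from an
# out-of-band source, never from the same site that serves the download.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed status output for three situations a user may run into.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <release@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2018-07-02 1530515528 0 4 0 1 10 00 "
    + PINNED_FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <release@example.invalid>\n"
)
NOKEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1530515528 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)


def run_gpg_verify(sig_path, file_path):
    """Run gpg on a real signature/file pair and return its status text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def parse_validsig(status_text):
    """Return (fingerprint, signature_epoch) from the VALIDSIG line, else None.

    VALIDSIG fields: fingerprint, sig date, sig timestamp (epoch), expiry,
    sig version, reserved, pubkey algo, hash algo, sig class, primary fpr.
    """
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2].upper(), int(fields[4])
    return None


def check_signature(status_text, pinned_fpr, now=None, max_age_days=90):
    """Return (ok, reason). Only a fresh VALIDSIG by the pinned key passes."""
    now = time.time() if now is None else now
    parsed = parse_validsig(status_text)
    if parsed is None:
        # BADSIG, ERRSIG/NO_PUBKEY, or no signature at all: nothing to trust.
        return False, "no valid signature"
    fpr, sig_time = parsed
    if fpr != pinned_fpr.upper():
        # A cryptographically valid signature by some other key is exactly
        # the impostor-key case: still a failure.
        return False, "signed by unexpected key " + fpr
    if sig_time > now + 300:
        return False, "signature timestamp is in the future"
    age_days = (now - sig_time) / 86400
    if age_days > max_age_days:
        # gpg signs contents, not names: an old release renamed to look
        # current carries a valid but old signature. This is the freeze check.
        return False, f"signature is {age_days:.0f} days old"
    return True, f"valid signature by pinned key, {age_days:.0f} days old"


if __name__ == "__main__":
    day_after = 1530515528 + 86400
    print(check_signature(GOOD_STATUS, PINNED_FPR, now=day_after))
    print(check_signature(GOOD_STATUS, PINNED_FPR, now=day_after + 400 * 86400))
    print(check_signature(BAD_STATUS, PINNED_FPR, now=day_after))
    print(check_signature(NOKEY_STATUS, PINNED_FPR, now=day_after))
```

On a real download you would feed `run_gpg_verify("Electrum-X.Y.Z.tar.gz.asc", "Electrum-X.Y.Z.tar.gz")` into `check_signature` with the project's published fingerprint. The freshness window is a heuristic: a signature that is months old is not necessarily forged, but it is the signal that a human reading "Signature made ..." is supposed to notice, so the script refuses instead of relying on that.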
FWIW I totally agree with @Patrick and @0brand about apt being the preferable install method.
When I made those instructions I wasn’t aware that there was a current version of electrum in debian repos. Historically the debian packages have been outdated, but that has changed recently.
Thanks for the detailed explanation.
I followed these instructions: How-to: Use Electrum Bitcoin Wallet in Whonix ™
The result message:
E: Release ‘buster’ for ‘electrum’ was not found
What is wrong?
Which are the right instructions?
electrum was removed from Debian testing. Please give me a little time to figure out the instructions.
Should we install from Debian sid?
Yes. Tested electrum “sid” and everything looks OK i.e. GUI, networking etc. I’ll fix the instructions a little later on (create Template:Install Testing and make any other needed changes)
qubenix:
More reasons to be cautious of third party package managers: a JS dependency used in many cryptocurrency wallets was used to inject malware, steal funds.
- I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
- https://github.com/bitpay/copay/issues/9346
One positive outcome is that other projects are now reviewing their own policies and security practices regarding third party package managers.
Great find!
Could you add this please to documentation under
and also mention from
Install Additional Software Safely?
The latter is affected by the same issue since users may often confuse using a third party package manager vs manual software installation. It’s separate things but very related since manual software installation instructions may include instructions using third party package managers or have scripts which act similar. (In result one could be victim of a malicious dependency like in above case.)
Yes, I meant Template:Install_Unstable
Edit:
Will also need.
https://whonix.org/wiki/Install_Software#Install_from_Debian_unstable
Thank you for reporting this. Instructions have been updated.
Followed the instructions @ https://www.whonix.org/wiki/Electrum, the install didn’t succeed because of unmet dependency “python3-electrum”. I also seem to be unable to follow qubenix’s instructions from above, where I’m getting
File "./electrum", line 53
sys.exit(f"Error: {str(e)}. Try 'sudo python3 -m pip install '")
^
SyntaxError: invalid syntax
user@host:~/Electrum-3.3.2/electrum$
Any chance someone could help a noob out. Thanks in advance!
Hi sinbrkatetete
This works for me.
Can you please post steps to reproduce. Meaning copy and paste all commands and output from your konsole please.
Also, are you using an Other Operating System (aka a custom workstation other than the default Whonix-Workstation VM)?