Installer contradiction and lite RAM configuration

Installing Whonix on Kicksecure host with conflicting error messages

sudo apt-get update --yes --error-on=any
The user is advised to attempt to debug this with the following steps:

  1. Run above command as root (with sudo).

Do as instructed and this error message contradicts the first:

[ERROR]: Non-Root Check: Running as root detected.

  • You are currently running this installer with root privileges.
  • This installer should not be run as root.
  • Please run as normal user.

the command
apt-get update --allow-unauthenticated
is like the above command with argument
--yes error-on=any
E: The update command takes no arguments

I believe the error has to do with package signing since ‘apt update’ successfully updates over tor with onionized repositories so ‘–onion’ installer should also work. However, sometimes SOCKS timesout.

Lite RAM install
Also, the system I am testing has a nuance that might be of interest. TAILS can run on practically any hardware, even with only 4GB RAM without issue. Qubes OS had a live USB (alpha) but stopped development. I am trying to run Whonix on a Kicksecure host with lite RAM. Like Qubes, the virtualizer is what requires the higher RAM. I had an .ova from version 16 Whonix but the signatures have been revoked as of 12 days ago. Nevertheless, initial tests confirm that Whonix is possible on systems with low RAM by reducing the graphics memory requirements in VirtualBox much like the KVM option is already configured. However, VirtualBox Whonix Gateway is not entering into a prompt mode like KVM. The initial boot message is displayed but no commands can be entered.

No contradiction. Run the installer as non-root.

Running apt manually requires root. Just the usual way to run apt. Just do it and fix any errors, which have nothing to do with Whonix.

Unnecessary and insecure. Fix expired signing keys, remove broken repositories. Don’t resort to unauthenticated.

What’s that?

1 Like


does not contradict

is inscrutable to me.

And, besides, the installer refuses to run either way.

As for the question about ‘–allow-unauthenticated’
I only bring this up because I encounter expiration of Debian keys frequently. For, example, I already have an .ova of Whonix 16.0.9 but ‘upgrade-nonroot’ returns with unable to upgrade because of expired signature. What other option is there?

Furthermore, I don’t think an answer that doesn’t answer anything (yet) means that the question is a bad question just because an “answer” follows a question like a last laugh.

https:// www

I had a nice computer with an Intel Alder Lake 12 generation and 24 GB RAM that was closer to flawless with Qubes OS R4.2. However, no consumer computer on the market is TEMPEST shielded and up to Spectrum Dominance environmental effects standards. So, cheap “burner” computers with low RAM might be the only solution in my case. Hence, why I even bother with lite hardware.

https:// www

The one is the installer. Don’t run it as root/sudo.

The other thing is your system package manager which you should know some very basics about it. It requires root/sudo.

The installer is giving you advice. Talking about it.

Two different things.

Because your system has issues which aren’t caused by the installer. Read the messages. Use a translator if you need. More productive than asking here.

Do run the command. Seriously. Do it.

sudo apt-get update --yes --error-on=any

Or at least run.

sudo apt-get update

Use a search engine to learn more about it. Really just a normal command. We’re in the age of search engines, youtube and AI. Use it. No need to debate it here.

Any errors you see there are your system issues. Fix them. Not caused by Whonix or the installer.

Stop sleeping, read the news, upgrade in time before the old version is deprecated, perform a release upgrade or install a new version.


I have a Kicksecure host. The system is exactly like every other Kicksecure system. sha512sum checks out fine. Verified with GPG key. ‘apt’ works just fine with onionized repositories.

The command

is run WITHIN THE INSTALLER which contradicts itself.

whonix-cli-installer-cli: [NOTICE]: Command executing: $ sudo -- apt-get update --yes --error-on=any --see, you are wrong. You don’t have a PhD in Information Warfare.

I will answer my own question. The installer can’t run this command within the installer because the installer is run nonroot. So, there shouldn’t be a “command executing” sudo within a non-sudo installer.

None of this is “basics.” You have a problem. Or, rather, you don’t know the answer which does not make me stupid.

What about this
Timed out while waiting to read 'first part of response' from proxy socks5h://
I have found no information about why these time outs happen and refreshing tor doesn’t help. I can try non-onion, but it would be good to know why these time outs happen. It is not my system. The network might be an obstacle or the onion server has an issue.

Not everything is user error. Do you know why, for instance, “shift” has an electromagnetic IRQ? There is no sign of physical intermittence in a bad keyboard that sometimes works and sometimes does not when in PAM. People will say youre just imagining but I have empirical repeatability. Oh, no! Not “low lang.” (They have “deprecated encephalus” which means “low head.”) No one has explanations for this!


The installer internally necessarily must use sudo to run apt-get.

I am the developer. I can guarantee this is working for most users most of the time.

We have automated CI testing. Here is an example:

You need a free github account to view the log (as per github policy). But that doesn’t matter. Here is the relevant excerpt.

2024-03-20T15:50:23.4376011Z dist-installer-cli: [e[1me[32mNOTICEe[0m]: Command executing: $ sudo -- apt-get update --yes --error-on=any
2024-03-20T15:50:23.4376902Z ++ sudo -- apt-get update --yes --error-on=any
2024-03-20T15:50:23.4377636Z Hit:1 stable InRelease
2024-03-20T15:50:23.4378260Z Hit:2 stable-updates InRelease
2024-03-20T15:50:23.4379047Z Hit:3 stable-security InRelease
2024-03-20T15:50:23.4379605Z Reading package lists...'
2024-03-20T15:50:23.4380672Z + true 'INFO: Exit code is zero but that does not guarantee in case of dnf that there is no error.'

The installer runs as non-root, right, but any script/program running as non-root can attempt to use sudo. The installer attempts to use sudo. And it’s working.

The installer tests if it is able to run sudo. Here is a demo.

whonix-installer-cli --non-interactive --log-level notice

Relevant excerpt:

dist-installer-cli: [NOTICE]: Version Detection: Setting dev software version.
dist-installer-cli: [NOTICE]: Command executing: $ sudo -- echo test

Please post the installer log. But probably not even need for it.

If the installer stops after sudo apt-get update --yes --error-on=any then it does that because of an error being detected.

That is why the installer is advising the user to run that command manually to see it for themselves and fix these issues.

Without log output I don’t think we can make meaningful progress here.


The installer without --onion argument progresses farther but exits after this error:

whonix-cli-installer-cli: [NOTICE]: Connectivity Test: Testing internet connection to 'rsync://'...
verify depth is 4
rsync: did not see server greeting
rsync error: error starting client-server protocol (code 5) at main.c(1863) [Receiver=3.2.7]

That looks like an interruption on the server side, as with the onion servers.

--non-interactive --log-level notice provides the same detail.

But this is the error from when --onion is appended with repos configured as needed

Err:4 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports InRelease

Connection timed out [IP: 9050]

Err:5 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm InRelease

Timed out while waiting to read 'first part of response' from proxy socks5h:// [IP: 9050]

Reading package lists...

E: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bookworm-backports/InRelease Connection timed out [IP: 9050]

E: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bookworm/InRelease Timed out while waiting to read 'first part of response' from proxy socks5h:// [IP: 9050]

E: Some index files failed to download. They have been ignored, or old ones used instead.

Please post the output of:

sudo apt-get update --yes --error-on=any

Or don’t.

Because probably next thing I am going to say: The issue isn’t caused by the installer. You need to fix your system’s APT / Tor issues.

Such issues are not caused by the installer. Seems like a Tor connectivity issue.

I think it is a network obstacle issue because tor is working fine on my system.

tor transport infrastructure must have a defect on network because VPN is successful (and much faster)

With VPN (multi-node, provider-defined, quantum-resistant, wireguard):

whonix-cli-installer-cli: [NOTICE]: Connectivity Test: Testing internet connection to 'rsync://'...
verify depth is 4
whonix-cli-installer-cli: [NOTICE]: Connectivity Test Result: 'success'

How could tor transport be interfered with on Kicksecure? systemctl status tor.service shows tor is enabled and is “successful” and I can navigate to onion sites and apt can get most updates via onion. Nyx shows that tor is functioning as expected.

There is something deeper going on no one can explain or has yet.

But I have Whonix now and am interested to see if I can run it with minimal RAM requirements? Isn’t KVM about as minimal as VirtualBox with the memory adjustments?

whonix-cli-installer-cli: [NOTICE]: Installer Result: 'SUCCESS'