I had installed and been using Oracle VirtualBox to learn how to use virtual machines for privacy. I also tried GNOME Boxes and found that I generally prefer to use Boxes. I recently upgraded to Whonix on VirtualBox.
I had read this page at the time and determined that the “officially endorsed” method for using Whonix was using Oracle VirtualBox:
I had also read the counter argument for KVM:
Whonix for KVM?
I decided to use the officially supported option (VirtualBox) because technicalities over licensing, Oracle’s slowness to fix bugs, or the possibility of Oracle charging for the software in the future did not seem as important as:
- Official Whonix support
- The purported leak-proofness of VirtualBox: “Whonix VirtualBox has a higher leak-proofness than Whonix KVM.”
I am interested in getting the most solid privacy option and it seemed like VirtualBox was the way to go.
Then I came across an article that got my attention:
After reading that I realized that Oracle is pure evil. They are pushing for a full on social credit system surveillance society. They aim to destroy freedom.
Then I started to wonder, did the Whonix developers actually take a deep look into the VirtualBox code? I had presumed that they had and that the code was found to be clean.
I looked up VirtualBox on Wikipedia and found that there is some debate about whether or not the software is open source:
“The core package, since version 4 in December 2010, is free software under GNU General Public License version 2 (GPLv2). A supplementary package, under a proprietary license, adds support for USB 2.0 and 3.0 devices, Remote Desktop Protocol (RDP), disk encryption, NVMe, and Preboot Execution Environment (PXE). This package is called “VirtualBox Oracle VM VirtualBox extension pack”. It includes closed-source components, so it is not source-available.”
Some features require the installation of the closed-source “VirtualBox Extension Pack”:[2]
Support for a virtual USB 2.0/3.0 controller (EHCI/xHCI) (Starting with VirtualBox 7.0, this functionality was integrated into the GPL version instead.[73])
VirtualBox RDP: support for the proprietary remote connection protocol developed by Microsoft and Citrix Systems.
PXE boot for Intel cards.
VM disk image encryption
Webcam support[90]”
“Since version 4.2[citation needed], building the BIOS for VirtualBox requires the Open Watcom compiler,[31] which is released under the Sybase Open Watcom Public License. The Open Source Initiative has approved this as “Open Source”[32] but the Free Software Foundation and the Debian Free Software Guidelines do not consider it “free”.[31][33]”
I looked up and saw that the Extension Pack is downloaded separately:
https://www.virtualbox.org/wiki/Downloads
So I could avoid the Extension Pack.
But what if there is some backdoor in the core software?
Considering that Oracle is a ruthless data broker, it seems dubious to use anything that they put out. It is like getting kinda open-source privacy software from Microsoft, Facebook, or Google. That just seems like a bad idea.
How close was the VirtualBox code scrutinized?
Do you (Patrick and others) feel like it is truly safe?
I know that you are working on an ISO image and that would allow us to install Whonix as an OS or put it in the virtual machine program Boxes. This would be a nice option.
I am wanting to use Whonix on my computer. The live mode or USB versions are not interesting to me. USB sticks wear out and I don’t want to keep important information on a USB stick that I am using as a daily driver. Plus USB sticks are slower.
I am wondering if KVM would be the safer option? But I hear that it is more difficult to use.
Personally I would prefer a Flatpak. That would make Whonix much more accessible to non-techies.