Kernel versions and security / Debian backports

Patrick · November 28, 2019, 5:56pm

Not sure. Probably just ignored.

Yes. Try out.
That’s why all changes go through developers → testers → stable-proposed-updates → stable repository.

The problem here is, we cannot predict the future. If backport kernels will break VirtualBox guest additions.

Major things coming to mind:

Fixed screen resolution (too big, too small, scrolling, not using full window space, black border).
No shared folders.
No copy/paste from inside/outside VM.
Trapping of keyboard/mice inside VM until VirtualBox host key is pressed.
Performance?

more details here perhaps:
https://www.virtualbox.org/manual/ch04.html

HulaHoop · November 28, 2019, 5:58pm

The lesser evil. A packaging hack is the path of least resistance IMO.

HulaHoop · November 28, 2019, 6:02pm

Or if we are enabling backports, then simply omit setting this apt config in VBox builds to begin with while designating the stable kernel during the build process?

Patrick · November 29, 2019, 12:33am

Enabling backports is inappropriate for a distribution.
Enabling backports alone does nothing. Still required APT pinning, which again is inappropriate for a distribution.
References:

If not using virtualizer specific kernel versions: Would have to download the package from Debian backports and upload to Whonix stable.
If using virtualizer specific kernel versions: Would require some packaging hack. Perhaps require to recompile the kernel.
- If recompile on developer machine - perhaps for all architectures.
  - (related: issues to compiling for all architectures as per this very post Whonix for arm64 / Raspberry Pi ( RPi ) - duplicate forum topic - #143)
- Or recompile on user’s machine, which is also unsolved. See this very post kernel recompilation for better hardening - #77 by Patrick starting from However, there is one blocker.

I don’t like the idea of virtualizer specific kernel versions. That’s adding a lot complexity. Hard to develop / test since involving different tests on different virtualizers.

It would also only be effective for a platform that I don’t maintain, KVM.
(Qubes is not yet Qubes VM kernel by default.)

Patrick · February 18, 2020, 5:06pm

Debian bug linux-image-amd64 vs linux-headers-amd64 Debian buster-backports version mismatch bpo.2 vs bpo.3 shows that just enabling backports repository might lead to issues. In this example, breaking all kernel modules due to kernel image vs kernel headers version mismatch from backports packages.debian.org.

HulaHoop · February 18, 2020, 8:44pm

OK. That’s a good citation for the wiki on why we don’t enable backports.

Patrick · February 19, 2020, 5:42am

added here:
Dev/APT Pinning - Kicksecure