Kicksecure: Minimal version?

renice · May 6, 2021, 7:09am

Hi!
First of all: I am not very familiar with Whonix or Kicksecure; just found it the other day. I thought: Let’s harden my Debian-Server with Kicksecure. But looking at the Dependency-List, it feels like adding more attack surface (especially DRM on a CLI-Install).

Have there been considerations

to remove python3-pyqt5 from repository-dist?
to provide a minimal-version that only installs the packages absolutely necessary? (no OpenVPN, no LVM, … - everything that doesn’t automatically make the system more secure is out)

Thanks in advance!

Patrick · May 6, 2021, 8:46am

GUI version was in a different package before but in order to have fewer packages it was merged. Conflicting optimization goals. (Fewer packages vs more fine grained package split for more customization / minimal.)

Most minimal (therefore also most difficult use case, most support intensive) doesn’t have a dedicated maintainer. Even CLI as currently is hasn’t. Lack of manpower.

For custom selection, most minimal see kicksecure-meta-packages/debian/control at master · Kicksecure/kicksecure-meta-packages · GitHub and pick and choose desired packages.

Instead of kicksecure-cli consider kicksecure-dependencies-cli or pick and choose packages from that.

kicksecure-dependencies-cli certainly has room for improvement. For example openvpn could be moved to kicksecure-packages-recommended-cli. Not even “recommended”.

Package: kicksecure-packages-recommended-cli
Description: Recommended packages for Kicksecure CLI
A metapackage, which installs packages, which are useful for
command line interface (CLI) Kicksecure.,
.
Feel free to remove if you know what you are doing.

Just useful pre-installed for some users that don’t want / can’t to connect using clearnet / without VPN before for installation for that package. CLI could move towards more minimal / more difficult to use.

Will probably happen later.

There’s none. Perhaps mistaken a similar name?

Packages such as python3-pyqt5, openvpn don’t increase attack surface if not actively used unless suid (not the case) or invoking the threat model “trust as few Debian maintainers as possible”, which isn’t sustainable.

renice · May 6, 2021, 10:14am

Hi!
Thanks for the quick reply! And thanks for your work for this project! It seems like there has been huge effort put into Whonix!!!

python3-pyqt5 adds lot of DRM, XCB, … (indirect dependency of kicksecure-dependencies-cli)

apt install --no-install-recommends python3-pyqt5
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  fontconfig fontconfig-config fonts-dejavu-core libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libdouble-conversion3 libdrm-amdgpu1 libdrm-intel1 libdrm-nouveau2 libdrm-radeon1
  libegl-mesa0 libegl1 libevdev2 libfontconfig1 libgbm1 libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libgraphite2-3 libharfbuzz0b libice6 libinput-bin libinput10
  libjpeg-turbo8 libjpeg8 libllvm11 libmtdev1 libpciaccess0 libpcre2-16-0 libqt5core5a libqt5dbus5 libqt5designer5 libqt5gui5 libqt5help5 libqt5network5 libqt5printsupport5 libqt5sql5 libqt5test5
  libqt5widgets5 libqt5xml5 libsensors-config libsensors5 libsm6 libvulkan1 libwacom-common libwacom2 libwayland-client0 libwayland-server0 libx11-xcb1 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0
  libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-present0 libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-util1 libxcb-xfixes0 libxcb-xinerama0
  libxcb-xinput0 libxcb-xkb1 libxdamage1 libxfixes3 libxkbcommon-x11-0 libxkbcommon0 libxrender1 libxshmfence1 libxxf86vm1 python3-sip x11-common
Suggested packages:
  cups-common libthai0 qt5-image-formats-plugins qtwayland5 lm-sensors python3-pyqt5-dbg
Recommended packages:
  qttranslations5-l10n libqt5svg5 qt5-gtk-platformtheme libqt5sql5-sqlite | libqt5sql5-mysql | libqt5sql5-odbc | libqt5sql5-psql | libqt5sql5-tds | libqt5sql5-ibase mesa-vulkan-drivers
  | vulkan-icd libwacom-bin

If someone is interested, this gives a nice Dependency view (had to search a long time for that):

apt install -s -o Debug::pkgDepCache::AutoInstall=true --no-install-recommends kicksecure-cli 2>&1 | less

I agree that OpenVPN for example is not much of a problem. But having it as a hard dependency fells like too much clutter for a Server. Is my assumption correct that nearly all effort is put into Whonix GUI (anonymitiy) and a Server is on the opposing side (Non-GUI, non-anonymity). Is there interest in seperating Kicksecure more? And having Servers as a Target for the OS? (I maybe do some one-time contribution if there is interest - my time management is bad so don’t count on that though)

Thanks for your work even though it feels not suitable for my usecase!

Patrick · May 6, 2021, 1:32pm

Not DRM. It has DRM in its name but it is unrelated to digital rights management (which I assume this is about). See package description on packages.debian.org.

Yes.

Patrick · May 7, 2021, 9:39am

Found an OK solution to keep GUI dependencies for repository-dist(-wizard) out of the CLI version.