Kicksecure: Minimal version?

Hi!
First of all: I am not very familiar with Whonix or Kicksecure; I just found it the other day. I thought: let's harden my Debian server with Kicksecure. But looking at the dependency list, it feels like adding more attack surface (especially DRM on a CLI install).

Have there been considerations

  • to remove python3-pyqt5 from repository-dist?
  • to provide a minimal-version that only installs the packages absolutely necessary? (no OpenVPN, no LVM, … - everything that doesn’t automatically make the system more secure is out)

Thanks in advance!

GUI version was in a different package before but in order to have fewer packages it was merged. Conflicting optimization goals. (Fewer packages vs more fine grained package split for more customization / minimal.)

Most minimal (therefore also the most difficult use case, most support intensive) doesn't have a dedicated maintainer. Even CLI as it currently is doesn't have one. Lack of manpower.

For custom selection, most minimal see kicksecure-meta-packages/debian/control at master · Kicksecure/kicksecure-meta-packages · GitHub and pick and choose desired packages.

Instead of kicksecure-cli consider kicksecure-dependencies-cli or pick and choose packages from that.

kicksecure-dependencies-cli certainly has room for improvement. For example openvpn could be moved to kicksecure-packages-recommended-cli. Not even “recommended”.

Package: kicksecure-packages-recommended-cli
Description: Recommended packages for Kicksecure CLI
A metapackage, which installs packages, which are useful for
command line interface (CLI) Kicksecure.,
.
Feel free to remove if you know what you are doing.

Just useful pre-installed for some users that don't want / can't connect using clearnet / without VPN before installation of that package. CLI could move towards more minimal / more difficult to use.

Will probably happen later.

There's none. Perhaps you mistook a similar name?

Packages such as python3-pyqt5, openvpn don’t increase attack surface if not actively used unless suid (not the case) or invoking the threat model “trust as few Debian maintainers as possible”, which isn’t sustainable.

Hi!
Thanks for the quick reply! And thanks for your work for this project! It seems like there has been huge effort put into Whonix!!!

python3-pyqt5 adds a lot of DRM, XCB, … (indirect dependency of kicksecure-dependencies-cli)

apt install --no-install-recommends python3-pyqt5
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  fontconfig fontconfig-config fonts-dejavu-core libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libdouble-conversion3 libdrm-amdgpu1 libdrm-intel1 libdrm-nouveau2 libdrm-radeon1
  libegl-mesa0 libegl1 libevdev2 libfontconfig1 libgbm1 libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libgraphite2-3 libharfbuzz0b libice6 libinput-bin libinput10
  libjpeg-turbo8 libjpeg8 libllvm11 libmtdev1 libpciaccess0 libpcre2-16-0 libqt5core5a libqt5dbus5 libqt5designer5 libqt5gui5 libqt5help5 libqt5network5 libqt5printsupport5 libqt5sql5 libqt5test5
  libqt5widgets5 libqt5xml5 libsensors-config libsensors5 libsm6 libvulkan1 libwacom-common libwacom2 libwayland-client0 libwayland-server0 libx11-xcb1 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0
  libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-present0 libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-util1 libxcb-xfixes0 libxcb-xinerama0
  libxcb-xinput0 libxcb-xkb1 libxdamage1 libxfixes3 libxkbcommon-x11-0 libxkbcommon0 libxrender1 libxshmfence1 libxxf86vm1 python3-sip x11-common
Suggested packages:
  cups-common libthai0 qt5-image-formats-plugins qtwayland5 lm-sensors python3-pyqt5-dbg
Recommended packages:
  qttranslations5-l10n libqt5svg5 qt5-gtk-platformtheme libqt5sql5-sqlite | libqt5sql5-mysql | libqt5sql5-odbc | libqt5sql5-psql | libqt5sql5-tds | libqt5sql5-ibase mesa-vulkan-drivers
  | vulkan-icd libwacom-bin

If someone is interested, this gives a nice dependency view (had to search a long time for that):

apt install -s -o Debug::pkgDepCache::AutoInstall=true --no-install-recommends kicksecure-cli 2>&1 | less

I agree that OpenVPN for example is not much of a problem. But having it as a hard dependency feels like too much clutter for a server. Is my assumption correct that nearly all effort is put into Whonix GUI (anonymity) and a server is on the opposing side (non-GUI, non-anonymity)? Is there interest in separating Kicksecure more? And having servers as a target for the OS? (I may do some one-time contribution if there is interest - my time management is bad so don't count on that though)

Thanks for your work even though it feels not suitable for my use case!
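A small audit helper, added here and not part of the thread or of the Kicksecure project, that parses the package sections of an `apt install -s` dry run (the format quoted above) and flags the display-stack libraries a headless server gets no benefit from. The embedded sample is a constructed, trimmed copy of the listing above; the name patterns are an assumption, not an official classification.

```python
import re

# Constructed sample: a trimmed copy of the apt dry-run output quoted in the thread.
SAMPLE_APT_OUTPUT = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  fontconfig libdrm-amdgpu1 libdrm-intel1 libqt5core5a libqt5gui5
  libxcb-dri2-0 libxcb-glx0 python3-sip x11-common
Suggested packages:
  cups-common qtwayland5
Recommended packages:
  qttranslations5-l10n libqt5sql5-sqlite | libqt5sql5-mysql mesa-vulkan-drivers
  | vulkan-icd libwacom-bin
"""

# apt prints each package list under a fixed header, indented by two spaces.
SECTION_HEADERS = {
    "The following additional packages will be installed:": "installed",
    "Suggested packages:": "suggested",
    "Recommended packages:": "recommended",
}

# Assumed prefixes of libraries that only matter with a display stack (DRM here is
# the kernel's Direct Rendering Manager, as the thread later points out).
GUI_PATTERNS = [re.compile(p) for p in (
    r"^libdrm-", r"^libxcb-", r"^libqt5", r"^libx11", r"^x11-",
    r"^libegl", r"^libgl", r"^libwayland",
)]


def parse_apt_sections(output):
    """Return {'installed': [...], 'suggested': [...], 'recommended': [...]}."""
    sections = {name: [] for name in SECTION_HEADERS.values()}
    current = None
    for line in output.splitlines():
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
            continue
        if current is None or not line.startswith("  "):
            current = None  # any non-indented line ends the section
            continue
        # Alternatives appear as "a | b | c" and may wrap onto a new line; '|' is noise.
        sections[current].extend(tok for tok in line.split() if tok != "|")
    return sections


def flag_gui_packages(packages):
    """Subset of packages whose names match one of the GUI_PATTERNS prefixes."""
    return [p for p in packages if any(pat.search(p) for pat in GUI_PATTERNS)]
```

Feed it the saved output of `apt install -s -o Debug::pkgDepCache::AutoInstall=true --no-install-recommends <metapackage>` to see how much of a metapackage's pull-in is display-only before installing it on a server.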

Not DRM. It has DRM in its name but it is unrelated to digital rights management (which I assume this is about). See package description on packages.debian.org.

Yes.

Found an OK solution to keep GUI dependencies for repository-dist(-wizard) out of the CLI version.
