[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Linux Foundation Craps , Whonix Anonymity Dilemma


#1

As we all know that Linux Foundation dont mind having nonfree software into linux code which is called “binary blobs”.

what does that mean is, any distro which is using normal linux kernel it will always contain a nonfree software. and what does that also mean:

  • Security bugs inside these nonfree codes (mostly firmwares) wont be discoverable (Zero day could take forever).
  • Any intentional malicious action from these nonfree software is also hidden with no one knowledge.
  • It can be used as backdoors.

Thats why we have ppl who came to rescue this situation by developing GNU Linux-Libre.

Linux Foundation is a total bullshit organization in the way they contribute to the society and freedom of software. one of their laughable things they accepted Microsoft company (the developers of windows malware) into their company ?!

Good news we have that Debian share the same thing by default with libre linux and they dont add any nonfree software into their distro by default unless the user going to add “non-free” packages into the distro repository.

Whonix Problem:

so this is by default we are selling non-sense regarding security and anonymity regardless what advantages could some gain from installing it by default. as we might installing backdoors into every whonix user who installed it without anyone knowledge and no body should trust any company (and oracle not very well user security interest) or any nonfree closed source product.

solution:

Remove all nonfree software/repo which is installed inside whonix as we dont need any support for any nonfree drivers (since whonix is installed inside virtualized platform, so this is done by host distro if the user want to install for e,g nonfree driver for his wireless or so…).

Note: vbox Guest should be left to the user needs , we CANT give pre-shipped threat to justify user satisfaction while using full-screen,sharing clipboard …etc. If the user wants these features then he either:

  • install the gues additions by himself
  • complain to Oracle to make it free software in order to be installed by default from us.
  • user contribute or pay and rise a developer to reverse engineering the Guest Addition and make it compatible with current vbox features/version.

for whonix organization and for taking care of their users we should stop doing it and we shouldnt doing it in the future.

Also this add an advantage to whonix-i2p , since its only for Qubes then we can remove these issues very easily.

Conclusion:-

  • Whonix is NOT secure distro unless its only contains libre/free software.

This should be added to the comparison with others table as:

contains nonfree software or purely free software


Why whonix is using contrib non-free ?
#2

II think its great that microsoft wants to contribute open-source software. I have no problem with Linux foundation accepting them if it benefits the community.

Has anything changed since the last time this was discussed?

So this would also indicate Whonix is not secure unless All hardware is libre/free. No?


#3

If you think Microsoft would benefits the community (Not itself) , then they totally got you with this joke.

Thats what should be changed. We should not subjugate users with adding nonfree software into their machines.

Hardware ? Whonix is a software program not a hardware. and we secure our side of development not developing an entire pc in a secure way because that is then not whonix we are talking about.

we change what is under our power and our responsible development. we must not install backdoors (nonfree software) by default due to whatever feature. because that go against what whonix concept of what is offering to the user which is anonymity. and that wont happen unless we have reasonable security, and reasonable security you wont have it unless your source code released and viewed by others or based totally on free software.


#4

Open-source software is neither good nor evil. Does microsoft benefit? Yes. Does the community also benefit? Yes

If a developer works for microsoft, then contributes code to Whonix, should that contribution be rejected because its somehow tainted? Of course not, because it benefits the community.

The reasons for keeping it like it is were stated in adding non-free packages by default is it safe?

Has anything changed that would convince Whonix developers to reconsider?

My point is just having non-free packages in itself does not make Whonix a non-secure distribution.

I would agree libre/free is safer and Whonix should use open-source if practical. Although just because its non-free doesn’t mean its back-doored.

There are reasons why VirtualBox has non-free. All of them legitimate. I don’t see that changing unless a reasonable alternative is found.


#5

Guest additions are in non-free repository because the virtualbox host
package is non-free.

“Virtualbox ships a BIOS that requires Watcom to compile from real
sources,precompiled copy they ship as well is free but is not the
preferred form for modification.”

http://lists.debian.org/debian-devel/2013/08/msg00106.html

From:

https://www.whonix.org/wiki/Dev/Virtualization_Platform#VirtualBox_no_longer_in_Debian_main

(More references there.)

Guest additions don’t contain non-free code. It’s a packaging error.

Quote:

I consider having the guest outside main to be a packaging error.

https://lists.debian.org/debian-devel/2013/08/msg00057.html

So there aren’t non-free packages in Whonix.

Arguments can be made against VirtualBox host software. As far as free
vs non-free, I think there are small issues with not being super
strictly Libre Software. Not worth going crazy about it.

On a broader view, if we would go that strict on that subject, we would
also have to go that strict on Debian. FSF complains about Debian.

https://www.gnu.org/distros/common-distros.en.html#Debian

See this list of packages in Debian that all have non-perfections why
FSF doesn’t like then.

https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines

By that strictness, we would have to deprecate Whonix VirtualBox
version, and ditch Debian an use gNewSense instead.

Then Whonix should also become a GNU project, which is so strict and so
difficult, that it’s unrealistic.

https://www.gnu.org/help/evaluation.en.html

I arbitrarily choose being non-super strict on Libre Software, not
totally sacrificing productivity and fun, by using wget like RSM (kudos)
to view html code of websites to stay super strict on Libre Software.

It’s realistic to increase priority on super strict Libre Software but
then we’d use popularity, users, weaken security (gNewSense had some
issues… don’t remember.), and meanwhile not improve anonymity/security.


#6

The LF is a group of companies who sponsor Linux development to benefit their goals which is mainly to have it be great in the serverrooom. Microsoft has no overriding power in the Linux Foundation. The fact that they joined is a PR move to give people the impression they “love opensource”. Ultimately no one cares.

Debian does a great job segregating non-free firmware from the kernel. If you don’t want the former just uninstall the package but you won’t be able to control the backlight, operate wifi for laptops and other problems.

The fact that something is proprietary does not mean it can’t be checked for malware. It can be reversed and the suspicious code or bugs found.


Haha I read your title as “Linux Foundation craps itself” and I thought: Well if they decide to collectively shit themselves there is no amount of diapers that can save us.


#7

Thats not gonna , you speak like you dont know microsoft but anyhow allowing Microsoft to contribute for any part of free software its like allowing Satan to contribute good deeds for heaven.

nonfree software is nonfree software , and we have it by default = thats alone is horrible impact on whonix security claims.

Thats something from technical point view you cant prove it and you can never prove it, because if the non-free programs which are inside whonix are backdoors (vbox addition or whatever firmware) then we are secure from bullshit side not based on reality. so allowing this chance to happen in an anonymity area has nasty come out.


#8

we just remove “contrib” “non-free” from our distro with their insalled software = thats all.

FSF included PureOS which is based on Debian in their list.

not necessarily, we dont need to use for e.g GPL v3 … so these we dont mind about and doesnt affect privacy/anonymity/security of our product on users.

No, we dont want this level of strictness but we shouldnt include these nasty stuff non-free software into our code/distro by our hands.


or at least remove the bad programs inside Whonix-GW , so that if the user got compromised it will only effect the WS not both with the same vulnerability inside the virus of non-free software.


#9

yeah thats true , but whos going to reverse tons of code and changeable each time it gets upgraded ? thats not good way at all to represent good base security from that.

lol


#10

TNT BOM BOM:

we just remove “contrib” “non-free” from our distro with their insalled software = thats all.

Having these repositories enabled doesn’t accidentally install contrib
or non-free packages.

TNT BOM BOM:

[quote=“HulaHoop, post:6, topic:5279”]
The fact that something is proprietary does not mean it can’t be
checked for malware. It can be reversed and the suspicious code or bugs
found.
[/quote]

yeah thats true , but whos going to reverse tons of code and
changeable each time it gets upgraded ? thats not good way at all to
represent good base security from that.

That’s the problem here. You’re using theoretical research, logic,
deductions, arguments. So this sounds big.

But for practical considerations:
In case of the VirtualBox non-freeness the complaint is about a single
relatively small file that probably hasn’t been changed in years (just
the virtual BIOS).

(And it will probably become a non-issue once the virtual BIOS gets an
upgrade to EFI or so.)

No, we dont want this level of strictness but we shouldnt include these nasty stuff non-free software into our code/distro by our hands.

The complaint on VirtualBox non-freeness is on the same level like
https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines
by strictness about freeness.


#19

Linux Foundation = Money Thats Corrupt Brain & Value

https://invidio.us/watch?v=TVHcdgrqbHE