Long Wiki Edits Thread

apparmor page needs an update as there is no more apparmor-profiles-whonix


1 Like

Please don’t alphabetically sort items on the Chat and perhaps some other pages. The rationale is: sort by highest order of recommendation.

The provider of the appimage (ideally same as developer of tox) could provide gpg signatures. People can gpg sign any kind of files.

Package doesn’t exist or just changed name? If it doesn’t exist, we just have to delete one section, easy.

OK. But we need to explicitly state that i.e. ranked in order.

Yes, but I was wondering about possibility with no advertised sig & key associated with that. Why don’t they put this on front page in an obvious place? Boggles the mind how uber-geeks lack common sense. No wonder their users are in the 100s or 1000s, because nobody can install it securely, 5 years after they started developing…

Anyway, this should work below and be easiest for Non-Qubes-Whonix? Reasonable?

Will not work in Qubes-Whonix due to blocks on downloading random stuff into TemplateVM at steps 2 & 3 ie “can’t load uri” etc. So another solution is required or one could just bypass it by downloading in non-TemplateVM and just shift it between qubes.

== Installation ==

| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Non-Qubes-Whonix only.

As qTox is not currently available as a stand-alone Debian package, users have three choices in late-2018:

  • Build the package from source (difficult).
  • Rely on an unsigned, self-contained AppImage downloaded from the Tox homepage (insecure).
  • Install Flatpak from stretch-backports and then install Tox from the Flathub repository (easiest).

== Flatpak Method ==

Note: .flatpakrepo files generally include the base64-encoded version of the GPG key that was used to sign the repository.

Steps for the Flatpak method are outlined below.

‘’‘1.’‘’ Install Flatpak.

Note: It is recommended to create a separate Whonix-Workstation before installing addtional software. Also qTox is alpha software which has not been formally audited, therefore it is less trusted.

Flatpak must be installed in Whonix-Workstation from Debian backports.

{{Install Backport|package=

‘’‘2.’‘’ Add the Flathub repository.

Flathub is a common place to source Flatpak applications. To enable it, run.

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

‘’‘3.’‘’ Restart and install qTox.

A restart of Whonix-Workstation is necessary for flatpak to finish setting up.

To install qTox from flathub, open a terminal (Konsole) and run. Flathub—An app store and build service for Linux

flatpak install flathub io.github.qtox.qTox

‘’‘4.’‘’ Start qTox.

To launch qTox, run.

flatpak run io.github.qtox.qTox

1 Like

changed from apparmor-profiles-whonix to apparmor-profiles-hardened-debian.

also i dunno if these profiles are valid for whonix-gw , as i can see all of the profiles targeting the WS but i leave that answer to @Patrick

1 Like

Software signatures is a broken system that only at least somewhat-computer-geeks will get. At the same time these chase way regular users due to added complexity. They’d rather skip installing something with signatures available if they don’t know how and install something insecure instead that doesn’t mention it feeling more secure.

Fixing this mess could be metalink with OpenPGP support automating all of this:

Looks good.

Is that a secure system? @HulaHoop

1 Like

Point Release - Kicksecure - introduced this term for an upcoming Qubes-Whonix point release Qubes-Whonix 14 (4.0.1-201811040215) TemplateVMs Point Release for Qubes R4 -- Testers Wanted! and soon also Non-Qubes-Whonix 14 point release.

According to their lead dev, they do implement GPG signing (htough optional) of flatpak repos and code commits:


I want to suggest they adopt TUF for their software repo code because it has defense in depth against so many other attacks than basic download poisoning.


include keepassxc to the comparison


very important as i think now its the best one in use from high tech ppl like micahlee

But how does it link the creator of the package with the package itself? If someone replaced the package on the website and resigned it, no one would notice that?

Imagine one day of the month Whonix downloads were signed by someone other than me. Key/signatures delivered the same way. Looks like with flatpak no one would notice?

One would need to add the dev key to their keyring for this process to go thru. Much the same way as adding an outside apt repo to Whonix.



One would need to add the dev key to their keyring for this process to go thru. Much the same way as adding an outside apt repo to Whonix.

Then it sounds ok. I was missing that step in @torjunkie 's instructions
above or overlooked.

In any case, please proceed @torjunkie.

1 Like

Tox is also alpha software which has not been formally audited, therefore it is less trusted.

formally audited is a very high hoop to jump through. Not much software has been formally audited ever. And even formal audit isn’t a “replaced brakes” alike operation. It’s like a “medical checkup”. It can mean many things, can be superficial and cheap or it can be super throughly and cost hundreds of thousands.


OK - will fix that.

One question is where HexChat & RetroShare sit in the recs list. Now we have:

  1. Ricochet IM
  2. Gajim
  3. Tox

Also, the “Change the System or Tor Browser Language” page has Qubes-Whonix applicable stuff in it e.g. Tor Browser language changes, so it should also be moved up to where the Keyboard page went (and out of the Non-qubes-whonix Only section of ToC). Plus, Whonix has lots of non-English users, so it will be a Whonix 1st step for many users i.e. keyboard + language changes e.g. German in your case.


We can mark the System Language Changes section as Non-Qubes-Whonix only in that page (although some bits of that look like they would work in Qubes-Whonix e.g. Korean and Russian language changes i.e. if they would work in Debian-9 TemplateVM, they would work in Whonix-WS TemplateVM and propogate?)

In fact, only “System - All languages” looks non-qubes-whonix specific.

1 Like

All the (huge) Bitcoin stuff here:


Should be moved to a stand-alone page, and out of the Money page. And also listed as a stand-alone link on the main ToC with all the other crypto-currencies.

(Will also need a nice image then too @TNT_BOM_BOM if split off).

Then, the money page is a high-level overview. Of course, particular emphasis can be given to the reader reviewing the Bitcoin page in conjunction, since it is the most popular cryptocurrency by a wide margin.

1 Like

I guess:

  1. Ricochet IM
  2. Gajim
  3. HexChat
  4. RetroShare
  5. Tox

Is proper recommended order for recs?

Actually, much is KDE-specific or non-Qubes-Whonix only.

Some bits ‘kind of’ work in Qubes-Whonix. Russian instructions have Russian language appearing in all VM apps instead of English, just not Russian keyboard input even when set to default. Ditto Korean using dpkg-locales reconfig.

(e.g. keyboard input for Korean would require ibus-hangul or similar installed in TemplateVM, which allows easy switching. Proper presentation of all characters would also require fonts-unfonts-core. That seems to work in Debian 9, so would work in whonix-ws-14 templateVM. Russian would have similar steps).

So I guess leave it where it is and don’t bother with instructions for Qubes-Whonix i.e. user’s / Qubes OS documentation problem (“not our bug”). The Tor Browser page already has a link to changing Tor Browser language bit (which covers off Qubes-Whonix), so that’s fine.

I’m not sure there is actually a full language presentation change that is possible system-wide for Qubes i.e. every menu, every dropdown, dom0, Qubes Manager etc appearing in Japanese, or Russian or whatever? Probably they haven’t implemented full language features yet since it would be a huge task?

I don’t see any instructions for that on their wiki or docs - so maybe users are stuck with English, system-wide presentation at least.

1 Like
Ricochet IM

Gajim: better usability, more jabber users, offline messages.
Ricochet IM: lengthy setup
Tox: not packaged for Debian
RetroShare: Outdated keys.
HexChat: not really a messenger but I guess it is ok to be left there since it’s Chat.


Live Mode for Kicksecure ™ - Kicksecure instructions are still a bit “wild”. These are correct by the letter, technical, “method focused” but these are not unified blocks to be consumed by less-technical users who just want step by step instructions that just work.

Once that is fixed I agree, Whonix Live deserves to be promoted in much more popular places on our website.

1 Like

The formatting now should help.

HexChat, ZeroNet & IM messenger overview page → all fixed.

Just RetroShare, MixMaster and Signal to fix in that section.

1. I gather RetroShare works in (Qubes-)Whonix, but that just some of the security issues could be tighter? e.g.

Allow alternative proxy addresses · Issue #356 · RetroShare/RetroShare · GitHub


⚓ T560 finish RetroShare over Tor port redirection instructions

On the wiki page, it says:

“INCOMPLETE - Depends on unimplemented features for Whonix”

That makes it sound like it doesn’t work, instead of (the probable intended meaning) “It works, but not with the best possible anonymity/security settings”.

2. Signal stuff says “Incomplete”. If it doesn’t work with those steps and it is just a basic skeleton, then I think we remove it from the main ToC i.e. because it is non-functional and not up to wiki standard for users.

3. That MixMaster page needs major reworking the way all the content is across 2 pages (Nym Server stuff can stay separate). Right now the main page is less useful than some of the Dev stuff.

Could someone please write a call for testers news for Live Mode for Kicksecure ™ - Kicksecure?