1. The second, extra Whonix-WS firewall wiki info went MIA? Is it deprecated / no longer under development? If so, there are a few references to it here and there that need to be removed from wiki e.g.
Consider enabling the optional (extra) Whonix-Workstation ™ firewall.
2. Also this recommendation in the “Expert” section - what about Coreboot? Should we add it - did anyone ever get Whonix running on it? (never tried - way, way too hard) cc: @madaidan
Libreboot is a free, open source BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS.
I’ve never tried Coreboot/Libreboot as it’ll probably brick my motherboard. I would recommend against Libreboot though as it allows no proprietary firmware at all. This means no microcode updates which are pretty important for security.
It doesn’t look like forcing onion with HTTPS Everywhere user rule sets is possible with the current version which is 2019.5.13. Or at least it can’t be done using these instructions.
I am able to copy over my user rule sets from an earlier Tor Browser/HTTPS Everywhere version. (works OK). However, unless someone has an idea, this part of the forcing onion docs should be deprecated imo.
Yeah, please recommend against Libreboot and give the reason why (hopelessly impractical because of firmware blacklisting), also keep a note on Coreboot for those who might want to buy systems that have it by default like Chromebooks or maybe they would want to research how to flash it onto the handful of refurbished boards out there that support it.
The only thing I couldn’t remember in those edits was whether it must be tor+http for Whonix sources list, or just http.
(Or maybe you already modified the code block by default to have the onion available just by uncommenting - don’t remember, was a while since I played with Whonix sources)
Thanks for pointing that out. Room for improvement here.
As a general rule:
When using apt-get and .onion one should always be using tor+http whether inside or outside of Whonix. Non-critical (as per footnotes in link below).
Onionizing Repositories: Difference between revisions - Whonix - template deprecation isn’t ideal. If tor+http doesn’t work on plain Debian, then we need to update the instructions for plain Debian. The fix would be “install apt-transport-tor beforehand” most likely. tor+http isn’t developed by Whonix, apt-transport-tor implements it. Could you revert that please?
In that apt-transport-tor stuff, I had also changed one of the weird onions (earth… .onion) to the proper Debian security one? Check that was correct also.
BTW Can Whonix builds etc. borrow any settings from this hardening list?
The compile time hardening stuff has to be implemented by Debian. It’s related to compiled code. Whonix can’t recompile all of Debian. In the few places where Whonix is using compiled code we enable all compile time hardening.
Well, looks like I was wrong. Not sure why but the window to add user rule set now drops down when I click on “see more”. Previously this was not showing up.
Updated the page. They were relatively safe edits imo. So pushed to live wiki.
The period of when a project is new and lots of people suggesting all kinds of major changes (marry with Tails, why not use OpenBSD) is long over. Most geeks wanting all sorts of obscure things such as secondary DNS are onboarded already.
Moving most if not all of its contents to where these would fit better or even new pages if needed. Some under /Dev.
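The tor+http rule for .onion APT sources discussed earlier in the thread can be checked mechanically. The following is an added example, not code from the thread or from Whonix: it audits one-line-style sources.list entries and flags active .onion URIs that are not routed through apt-transport-tor. The function name, the sample hostnames and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One-line-style APT entry: type, optional [options], URI, suite.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

# Constructed sample input; the .onion hostnames are placeholders.
SAMPLE = """\
deb tor+http://constructedexample1.onion/debian bookworm main
deb http://constructedexample2.onion/debian-security bookworm-security main
#deb http://constructedexample3.onion/repo bookworm main
deb [arch=amd64] https://constructedexample4.onion/repo stable main
deb https://deb.debian.org/debian bookworm main
"""


def audit_sources(text):
    """Return (line_no, uri, suggested_uri) for each active .onion entry
    whose URI scheme is not a tor+ transport (apt-transport-tor)."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop comments, which also skips entries disabled with a leading '#'.
        line = raw.split("#", 1)[0].strip()
        match = ENTRY.match(line)
        if not match:
            continue
        uri = match.group(2)
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if host.endswith(".onion") and not parts.scheme.startswith("tor+"):
            # Suggested fix: same URI, prefixed so apt uses the tor transport.
            findings.append((line_no, uri, "tor+" + uri))
    return findings


if __name__ == "__main__":
    for line_no, uri, fix in audit_sources(SAMPLE):
        print(f"line {line_no}: {uri} -> use {fix}")
```

The suggested URIs only work once apt-transport-tor is installed, as noted in the thread for plain Debian.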