Long Wiki Edits Thread

@onion_knight

Fixed WS and GW size (in template) based on your forum thread i.e. around 50% reduction:

  • 850 MB (GW)
  • 1.1 GB (WS)

Let me know right away if that isn’t right. Also updated Whonix 14 release forum post, which had incorrect figures.

The Whonix-Gateway is reduced from 1.7 GB to 850 MB, while the Whonix-Workstation is reduced from 2 GB to 1.1 GB.

Fixed. Although I didn’t add HulaHoop’s step below (because I just saw it). Can add if you want:

Compare your microcode version number before and after updating to see if its applied:

sudo dmesg | grep “microcode updated early to”

If it succeeded it should say something like:

microcode: microcode updated early to revision X

Microcode - Debian Wiki

In the process of fixing… we should recommend for host AND Whonix VMs right? So add to “Host Security” page of Basic Security Guide - seems like a nice fit there and Whonix-WS and Whonix-GW security pages for VM kernel I suppose.

Good job 0brand. You are getting some very solid contributions under your belt, and I for one welcome it! More please :slight_smile:

3 Likes

Done!

2 Likes

Yes please.

2 Likes

@Patrick My bad. I thought that Debian had added a v3 onion repo but it was a Whonix url I was changing it to. Good catch.

Do you think we should recommend the onion address as a safer default, considering tht we will be transitioning to a fully onion repo list soon.

I don’t expect too soon. Waiting Debian onion v3 (to proof Tor onions can handle the load) and maybe for onionbalance v3:
Onionizing Qubes-Whonix Repositories - #23 by mig5

Onionizing Repositories could say “for better security, disable clearnet and leave onions only”. Added that but undocumented.

Onionizing Repositories has some imperfections.

  • sudo nano

    • nano vs graphical editor
    • do we have a wiki template for that?
    • we have Template:Open with root rights - Whonix but that is for Whonix only, not guaranteed to work outside of Whonix (actually fails in Qubes Debian templates since these don’t have kwrite installed by default)
  • /etc/apt/sources.list.d/debian.list

    • Whonix: correct
    • plain Debian hosts and Qubes Debian template: incorrect, it’s /etc/apt/sources.list
  • Maybe instructions shouldn’t be by Debian packages, Whonix packages, Tor packages, Fedora packages. Perhaps better instructions for:

    • Qubes dom0
    • Qubes-Whonix TemplateVMs
    • Qubes Debian TemplateVM
    • Qubes Fedora TemplateVM
    • Non-Qubes-Whonix
    • plain Debian hosts
  • Then each chapter could contain instructions to onionize it as much as possible.

    • Whonix: from onions/clearnet to exclusive onions
    • others: from clearnet to exclusive onions
1 Like

As discussed with Marek and adw.

As for future Whonix support timelines… To have something doable…

  • once a new stable Qubes version is released, shortly after, there might be a 1 month notice to upgrade to that newer version of Qubes if users wish to keep using Qubes-Whonix

  • once a new stable Qubes-Whonix version is released, shortly after, there might be a 1 month notice to upgrade Qubes-Whonix if users wish to keep using Qubes-Whonix

  • once a new stable Non-Qubes-Whonix, shortly after, there will be a 1 month notice to upgrade Whonix if users wish to keep using Whonix

  • once a new stable Debian is released, shortly after, there might be a 1 month notice to upgrade Debian, if users wish to keep using Whonix

<ref>This is to relieve Whonix developers from having to diagnose and support old-stable versions of Qubes/Debian/Whonix which results in a lot duplicate maintenance effort.</ref>

Where can we add this support policy?

1 Like

Whonixnews, sticky on the Qubes subforum and a notice at the top of the Qubes main wiki page?

2 Likes

Added info to the About page to pick this issue up.

Might clean up some more links before fixing up that kernel stuff, but I’ll get there soon enough

1 Like

corridor -> Fixed.

There is one TODO there i.e. non functional bridges config.

Also, there is one table in the FAQ wiki page saying “Ignore for now. Broken since shift” or similar (Tails vs Whonix comparison). Can we just get rid of that or update the links or whatever?

Also, that Browser Plugins page is very messy.

Based on technically capable 0brand not being able to get Flash working in Tor Browser by:

a) installing flash player (non-free) from Debian; or
b) manually installing it from Adobe

and Tor Project blocking all plug-ins by default (I gather some about:config changes etc maybe also needed?), then 90% of Whonix users are not going to be capable of this, if it is even possible at all?

Has anyone got Flash working in recent Tor Browser versions?

I recommend, based on Flash:

  • being phased out by most websites
  • also being a security nightmare
  • many other safe ways to access same media e.g. downloading tools etc.
  • plus that wiki page quoting 5 year old JonDos info that just doesn’t work.

That we deprecate all the Flash instructions and point any intrested users to deprecated section i.e. it’s their own problem to work it out.

Why work hard to help users shoot themselves in the foot and fail to learn proper (safe) practices? Waste of time.

1 Like

The likely scenario would be a user installing Firefox in Whonix-Workstation then installing flash. Both of which are recommended against.

At current time there isn’t much that is useful in that chapter. Cleaning up that page is on my TODO but how useful will it be even after that is done? Can’t install any plugins in TBB.

Think it would be better to put our efforts into documentation that strengthens security /anonymity IMHO.

1 Like

Should the wiki firejail instructions have users install from stretch-backports? They currently direct users to install from jessie-backports.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Security_Guide#Installing_Firejail

All the mega-size security guide, advanced security guide, and computer security education pages are deprecated since I split them all into separate pages.

So, the correct entry for that (updated & working) is now here:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Workstation_Security#Install_Firejail

Make sure you don’t link to those old pages when you write up new content.

1 Like

MAC Address -> Fixed (and restructured)

Also, that Tor page which has a ton of information under “Advanced Topics” relating to guard fingerprinting -> all that should become it’s own Guard Fingerprinting wiki page IMO (too long to be in there).

If you agree, I’ll go ahead and create that.

Ok.

Sure. I also couldn’t motivate myself to fix that plugins. (Would entail
asking TPO how to make flash plugin work.)

Sure, why not Deprecate, wiki move page to

Deprecated/Browser Plugins

0brand:

Should the wiki firejail instructions have users install from stretch-backports? They currently direct users to install from jessie-backports.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Security_Guide#Installing_Firejail

backports only if needed. Needed for something?

can someone open in Design - Whonix new page with the name like:

Whonix Installed Packages Comparison

Working on firejail profiles for Whonix. firejail-profiles(utils) are available in stretch-backport, buster, sid…

Using those profiles for reference.

2 Likes

Comments to use Qubes .onion repositories was applied by Merak Marek. :slight_smile:

Edit: Will update onionizing Qubes repositories wiki.

2 Likes

My last post has been edited.

“Marek” is the correct spelling. :slight_smile:

Created this page for you:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix_Installed_Packages_Comparison

When finished, just needs a link to the most appropriate Dev section.

Fixed.

Added large deprecation & out-of-date notice to each.

Fixed.

3 Likes