Ah okay - will fix that here and there in the wiki.
Could you please document clock-random-manual-cli (see man clock-random-manual-cli) - and clock-random-manual-gui?
It's there since Whonix 14 already but never documented. It is supposed to be used in case sdwdate is failing.
I've never tried Coreboot/Libreboot as it'll probably brick my motherboard. I would recommend against Libreboot though as it allows no proprietary firmware at all. This means no microcode updates which are pretty important for security.
It doesn't look like forcing onion with HTTPS Everywhere user rule sets is possible with the current version which is 2019.5.13. Or at least it can't be done using these instructions.
https://whonix.org/wiki/Forcing_.onion_on_Whonix.org#Adding_User_Rules
I am able to copy over my user rule sets from an earlier Tor Browser/HTTPS Everywhere version. (works OK). However, unless someone has an idea, this part of the forcing onion docs should be deprecated imo.
Please do a mass find-replace for "->" and use the HTML right-hand arrow instead: → which looks much better.
What do you think @HulaHoop ? remove? (if mere mortals can't achieve it & no microcode updates available)
Yeah please recommend against libreboot and the reason why (hopelessly impractical because firmware blacklisting), also keep a note on Coreboot for those who might want to buy systems that have it by default like Chromebooks or maybe they would want to research how to flash it onto the handful of refurbished boards out there that support it.
Done.
Thanks, will fix that.
Thanks, looks much better
Confirmed that these instructions don't work (as you pointed out already):
(x2 on that page)
sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable
whonix_repository unknown option: --baseuri
The only thing I couldn't remember in those edits was whether it must be tor+http for whonix sources list, or just http.
(Or maybe you already modified the code block by default to have the onion available just by uncommenting - don't remember, was a while since I played with whonix sources)
Thanks for pointing that out. Room for improvement here.
As a general rule:
When using apt-get and .onion one should always be using tor+http whether inside or outside of Whonix. Non-critical (as per footnotes in link below).
I added that to https://www.whonix.org/wiki/General_Host_Security#apt-transport-tor but it may still not be clear enough.
Also https://www.whonix.org/wiki/General_Host_Security#apt-transport-tor might not be perfect placement and also interlinking with https://www.whonix.org/wiki/Onionizing_Repositories is missing.
Having learned that, pointing out tor+http on https://www.whonix.org/wiki/Onionizing_Repositories might be useful too?
When using apt-get and .onion one should always be using tor+http whether inside or outside of Whonix. Non-critical (as per footnotes in link below).
That said, we might be missing tor+http in various places on https://www.whonix.org/wiki/Onionizing_Repositories and even in (Qubes) source files?
https://www.whonix.org/w/index.php?title=Onionizing_Repositories&oldid=47712&diff=cur - template deprecation isn't ideal. If tor+http doesn't work on plain Debian, then we need to update the instructions for plain Debian. The fix would be "install apt-transport-tor beforehand" most likely. tor+http isn't developed by Whonix, apt-transport-tor implements it. Could you revert that please?
Will fix that.
In that apt-transport-tor stuff, I had also changed one of the weird onions (earth… .onion) to the proper Debian security one? Check that was correct also.
BTW Can Whonix builds etc. borrow any settings from this hardening list?
The compile time hardening stuff has to be implemented by Debian. It's related to compiled code. Whonix can't recompile all of Debian. In the few places where Whonix is using compiled code we enable all compile time hardening.
Well looks like I was wrong. Not sure why but the window to add user rule set now drops down when I click on "see more". Previously this was now showing up.
Updated the page. They were relatively safe edits imo. So pushed to live wiki.
https://whonix.org/w/index.php?title=Forcing_.onion_on_Whonix.org&curid=966&diff=47758&oldid=46354
Another big task would be rebooting the FAQ.
The period of when a project is new and lots of people suggesting all kinds of major changes (marry with Tails, why not use OpenBSD) is long over. Most geeks wanting all sorts of obscure things such as secondary DNS are onboarded already.
Moving most if not all of its contents to where these would fit better or even new pages if needed. Some under /Dev.
https://www.whonix.org/wiki/Dev/Operating_System
https://www.whonix.org/wiki/Post_Install_Advice
https://www.whonix.org/wiki/Secondary_DNS_Resolver
https://www.whonix.org/wiki/Why_is_Tor_slow
https://www.whonix.org/wiki/Tor
https://www.whonix.org/wiki/Dev/Virtualization_Platform
https://www.whonix.org/wiki/Tunnels/Introduction
We could then count what the actual FAQ are nowadays and repopulate the FAQ.
Added video & audio editor and they are cross DEs.
un-template this section for better formatting (& only used on this page?)
To answer this question…
On any template page (here: https://www.whonix.org/wiki/Template:TorBrowser_Proxy_Configuration) upper right gearwheel drop down menu What links here
https://www.whonix.org/wiki/Special:WhatLinksHere/Template:TorBrowser_Proxy_Configuration
that page is also used here:
Agree the FAQ is a bit sloppy at present and needs lots of bits being cut and pasted to other pages with a "see here:" link to those relevant sections. Other priorities as I see it:
- Whonix 14 Updates & Whonix 15 release notes (should be 1-2 months and Whonix 15 will be available across all platforms). If you want to list a bunch (all) of the resolved bug links there, that would help (I'll do the rest)
- A number of templates now have outdated links e.g. to the old mega large security guides -> Needs a proactive manual check x250 templates or so. Yah!
- Encrypted email entry is pointing to dead VFEmail. Needs text changes and a lot of pic upgrades to account for that.
- Continual rephrasing, link checking, updates of instructions, updated output, updated info etc. from Anonymous Email section down - although we've achieved lots of fixes and improvements in various sections/areas further down the page already. (PS take mig5 off the current maintainer list?)
The first 9 sections up to and including Anonymous Browsing are now in a reasonable, functional, up-to-date state IMO.
Other observations - the text generally looks better when:
- no abbreviated words e.g. "devs"
- avoiding abbreviated forms e.g. "it's", "they're" etc. Full form is better
- avoiding # presentation e.g. [[Multiple_Whonix-Gateway#KVM]]
- defining acronyms first before using them
- avoiding "folksy" language like the intro section here -> http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/VoIP (will fix that)
- stating things affirmatively, rather than in third person i.e. avoiding "users" & passive language
- avoiding personal pronouns in general (I, you, we, she/he, they, us etc.) e.g. "If you want to set a …" -> "To set a …", "If you are getting an error when …" -> "If an error appears when …" etc.
- consistency in boxing & numbering long instructions
- consistency in spacing
- info boxes generally at the top of each section it applies to
Just gives it a more professional feel IMO.
PS I think the Tor devs hiding away NoScript from taskbar is a mistake. Better to have visual confirmation and I have seen attacks in the wild that enable it automatically - you wouldn't know if it was tucked away… which reminds me that moving NoScript icon into taskbar is probably fingerprintable(?).
We can even try without "see here". For example I doubt anyone is going to miss https://www.whonix.org/wiki/Dev/Source_Code_Intro#Why_not_Replace_grml-debootstrap_with_.27X.27.3F which was never a FAQ to begin with. We can add the "see here" when things actually become FAQ. The only way I see to clean sweep the FAQ.
Sorry, I am kinda overworked with stuff like server maintenance. Very invisible but also very important. So this won't happen.
For that mass search replace could be used.