expand systemcheck unwanted packages list

Patrick · February 27, 2016, 11:01am

Possibly. Please try going further up by checking reverse-depends of reverse depends.

HulaHoop · February 27, 2016, 4:39pm

user@host:~$ sudo apt-cache rdepends plasma-dataengines-workspace
plasma-dataengines-workspace
Reverse Depends:
plasma-widget-yawp
plasma-widgets-addons
plasma-widgets-workspace

user@host:~$ sudo apt-cache rdepends plasma-dataengines-yawp
plasma-dataengines-yawp
Reverse Depends:
plasma-widget-yawp-dbg
plasma-widget-yawp

plasma-widget-yawp = yaWP (Yet Another Weather Plasmoid) - a KDE weather widget. Since its not enabled by default its ok.

HulaHoop · March 1, 2016, 6:11pm

A GNOME package for managing “cloud” accounts of PRISM partners. I think this should be banned to prevent newbie users from using them by mistake.

https://packages.debian.org/jessie/gnome-online-accounts

nurmagoz · March 8, 2016, 1:31am

do we need KDE wallet system (KWallet) in whonix (saw it in vbox version)?

Patrick · March 8, 2016, 12:33pm

I find this KWallet stuff very annoying outside and unrelated to Whonix. WiFi passwords are not simply stored and it no longer auto connects - each time it asks the wallet password. So I must figure out how to disable the wallet stuff. Usability issue.

Patrick · April 2, 2016, 3:09pm

2 posts were split to a new topic: How to get rid of insecure rpcbind?

nurmagoz · June 7, 2016, 6:56am

@HulaHoop there r vbox guest stuff installed inside whonix-kvm , i wonder why u dont remove them.

HulaHoop · June 7, 2016, 1:37pm

The files are small and don’t interfere with the other hypervisor. For simplicity the build system output gives builds of both versions KVM and Vbox in one run.

Patrick · June 7, 2016, 6:43pm

For simplicity, time saving and better usability for me personally, official downloadable Non-Qubes-Whonix builds are created with --target virtualbox and --target qcow2 at the same time.

Patrick · June 7, 2016, 10:50pm

Could you process the following thread please wrt packages to be added?

Which Debian packages leak information to the network?
https://lists.debian.org/debian-security/2016/05/threads.html#00043

HulaHoop · June 8, 2016, 1:11am

Thanks for getting the ball rolling Patrick. Very useful discussion

python-requests: fixed upstream
pip: leaks info about system package versions.
gnome-calculator: sets cookie. Bug open upstream for 2 years but not fixed by devs. Workaround is being done with Flatpak restrictions.

weather applications: leak location data but none enabled by default

Notes:

Apparmor network filtering not supported by upstream stock kernels:
https://bugs.debian.org/712451

Some advocate using sandbox frameworks like flatpak for blocking leaky apps.

Debian probably needs a privacy team to audit all packages that send
data to the network and develop mitigation, configuration or patches
to counter these.

+10 I strongly support Paul’s plan to have a review team look through packages and engage upstream projects to clean up leaks. He is open to attending a brainstorm session at DebConf16 if someone organizes it.

Patrick · June 8, 2016, 3:26pm

Can you make the changes in git whonixcheck config please?

HulaHoop · June 8, 2016, 9:55pm

Added.

Some people may complain but no one needs a package manager (python-pip) that still doesn’t support GPG signed packages and never will. After years of arguing they implemented TLS downloads and enabled it by default but as anyone knows this is not enough.

Weather widgets I can’t touch because they are reverse dependencies of core DE packages. The good thing is the user has to go out of their way to shoot themselves in the foot.

Patrick · June 8, 2016, 10:02pm

https://github.com/Whonix/whonixcheck/pull/5

Merged.

Off-topic: Btw it has been worked on or may still be worked on [did not check the status for some time] to make PIP use TUF.

HulaHoop · June 8, 2016, 10:29pm

It seems TUF is production ready after all. Its been integrated in half a dozen major projects including pip and docker.

HulaHoop · June 8, 2016, 10:40pm

Off-topic:

AppImage is supposed to be distro agnostic packaging format recently supported by Firejail. With TUF to secure app integrity and delivery we have a good combination.

github.com/AppImage/AppImageKit

Support for The Update Framework (TUF)

opened 10:37PM - 08 Jun 16 UTC

HulaHoopWhonix

enhancement idea help-wanted

AppImage is really cool. I propose integrating it with [The Update Framework (TU…F)](https://theupdateframework.github.io/) to have a secure mechanism for delivering programs from developers to end users. Their project has been designed for many years to work under many threat models and work around shortcomings in other package managers. Ruby,pip and Docker are some projects using TUF.

Patrick · February 3, 2021, 12:32pm

Do we want to keep this?
If so, we should add python3-pip as well?

marmarek · February 3, 2021, 12:52pm

Yes, makes sense to add python3-pip too.

Patrick · February 3, 2021, 1:53pm

Done just now in git master.

nurmagoz · April 28, 2021, 6:13pm

I found that we have wpasupplicant package which is used for wifi purposes only , do we need it ?

root@host:~# apt remove --purge wpasupplicant*
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wpasupplicant' for glob 'wpasupplicant*'
The following packages were automatically installed and are no longer required:
  libnl-3-200 libnl-genl-3-200 libnl-route-3-200 libpcsclite1
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wpasupplicant*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 3,432 kB disk space will be freed.
Do you want to continue? [Y/n]

non i can tell is important for VM distro.