Plans to remove a feature, the Whonix News Blog Offline feature

[html]

This feature is documented here:

https://www.whonix.org/wiki/Download#Whonix_News_Blogs

This is about this icon:

Here is a screenshot.

Whonix News Blog opened offline

We should now be talking about the same feature.

I planned to discontinue this feature anyway. It causes a lot of effort to manually create a text-only version of every new blog post. In fact, it demotivates me to create new blog posts to keep you posted and involved about Whonix developments and plans.

The question for you is: How many are using this Tor Browser Recommended / Whonix News Blogs Offline feature anyway?

When no one actually does, then it’s safe to discontinue the service. Otherwise, would anyone have an idea how to semi-automate it to reduce the burden of maintaining a text file? (https://github.com/Whonix/whonix-developer-meta-files/blob/master/release/news/whonix_feature_blog.txt)

There are lots of other options for following Whonix’s blog:

https://www.whonix.org/wiki/Download#Whonix_News_Blogs

https://www.whonix.org/wiki/Download#WhonixNewsBlogOtherChoices

Occq suggested removing the Tor Browser Recommended icon from Whonix’s desktop, among other desktop icon and start menu changes. (https://www.whonix.org/forum/index.php/topic,184.0.html) Looks like a good time to discuss discontinuation of this feature.

[/html]

Discontinue this feature?

Yes. Since no one cares.

  • removing the desktop shortcut
  • removing the start menu shortcut
  • and posting a last news item that this feature has been discontinued should be sufficient

Removing this from whonixcheck Whonix News and Whonix torbrowser starter wouldn’t improve security or code readability. And in future when someone finds time and interest in maintaining this feature, we can re-enable it [without desktop shortcut].

How about just packaging the output from an RSS reader for the offline news? This should do all the heavy lifting in an automated way.

That was the case until Whonix 0.5.7 or Whonix 7. RSS is non-ideal, because it increases the attack surface. Offline news is supposed to be more secure than normal news.

Having all users always connect to Whonix’s blog invites someone to take over the blog and add an exploit. With RSS it gets even worse. The RSS reader would have to parse the HTML and then again the browser would have to parse the RSS HTML.

The current implementation just tells Firefox to open plain text files. I haven’t found out how to automate RSS -> plain text on server side.

I mean something automated that you as admin personally run server-side to extract the pages to an offline friendly format.

I think I found something here:

Then it would be up to me / the server not to publish malicious rss. That’s also a situation I did not want to get myself into.

Then EOL’ing this was the wisest choice as it prevents your machine from becoming an attack vector against the whole project.

The text files only create a negligible attack surface. Since Whonix News still exists, almost none at all. I just was demotivated to write a blog post if I then have to manually create a plain text version for Whonix Offline News Blogs… Knowing that probably no one cares about that feature anyway…

I know this is 120 days old, and sorry for necroposting, but how about an RSS feed?

RSS Not a good idea for security

We already have RSS feeds. It is a standard feature of WordPress. Feel free to use it. Documented here:

Even if you torify it?

Yes, please elaborate on what the risks with rss are, so we can document them (RSS: Really Simple Syndication).

Neurodrive, I thought you were asking for RSS to be enabled for the blog by default in Whonix, and so that’s the reason I thought it was a bad idea. Reason is, if the site is compromised and there is a flaw in the reader, we don’t want every Whonix user to be infected. Patrick and I discussed this threat model already and I imagined that’s what you meant.

But that’s not what you were talking about.

You using RSS should be ok.
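
The question raised earlier in this thread, how to automate RSS -> plain text on the server side, can be handled with a short script. The following is an added example, not part of the original thread and not Whonix code: it assumes a standard RSS 2.0 feed with HTML in `<description>`, and `SAMPLE_RSS`, `TextOnly`, `to_plain` and `feed_to_text` are hypothetical names. Only text nodes survive, so the published file contains no markup for a client to parse.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed, not real blog content.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Example Blog</title>
<item><title>Release &amp; testers wanted</title>
<pubDate>Mon, 01 Jan 2024 00:00:00 +0000</pubDate>
<description><![CDATA[<p>New <b>build</b> is out.</p><script>alert(1)</script>
<a href="https://example.org/x">details</a>]]></description></item>
</channel></rss>"""


class TextOnly(HTMLParser):
    """Keeps text nodes; drops tags, attributes and script/style bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ("p", "br", "div", "li"):
            self.parts.append("\n")  # block-level tags become line breaks

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)


def to_plain(fragment):
    """Return fragment as text: no markup, no control characters."""
    parser = TextOnly()
    parser.feed(fragment)
    parser.close()
    raw = "".join(parser.parts)
    # Control and other non-printable characters become spaces.
    text = "".join(c if c == "\n" or c.isprintable() else " " for c in raw)
    lines = (" ".join(line.split()) for line in text.split("\n"))
    return "\n".join(line for line in lines if line)


def feed_to_text(rss_xml):
    """Render every <item> of an RSS 2.0 feed as a plain-text news entry."""
    root = ET.fromstring(rss_xml)  # assumption: the admin's own feed, read server-side
    entries = []
    for item in root.iter("item"):
        fields = [to_plain(item.findtext(tag, "")) for tag in ("title", "pubDate", "description")]
        entries.append("{}\n{}\n\n{}\n".format(*fields))
    return ("-" * 40 + "\n").join(entries)
```

Link targets (`href`) are discarded along with all other attributes, so a post that relies on links needs the URL written out in its text.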