Potential info leak or identity correlation if upgrade system?

  1. Downloaded KVM on 2021-02-12 and upgraded.
  2. Downloaded KVM on 2020-05-01 and upgraded.

The software versions would be the same, but the exact files inside the VM would be very different. Could this be used to fingerprint users? File timestamps could also be used to track different users.
Or is it a better idea to always start with the latest VM images and boot into VM live mode, then upgrade the system? This won’t work if the system needs to be restarted to upgrade though.

No. Boot as few times without fully upgraded system as possible. Some vulnerabilities such as APT (past and hypothetical future) should be fixed as soon as possible. The system shouldn’t be non-upgraded, vulnerable and do actions which expose the vulnerability to the internet (such as upgrading using known vulnerable APT).

Thanks, most of my concerns are mentioned on that wiki page.
Would more frequent VM image releases mitigate part of them? We would be more unified than upgrading OS inside VM.
Hardware info leaks are harder to prevent though, and will probably require upstreams. Paranoids would have to assume they are fingerprinted unless they use different hardware and/or use exclusively FOSS inside VMs. And in the era of ever haunting Spectre, it might even be necessary to pause other VMs when doing sensitive computing.

No. What would? This:


Ideally every single file inside the VM should be identical to other users’, to prevent fingerprinting. This can probably be guaranteed by using only vanilla unmodified VM images.
The released VM image is stateless (or stateful with the same identity), it then becomes stateful after system upgrade (more unique fingerprint).
Is there any post upgrade script to reduce artifacts introduced by upgrading? Like remove old kernels, old configs, logs, caches?


Essentially I’m talking about creating new fingerprints.

If I have to run a privacy invasive program, it’s better to begin with a VM image from Whonix or Debian Live, not my (up-to-date) Whonix workstation or Debian qcow2.
If somehow a website in Tor Browser is able to list all/some files inside VM via JS, then that website can link all the activities done from that VM image.

So it might be a good practice to restart from released VM images and update (creating new unique fingerprints), rather than keep using a months old qcow2 (reusing old fingerprint). In this regard, I thought more frequent VM image releases are beneficial.

How frequent? Builds take time. Are you willing to sponsor such an effort?

Monthly should be enough I think, as long as the standard apt upgrade method won’t download a few hundred megabytes.
I found an ova image release about once per month, while the libvirt image takes much longer. Is building QEMU images so much harder? I can surely donate some computing power monthly, how much does it cost to build a QEMU image?
