Pre-Release Audit of qubes-whonix 10.0.4-1

Here is a thread for relevant discussion, tickets, links, info, etc. for auditing the proposed version 10.0.4-1 of the “qubes-whonix” package for the Qubes + Whonix platform.

The official “qubes-whonix” code repository is here:

This “qubes-whonix” package also uses the QubesBuilder “qubes-builder” and the “qubes-template-whonix” Plugin API:

Development code repositories are here:

Other relevant information to this audit:


qubes-whonix (0:10.0.4-1) wheezy; urgency=medium
  [ Jason Mehring ]
  * Updated NOTES
  * Removed injected whonix_firewall rules and added to
  * Moved qubesdb to
  * Changed ip-replace filelist and triggers

qubes-whonix (0:10.0.3-1) wheezy; urgency=medium
  [ Patrick Schleizer ]
  * added creation of upstream changelog to fix lintian warning
  * updated changelog.upstream

  [ Jason Mehring ]
  * Use trusted mode instead of installing keyring for local repo
  * Updated Qubes protected-files location
  * removed duplicate FILES entry
  * Renamed and configured systemd configurations files so they will not
    conflict with future Whonix versions
  * - Use /etc/whonix.d/50_whonixcheck_qubes - Disable/Re-enable qubes-
    whonix-network/firewall, tor, control-port-filter - sorted and added
    more replaceip triggers
  * Sorted and added more replaceip triggers
  * Added qubes-core-agent (>= 2.1.60) as a depend

qubes-whonix (0:9.6.7-1 / 0:10.0.2-1) wheezy; urgency=medium
  [ Jason Mehring ]
  * Update files to search and replace IP addresses Fix syntax typo for
    whonix workstation that prevented search and replace
  * start whonixcheck on startup for workstation
  * Use new whonix-setup-wizard directory for *.done files Use
    50_whonixcheck_user instead of 30_whonixcheck_default Enable new
  * Remove unneeded bind directories due to new location of whonix
    status files
  * - Remove references to old whonix status files; use new references -
    Start whonixcheck last - Add missing whonixcheck for workstation -
    Don't prompt to install repository in AppVM (Gateway or Workstation)
    - Prompt to install repository in templatevm
  * Add missing whonixcheck.conf file
  * Add systemd unit file for control-port-filter-python.service

qubes-whonix (0:10.0.1-1) wheezy; urgency=medium
  * version 10.0.1

qubes-whonix (0:9.6.6-1) wheezy; urgency=medium
  [ Patrick Schleizer ]
  * added genmkfile to Build-Depends
  * updated makefile generic to version 1.5
  * updated readme
  * updated makefile generic to version 1.4

  [ Jason Mehring ]
  * Commented out watchdog as it was resetting tor every minute
  * More specific reference to be able to inject firewall code was
    needed for Whonix 10

qubes-whonix (0:9.6.5-1) wheezy; urgency=medium
  [ Jason Mehring ]
  * Remove chattr +i and replace with a protected files routine
  * Notes with issues not yet resolved due to changes in Qubes or qubes-
  * Added wip whonixcheck systemd unit file
  * Added a tor systemd unit files along with a wip unit file to
    implement hardening
  * Added ability to upgrade and dist-upgrade from local test repo
  * Streamlined enable/disable services; remove immutable bits
  * Make sure qubes-network is started before qubes-firewall
  * Keep whonixcheck and sdwdate disabled and manually start them to
    prevent false positive errors that tor is not started
  * Send a 0 when enabling a service

qubes-whonix (0:9.6.4-1) wheezy; urgency=medium
  [ Jason Mehring ]
  * Bump version to 9.6.4
  * Fix a bug that gave error on upgrade when restarting service
  * Use debhelper package install to install files to prevent tests from being part of package
  * Fixed an issue with restarting services and added whonix-setup-wizard cache dir
  * Added more options to make sure unwanted dirs like rpm or deb do not make it into Debian package
  * Removed stale references from notes
  * Added an update test script that will install a local repo and perform an update of package
    The test suite is excluded from built package
  * Updated changelog for 9.6.3

qubes-whonix (0:9.6.3-1) wheezy; urgency=medium
  [ Jason Mehring ]
  * Added /var/cache/whonix-setup-wizard to list of dirs to bind on
  * Updated Makefile.builder to work with new qubes-builder api
  * Bumped version to 9.6.3

The proposed “qubes-whonix” package has been updated from 10.0.2-1 to 10.0.3-1.

I have updated the original posting above to reflect this.

I’ve also added additional relevant links and information.

Okay, I’ve reviewed “qubes-whonix” 10.0.3 and give it a thumbs up for release in its current form.

If any new functional changes are introduced, I’ll review those and provide a final check and update before release.

If no new functional changes are introduced, then I’m good with stable release of the current package.

Awesome work, @nrgaway! :smiley:

The proposed “qubes-whonix” package has been updated from 10.0.3-1 to 10.0.4-1.

I have updated the original posting above to reflect this.

I’ve reviewed “qubes-whonix” 10.0.4 and give it a thumbs up for release in its current form.