I can help remove it from Whonix but first let’s seek for more input on this issue. Could you please share your opinions on this?
Related discussion:
The project seems to be inactive for a while now:
Contributors to ricochet-im/ricochet · GitHub
We may still make it into Whonix 14, but remove it later from Whonix 15+. Therefore, we will have more time focusing on the release of Whonix 14.
1- it supporting only android which Ricochet itself wasnt made for any phone platform.
2- it doesnt even mention where did they do any progress to Ricochet
3- not inside Debian package nor i think will be in the soon time
so these my opinions , in Conclusion Ricochet is BAD to be installed by default inside whonix.
there r alot of cool apps built on matrix going to come by debian packages on buster. so i think waiting to that time is the only way to go for now atm.
yeah sure , just hope u dont forget that.
This is rabbit hole.
[1] Whonix is based on Debian. It depends on Debian. Whonix depends on hundredths of packages which themselves depend on thousands of other packages (tools) and libraries.
If you believe ricochet is dead, therefore insecure and should be removed, then this is primarily a bug to be reported to Debian.
Definition of dead?
This first needs a very clear definition. Otherwise we won’t have any other subject ever again arguing what is dead what is not.
I am sure, under that definition there are a ton of packages from [1] which meet that definition.
That debian should take care of it.
but Debian philosophy through this subject it cant be ours why?
because our distro is anonymity focused not compatibility problems (only). so giving this time to the app and just trusting Debian pointview on its components that doesnt mean our product is safe. anonymity needs active projects and fix and upgrades the issues with nonstop (even if its taking long time in the fixation process). but being zero active project with no improvements to any tickets = run away for ur life if u r searching for anonymity.
so maybe the app still working on debian and compatible with its distros versions but that doesnt mean its safe and good decision to keep using it.
Does the version of Ricochet bundled with Debian/Whonix have any known vulnerabilities?
I know of s-rah’s efforts on building a secure remote command shell using Ricochet and apparently they are on-going. I believe that besides Patrick’s definition we should also not remove a package if:
tl;dr I’m for keeping it at the moment and monitoring how things play out.
Bubonic Chronic:
Does the version of Ricochet bundled with Debian/Whonix have any known vulnerabilities?
None reported against Debian.
I see no reason to remove it then. Worth keeping an eye on maybe. But no need to remove it if it works.
the flaw will effect all whonix users. Without the ability even to remove/purge it because of this problem:
Continuing the discussion from Whonix VirtualBox 14.0.0.5.5 Testers Wanted!:
and since its not maintained atm then no way also to wait for a patch. the only waiting is for the next release of whonix without ricochet.
Continuing the discussion from Whonix VirtualBox 14.0.0.5.5 Testers Wanted!:
in conclusion, Ricochet is great app with Tor but its only were continued …
i suggest to check Matrix there is too many users migrating to it. (as also Tox chat no more supporting Debian…)
The problem with this 0day argument its fatalistic and there is no way to verify it. There is are always 0days in the kernel too but that doesn’t mean we should abandon all hope and stop developing?
Understand ricochet is also written in memory safe python (though migrating to Go) and written with security in mind. There are many other base Debian packages that are not. If there is something that’s a weaker link its probably something else.
Worst case scenario it won’t affect anyone who doesn’t run it and so I wouldn’t consider it affecting “all Whonix users”
Matrix is interesting but can you suggest a desktop client already packaged for Debian?
I will split the topic into another thread about Matrix clients to discuss it.
This is wrong.
Example: thunderbird / torbirdy / enigmail was recently removed without Whonix 14 → 15 release upgrade. (Thunderbird / enigmail no longer installed / sudo apt-get dist-upgrade - The following packages will be REMOVED: enigmail)
Doesn’t apply here.
Whonix VirtualBox 14.0.0.5.5 Testers Wanted! - #10 by nurmagoz is about VLC on Whonix-Gateway due to a weird and hard to remove because no Whonix package on Whonix-Gateway directly wants to install VLC. Ticket: ⚓ T786 consider installing phonon4qt5-backend-null by default on Whonix-Gateway
Directly meaning “look into https://github.com/Whonix/anon-meta-packages/blob/master/debian/control”. Only package whonix-workstation-default-applications-gui Depends: vlc and whonix-workstation-default-applications-gui is not installed on Whonix-Gateway. So VLC on Whonix-Gateway is a dependency of something else.
Removing ricochet without release upgrade would be easy since package Whonix-Workstation directly Depends: on ricochet-im Directly meaning “look into https://github.com/Whonix/anon-meta-packages/blob/master/debian/control” where you can see whonix-workstation-default-applications-gui Depends: ricochet-im.
Debian security team would patch it independently if upstream is dead or not.
consider alternative with active development from debian repos:
Ricochet is working well here. There is absolutely no need to remove a functional and stable piece of software after all the effort it took to support and integrate in Whonix.