Tor Browser Hardening (hardened malloc, firejail, apparmor) vs Web Fingerprint

After all the comments, and thank you @madaidan for bringing this up, I have concluded:

  • Firejail isn't yet matured; we should give it time, like what apparmor was given before, and see later. So removing it is better (agree with @madaidan)

  • Firejail or Bubblewrap isn't the equation, but getting rid of them until they are matured and adopted by Debian like apparmor, and see after that (I agree with @Patrick)

  • Whonix was already working with/on apparmor before; since apparmor is now part of Debian we should carry on using it plus MAC (I agree with @HulaHoop on that)

  • Daniel Micay's views are not worthy; he's mistakenly in love with Google/proprietary and his views are unproductive on anything to be used here.

  • Some projects consider none of the above to be any better, e.g.:

https://gvisor.dev/docs/architecture_guide/#how-is-this-different

Ideal for Whonix now is to not use anything except what it was already using and keep improving it (mostly what netblue30 suggested)

Firejail is matured. That’s the worst part.

Both are matured and bubblewrap is even adopted by flatpak which is widely used.

Hulahoop was quoting netblue, hulahoop didn’t give his opinion on that and as I’ve already said, namespaces/seccomp are important which aren’t provided by apparmor.

His views are far more worthy than any of ours. Take your pointless insults elsewhere.

You do realise gvisor is made by google, right? Doesn’t using google software make you mentally sick now according to you?

No, by maturity I meant being adopted by Debian.

It doesn't matter where they are/it is used, both of them are just not worth the headache of using atm

important when there are matured tools, not now.

opinion

Never said "oh, we should use it", never said it's any better. All that was said is an opinion from another project, thus I already said to not take any of these projects and ideally stay on what Whonix was using.

Being adopted by debian is not a requirement for maturity. The main bubblewrap devs are even debian devs which should be a step in your view of “maturity”.

It is worth it. Namespaces and seccomp are really useful.

They are matured tools. Bubblewrap is used by thousands of people and recommended by security experts. How is that not mature?

It’s not just an opinion, it’s slander.

1 Like

When used by default on Debian, that's the turn part I'm talking about, not who developed it.

Same answer as before.

Not matured in the way that it should be matured, like I described it.

Sorry, not a productive one according to his shitty views on everything except almighty proprietary.

In the end these are my views; I'm not the one who decides what to install and what not to install and does all the bug solving and related work, this is @Patrick's job and decision. We are here to share our views, and my position is software tester; if bubblewrap is included or not, I will test in both cases.

Being used by default on debian is also not a requirement for maturity.

Whonix used apparmor long before it was the default on debian yet I haven’t seen any criticisms from you about it.

The answer before is “it’s not worth it” with no other explanation.

It’s extremely important. Without seccomp, a huge amount of kernel attack surface is exposed. For example, unprivileged programs can even mess with kernel memory faults with syscalls such as userfaultfd or privileged programs can gain read-write access to memory with syscalls such as ioperm or iopl.

No, that’s complete misinformation. He only criticises things that deserve criticism including many proprietary things.

I don’t see why you keep going on about proprietary stuff when he’s a massive contributor to open source projects. Whonix is using a lot of his work already.
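A seccomp deny-list for the three syscalls named in the post above, as an added example that is not part of the thread and is not Whonix, Firejail or bubblewrap code. It is x86-64 only; `install_filter`, `probe` and `DENY_ERRNO` are hypothetical names, and EACCES is an assumed errno chosen so the filter's denial can be told apart from the kernel's own EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: EACCES, so a filter denial differs from the kernel's own EPERM. */
#define DENY_ERRNO EACCES
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | DENY_ERRNO)

/* Deny-list for the syscalls named in the post (hypothetical helper). */
static int install_filter(void) {
    struct sock_filter prog[] = {
        /* Kill on a foreign ABI: 32-bit syscall numbers differ from the list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* x32 calls share this arch value but set bit 30 in the number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000U, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        DENY(SYS_userfaultfd), DENY(SYS_ioperm), DENY(SYS_iopl),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* no_new_privs is required to load a filter without CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Make one syscall in a filtered child; returns its errno, 0 on success,
 * or -1 if the child could not be set up. */
int probe(long nr) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter()) _exit(255);
        _exit(syscall(nr, 0, 0, 0) < 0 ? errno : 0);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 255) return -1;
    return WEXITSTATUS(st);
}

int main(void) { return probe(SYS_iopl) == DENY_ERRNO ? 0 : 1; }
```

A deny-list like this only removes the listed calls; sandboxes that use seccomp more strictly start from an allow-list and return an error for everything else.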

  • bubblewrap will be installed by default after upgrades.
  • bubblewrap will also be installed by default in Whonix 15.0.0.7.1 (and above).

But not because of any decision / change by Whonix.

bubblewrap is a dependency.

sudo apt dist-upgrade and even sudo apt dist-upgrade --no-install-recommends on Whonix-Gateway 15.0.0.4.9 will install bubblewrap. Technical reasons (dependency chain):

  • libwebkit2gtk-4.0-37 depends on bubblewrap
  • zenity depends on libwebkit2gtk-4.0-37
  • msgcollector-gui depends on zenity
  • tb-updater depends on msgcollector-gui (zenity progress bar, tb updater gui)
  • whonixcheck (--gui) needs zenity (zenity progress bar)
2 Likes
4 Likes