Using NixOS would allow us to implement both Live USB and Stateless

Hello, all.

I love Whonix. As far as I could tell, the wiki says that its community would like Whonix to be stateless and have a Live USB option.

NixOS solves both these problems, and if Whonix developers are willing to try it out, I’d love to write a proof of concept.

I’ve been using NixOS for about 1.5 years, and it’s been a great experience. Everything is declarative, so in my dotfiles [1] (check out the modules folder), I specify my installed packages, dotfiles, mounted filesystems, dns server, systemd services, etc. NixOS even lets me patch software so that I can fix it before upstream does (see hardware/xps.nix for an example; I applied a patch to Linux to stop display corruption).

To create a Whonix Live USB, for example, we’d declaratively define the guest ISOs, declaratively set up kvm, then declaratively set up the window manager and services to start/stop kvm. We could also declaratively state whether or not we want swap space enabled.

For stateless, among other things, we could tell NixOS to use ramfs for the home directory.

I’m posting here to see if Whonix developers would be interested in trying this out.

Cheers!

[1] Discourse won’t allow links; the repo is https://github.com/aaronjanse/nixos

1 Like
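To make the Live USB and stateless ideas from the post concrete, here is a small NixOS module written as an added example (it is not the poster's configuration and not Whonix project code). The guest image URL and hash, the `whonix-gateway` libvirt domain name and the service definition are assumptions; the hash is a deliberate placeholder so the build fails until a real one is supplied.

```nix
# live-usb.nix (constructed example): a NixOS module sketching the Live USB
# and stateless pieces described above.  Not Whonix project code.
{ config, lib, pkgs, ... }:

let
  # Placeholder for a Whonix guest image; the real URL and hash are not on
  # this page, and lib.fakeSha256 makes the build fail until it is replaced.
  whonixGatewayImage = pkgs.fetchurl {
    url = "https://example.invalid/Whonix-Gateway.qcow2";  # PLACEHOLDER
    sha256 = lib.fakeSha256;                               # PLACEHOLDER
  };
in
{
  imports = [
    # Base installer ISO module; turns the configuration into a bootable image.
    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
  ];

  isoImage.makeEfiBootable = true;
  isoImage.makeUsbBootable = true;

  # Stateless: keep /home in memory.  tmpfs instead of ramfs so a size cap
  # applies; with no swap configured, its contents never touch disk.
  fileSystems."/home" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "size=2G" "mode=0755" "nosuid" "nodev" ];
  };
  swapDevices = [ ];      # declaratively: no swap space at all
  zramSwap.enable = false;

  # KVM via libvirt, plus a GUI to drive the guests.
  virtualisation.libvirtd.enable = true;
  environment.systemPackages = with pkgs; [ virt-manager ];
  # Expose the (placeholder) guest image from the Nix store at a fixed path.
  environment.etc."whonix/gateway.qcow2".source = whonixGatewayImage;

  # Assumed service that starts/stops a libvirt domain named "whonix-gateway";
  # defining that domain (CPU, RAM, network) is outside this example.
  systemd.services.whonix-gateway = {
    description = "Start the Whonix Gateway guest";
    wantedBy = [ "multi-user.target" ];
    after = [ "libvirtd.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.libvirt}/bin/virsh start whonix-gateway";
      ExecStop = "${pkgs.libvirt}/bin/virsh shutdown whonix-gateway";
    };
  };
}
```

The image is built with `nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=live-usb.nix`, which produces the ISO under `result/iso/`.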

Hi Aaron. Thanks for sharing your project. We think the Nix package manager has some very interesting features that can complement apt and potentially provide a more updated package selection in some cases without breaking the system. All attempts to create a Debian package of Nix pkg manager have stalled mainly because they were not compliant with install locations approved in Debian packaging guidelines. We don’t have a strong preference either way. If you can create and maintain such a package, it will unlock some of the benefits of the Nix package ecosystem.

2 Likes

I think the biggest issue here is how trusting Nix developers fits with the Whonix threat model.

On one hand, Nix’s declarative nature would make Whonix much easier to audit. The Whonix chain of trust would be simpler because Nix turns building an ISO into a very transparent process. Nix would also allow Whonix developers to quickly & transparently patch guest software/kernel. Another cool feature of Nix is that you can easily scan your system and get a list of CVEs for all software currently installed.

On the other hand, I imagine Nix developers get much less scrutiny than Debian developers.

If we think trusting Nix is net beneficial, or if we’re unsure, I’d be happy to even go as far as implementing a proof-of-concept guest Whonix Workstation/Gateway in Nix, ditching Debian entirely but still only using existing Whonix guest software.

If we trust Nix less than that, I’d still be happy to implement a proof-of-concept Whonix Live USB iso in Nix.

How do you think Nix fits into the Whonix threat model?
Is there any interest in either of these things?

1 Like

We can’t ditch Debian because there are so many advantages to using it as a base. Huge software selection, reproducible builds almost done, a supportive and responsive dev base, secure package installation and just more eyes on the code as you mentioned.

The idea with Nix package management is we can potentially have a simpler way to obtain software like Tor Browser as a package than Debian packaging would ever allow.

1 Like