Where/How to best include additional default Debian packages?

Branching off of this discussion…

I’d like to sort out where/how we would best include additional Debian packages for default installation into Whonix Qubes going forward?

For example, as mentioned in the other thread above, I would like to have “nautilus-open-terminal” installed by default for Whonix Qubes.

https://packages.debian.org/wheezy/nautilus-open-terminal

It seems by other recent discussions of @Patrick and @nrgaway, that some related issues/components of the new Whonix Qubes are still in flux.

Patrick mentioned the following here:

Yes. Maybe as `Recommends:`? `Depends:` would be weird, having a package that works perfectly well in terminal-only depend on a GUI package, no?

Please note this comment, it’s related:

Patrick mentioned the following here:

[quote=“Patrick, post:15, topic:764”]The whonix-qubes package uses a few Recommends::

This is fine. Other packages by the Whonix project do this as well. But… you need to know it has little effect.

Whonix’s build script installs all packages using “apt-get --no-install-recommends”. Reasons for that are a bit weird and difficult, but explained here:

So if you care to get the `Recommends:` installed by default and plan to install the whonix-qubes package as part of `build-steps.d/1700_install-packages` or some anon-meta-package, then recommends would not be installed by default. We’d have to think of something. If you install it as part of the Qubes build process somehow without using --no-install-recommends then there will be no problem.

It’s just something to be aware of.[/quote]

Patrick mentioned the following here:

Note: “whonix-qubes” package has now been renamed to “qubes-whonix”.

So, specific to Whonix Qubes, where exactly would we include such additional default Debian packages and how would they be best implemented?

Thanks! :smiley:

The first option is to have `nautilus-open-terminal` included within the base of Whonix available for everyone. One thing we need to make sure of is that the Qubes installation mimics as closely as possible the original distribution of Whonix.

Now if this is not just a personal preference, in which you just install the package yourself after installing the Qubes-Whonix template, I believe that any packages specific to the Qubes installation should be included in the Depends section of the `qubes-whonix` package. That would make sure they are installed by default.

In case you are interested, the following lists the logical build steps to build the Whonix template using `qubes-builder` since at this point Qubes Whonix needs to be built using `qubes-builder` (the Qubes package that builds all of Qubes components, including the ability to create a full ISO to install the complete Qubes OS).

1. Create a configuration file to build template or use provided default
2. get-sources: Retrieves and verifies all Qubes and Whonix Repos
3. build Qubes modules: Builds all the required Qubes modules required by template
4. build template
   - Uses debootstrap to create an initial wheezy template
   - Configure template basics. Convert to systemd as Qubes uses systemd (and the more I learn about it, the better I like it)
   - Install the Qubes modules we built in step 3 and configure template for Qubes related stuff
   - Run the whonix_build scripts thereby installing Whonix on template
   - Install the qubes-whonix package

You see that Whonix builder does not currently install `qubes-whonix`; it is installed as a separate step, but that could change when it's incorporated into the Whonix repo. Not that any of this really matters much for your question :)

Patrick, understandably, was not keen on installing this package into Whonix proper for VirtualBox KDE users, as it would only benefit Whonix Qubes and Whonix Gnome users that have Nautilus as their default file manager.

Correct. Not proposing it as just a personal preference.

Wrote original proposal for reasons here:

@troubadour responded in affirmation to this, as he frequently needs this functionality to transition from file manager to terminal in the current working directory of the file manager.

He pointed out how KDE Dolphin finds this basic feature important enough to include by default.

However, the file manager with primary Qubes functionality in Whonix Qubes is Nautilus, which Tor Browser (Firefox) natively opens its downloads inside of, and Qubes also implements its Inter-VM File Copy system inside of Nautilus as well.

So it would be a fundamental basic convenience in many cases to use the primary Nautilus file manager in this way for Whonix Qubes users (including myself). :slight_smile:

Okay, great. I will look for this place inside the “qubes-whonix” package. Thanks!

Part of me intuitively nods my head in affirmation to this statement. The other part of me asks “But Why?” So… Why do you say this statement?

Always interested in every detail specific to Whonix Qubes! :smiley:

[quote=“nrgaway, post:2, topic:777”]the following lists the logical build steps to build the Whonix template using `qubes-builder` since at this point Qubes Whonix needs to be built using `qubes-builder` (the Qubes package that builds all of Qubes components, including the ability to create a full ISO to install the complete Qubes OS).

1. Create a configuration file to build template or use provided default
2. get-sources: Retrieves and verifies all Qubes and Whonix Repos
3. build Qubes modules: Builds all the required Qubes modules required by template
4. build template
   - Uses debootstrap to create an initial wheezy template
   - Configure template basics. Convert to systemd as Qubes uses systemd (and the more I learn about it, the better I like it)
   - Install the Qubes modules we built in step 3 and configure template for Qubes related stuff
   - Run the whonix_build scripts thereby installing Whonix on template
   - Install the qubes-whonix package

You see that Whonix builder does not currently install `qubes-whonix`; it is installed as a separate step, but that could change when it's incorporated into the Whonix repo. Not that any of this really matters much for your question :)[/quote]

Thanks for that overview of the build process!

At some point I need to get around to deep diving into the code of Whonix Qubes.

Spent a bit of time getting more familiar with the Whonix code late last year. Need to do that with your Whonix Qubes code at some point.

Will likely have a number of questions as I get around to doing that.

Sounds good to me.

[quote=“WhonixQubes, post:3, topic:777”][quote author=nrgaway link=topic=856.msg6348#msg6348 date=1420503115]
One thing we need to make sure of is that the Qubes installation mimics as closely as possible the original distribution of Whonix.
[/quote]
Part of me intuitively nods my head in affirmation to this statement. The other part of me asks “But Why?” So… Why do you say this statement?[/quote]
It’s true for some things. But in this case, I do not foresee any fingerprinting issues since it’s just a local thing.

[quote=“Patrick, post:4, topic:777”]Sounds good to me.

It’s true for some things. But in this case, I do not foresee any fingerprinting issues since it’s just a local thing.[/quote]

Okay then, I added it to current qubes-whonix package. Will see how it goes. The only issue I see is if it’s a depend it can’t be removed. Does the same hold true if it is within the recommend section? I know you mentioned that Whonix does not install recommends by default, so we could just add a script to install qubes-whonix recommends by default as I would like them to be installed.

Or maybe this is possible… Two versions of qubes-whonix package would exist. The installation version which gets installed only once when the template is initially created. This version series would be 0:9.4-1. Then we could have the downloadable version via the apt-get repo with a higher version number or epoch, so either 1:9.4-1 or start at 0:9.40-1, or even add a less important tag like -beta which will be seen as a lesser version and be upgradable.

Now, first time user goes to update, the higher version package will be made available with all these dependencies removed in debian/control, so after the new package is installed, they would be free to remove those packages. All future updates use the higher version number bump as installation package will only ever be needed the first time.

Now this assumes that reducing the depends would not automatically mark those packages for removal. Any thoughts on if this would work? Easy enough to test out I suppose :slight_smile:

[quote]Okay then, I added it to current qubes-whonix package. Will see how it goes. The only issue I see is if it's a depend it can't be removed. Does the same hold true if it is within the recommend section?[/quote]
`Recommends:` can be removed.

[quote]I know you mentioned that Whonix does not install recommends by default,[/quote]
Yes, here: https://www.whonix.org/wiki/Whonix_Debian_Packages#Technical_Stuff

Note, this only applies to building Whonix and to build-steps.d/1700_install-packages.

[quote]so we could just add a script to install qubes-whonix recommends by default as I would like them to be installed.[/quote]
Instead of a new script, better make "--no-install-recommends" conditional in build-steps.d/1700_install-packages and set qubes-whonix to install without "--no-install-recommends".

[quote]Or maybe this is possible... Two versions of qubes-whonix package would exist.[/quote]
Sounds like too much of a hack.

Better make two or more (meta) packages. You don’t even need a new git repository for it. Just ~8 more lines or so in debian/control.

See anon-meta-packages/debian/control at master · Whonix/anon-meta-packages · GitHub for comparison. It’s relatively easy to create such dependency packages.

```
Package: qubes-whonix-packages-recommended
Architecture: all
Depends: nautilus-open-terminal, ${misc:Depends}
Description: Recommended packages for Whonix-Qubes
 A metapackage, which installs packages, which are recommended for
 Whonix-Qubes.
 .
 Safe to remove, if you know what you are doing.
```

Then a package qubes-whonix-packages-recommended will be created during package build.

That package is supposed to be installed on gateway and workstation? Otherwise package name should be changed. Please check package names in anon-meta-packages/debian/control at master · Whonix/anon-meta-packages · GitHub so we can establish a nice, useful naming convention.
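
An added sketch, not code from Whonix, Qubes or any poster in this thread: a simplified model of the two apt behaviours discussed above, namely what lands in the template with and without `--no-install-recommends`, and what a later removal of `nautilus-open-terminal` drags out with it. The `qubes-whonix` stanza that recommends the metapackage is a hypothetical assumption; only the metapackage stanza comes from the thread, and the parser handles single-line relationship fields only.

```python
import re

# Constructed sample: the metapackage stanza from the thread plus a
# hypothetical qubes-whonix stanza that pulls it in via Recommends:.
CONTROL = """\
Package: qubes-whonix
Depends: ${misc:Depends}
Recommends: qubes-whonix-packages-recommended

Package: qubes-whonix-packages-recommended
Depends: nautilus-open-terminal, ${misc:Depends}
Description: Recommended packages for Whonix-Qubes
 Safe to remove, if you know what you are doing.
"""

def names(value):
    """Names in a relationship field, minus ${substvars}, versions, alternatives."""
    found = (re.sub(r"[(\[].*", "", item.split("|")[0]).strip()
             for item in value.split(","))
    return [n for n in found if n and not n.startswith("$")]

def parse_control(text):
    """Map each binary package to its Depends and Recommends lists."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z-]+):[ \t]*(.*)$", stanza, re.M))
        pkgs[fields["Package"]] = {k: names(fields.get(k, ""))
                                   for k in ("Depends", "Recommends")}
    return pkgs

def install_set(pkgs, roots, install_recommends):
    """Packages pulled in for roots; Recommends followed only if enabled."""
    fields = ("Depends", "Recommends") if install_recommends else ("Depends",)
    todo, seen = list(roots), set()
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo += [d for f in fields for d in pkgs.get(p, {}).get(f, [])]
    return seen

def removal_cascade(pkgs, installed, victim):
    """Removing victim also removes installed packages that Depend on it."""
    gone, grew = {victim}, True
    while grew:
        more = {p for p in installed - gone
                if gone & set(pkgs.get(p, {}).get("Depends", []))}
        grew, gone = bool(more), gone | more
    return gone
```

With the metapackage layout, removing `nautilus-open-terminal` takes only the metapackage with it; with the package listed directly in the `Depends:` of `qubes-whonix`, the cascade reaches `qubes-whonix` itself.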