Whonix build script now optionally supports installing packages from Whonix remote repository rather than building packages locally

By adding

--remote-derivative-packages true

Whonix images will be built with packages from the Whonix developers repository. No packages will be built locally.

This option is optional.
This option is opt-in.

This option is useful for me during development, during creation of developers-only test images. It saves a ton of time not having to rebuild all packages over and over again for each build.

This option might be useful for other developers who work on aspects of the build which are not related to any contents of any packages.

Builds which will be redistributed to users (those announced in Whonix News Forums) will still be built from locally built packages to ensure consistency.

Using --remote-derivative-packages true, Kicksecure XFCE images were built in around half an hour.







Wohoo! Awesome feature. I’m using this bad boy the next time. Now I’ll be more motivated to make a new release sooner than once every quarter.

That could lead to inconsistent results.

If package build time is discouraging, I could perhaps rather figure out how to only rebuild packages that require a rebuild and not always rebuild all packages all the time. But sometimes all packages have some minor changes (packaging compat level bumps and whatnot) and require a rebuild, so I wouldn’t know if this would save a lot of time in practice.

The state of the Whonix developers (or any) repository is currently still a bit opaque. All files are there in the open, welcome to review. But there are no tools to simplify this process. There is no way to know at which Whonix/Whonix git tag version the Whonix developers repository is. Therefore the build version number wouldn’t tell much.

For example at the moment by building Whonix/Whonix git tag with --remote-derivative-packages true it would actually use Whonix/Whonix build script version with packages from Whonix developers repository which are at

The latest git tag doesn’t necessarily match the state of the Whonix developers repository.

Sometimes changes in the developers repository are badly breaking. As in, no easy upgrade path. (Let’s say for example permission bugs.) These bugs aren’t fixed (sometimes difficult or impossible) since they never get introduced for any non-developer and are simply replaced by functional packages.

Qubes-Whonix is built from the Whonix proposed-updates repository but this requires orchestration to know when the repository matches the expected git tag version.

How easy would it be to switch the build process to use apt repo snapshots for builds like outlined on this Tails page?



Looks complex, daunting.

A simpler implementation maybe: Instead of suite buster-developers there could be an additional suite

In other words, instead of using
a could use for example

Patches welcome or perhaps some day.


