Whonix default packages review - mmdebstrap variant related - risk of regressions

The basic idea is that as few packages as possible should be installed at the debootstrap (mmdebstrap) stage. Only essential “required” packages should be installed to have a functional base Debian image which can then be built upon. Everything else should be managed by meta packages (anon-meta-packages), as a dependency of a Whonix package or as dependencies. This results in better control over which packages get installed and leads to fewer unneeded packages, fewer sources of issues, faster upgrades, and a smaller image size.


  • lsb-base - Has many reverse-depends lsb-base that will hopefully pull this if required.
  • mime-support - Not sure. Not many reverse-depends mime-support. If missing, opening some files such as jpeg in ristretto or other default application pairings might break. Let’s try without.
  • readline-common - Not sure. Very few reverse-depends readline-common. Let’s try without.

  • apt-transport-tor - Not needed here since kicksecure-dependencies-cli will pull it.
  • apt-utils - contains apt-extracttemplates which sounds somewhat important: “apt-extracttemplates is used to extract config and template files from debian packages. It is used mainly by debconf(1) to prompt for configuration questions before installation of packages.” - but these debconf prompts are bad for usability and APT automation anyhow. Let’s try without unless there is already a reason why it’s needed.
  • bsdmainutils - Does not seem important.
  • cpio - Not needed here since initramfs-tools-core will pull it.
  • dmidecode - Looks not important. Try without.
  • e2fslibs - transitional package. Try without.
  • e2fsprogs - contains fsck.ext4, will add to kicksecure-dependencies-cli.
  • eatmydata - no need.
  • gdbm-l10n, gnupg-l10n, debconf-i18n - Language packages, multi language support out of scope for now, will drop.


  • gnupg (full suite of GnuPG) - Do we want this? Just a meta package that pulls dirmngr, gnupg-utils, gpg-wks-client, gpg-wks-server, gpgsm, gpgv.
  • gnupg-utils - Does not seem important. Do we need this?
  • gnupg2 - dummy transitional package
  • gpg (GNU Privacy Guard – minimalist public key operations) - whonix-workstation-packages-recommended-cli will pull it.
  • gpgconf - gpg depends on it, therefore we get this anyhow.
  • dirmngr - whonix-workstation-packages-recommended-cli will pull it.
  • gpg-agent - Do we need this?
  • gpg-wks-client - Do we need this? Web Key Service protocol. Probably best discussed in separate forum thread.
  • gpg-wks-server - Do we need this?
  • gpgsm (GNU privacy guard - S/MIME version) - Do we need this?

  • iptables - whonix-firewall package depends on it, no need here.
  • initramfs-tools - Not needed here since non-qubes-vm-enhancements-cli already depends on it.
  • initramfs-tools-core - Not needed here since initramfs-tools will pull it as dependency.

  • ifupdown - Not needed here since whonix-[gw|ws]-network-conf pulls ifupdown as a dependency.
  • iproute2 - Not needed here since ifupdown will pull it as dependency and whonix-[gw|ws]-network-conf depends on ifupdown.
  • iputils-ping - Not needed here since kicksecure-dependencies-cli already depends on it.
  • isc-dhcp-client, isc-dhcp-common - We don’t want this, and if we wanted it for kicksecure-network-conf or something, the dependency should be defined in that package.

  • klibc-utils - initramfs-tools-core will pull it as dependency.
  • kmod - Not needed here since linux image packages will pull it as dependency.
  • less - kicksecure-dependencies-cli will pull it as dependency.
  • linux-base - Not needed here since linux image packages will pull it as dependency.
  • mount - systemd will pull it as dependency, therefore we will still have it and it is not needed here.
  • nano - kicksecure-dependencies-cli will pull it as dependency.
  • netbase - whonix-[gw|ws]-network-conf pulls it as dependency, therefore not needed here.
  • pinentry-curses - whonix-workstation-packages-recommended-gui pulls pinentry-qt | pinentry-x11 as dependency, therefore probably not required here.
  • procps - seems important, contains many essential debugging tools: ps, kill, free and more. Will add to kicksecure-dependencies-cli.
  • python, python-minimal, python2, python2-minimal, python2.7, python2.7-minimal - Not needed during debootstrap (mmdebstrap) phase, if needed as dependency later it will be pulled as dependency automatically anyhow.
  • rsyslog - not needed
  • sensible-utils - probably good to add to some Whonix meta package for usability.

  • systemd - That is interesting. A few Whonix packages pull it as dependency but no Whonix meta package (anon-meta-packages) depends on it. Probably also should not… A cleaner solution (no functional difference) is the next package.
  • init - Some Whonix meta package should pull it as dependency.
  • systemd-sysv - Debian package init Depends: on systemd-sysv. Therefore no need to explicitly add a Depends: anywhere.
  • cron - logrotate depends on it. Therefore we will still have this. Maybe we can/should replace cron with systemd-cron (Debian package in buster)?
  • logrotate - Not needed here since packages that use it pull it as dependency. Should check later if that is still required nowadays or replaced by systemd.

  • tasksel - we don’t use tasksel
  • tzdata - Will make package timezone-utc pull it as dependency.
  • vim-common, vim-tiny - Not installed by default in anon-meta-packages, should be suggested there if they shall be installed by default, dropping at this stage.
  • whiptail - if anything needs that, it should pull it as a dependency
  • xxd - if anything needs that, it should pull it as a dependency

Trusting that any libs will be pulled automatically as a dependency.
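
An added example (not part of the original post or of Whonix's build scripts): a check for the regression risk discussed above. It parses Debian control-style stanzas, computes the Depends closure of the meta packages, and reports which packages dropped from the mmdebstrap stage are still pulled in and which are really gone. The stanzas are constructed from the dependency relations stated in the post; on a real system they would come from `apt-cache show`.

```python
import re

# Constructed sample: control-style stanzas reflecting only the dependency
# relations stated in the post (not real archive data).
SAMPLE = """\
Package: kicksecure-dependencies-cli
Depends: apt-transport-tor, iputils-ping, less, nano

Package: non-qubes-vm-enhancements-cli
Depends: initramfs-tools

Package: initramfs-tools
Depends: initramfs-tools-core

Package: initramfs-tools-core
Depends: cpio, klibc-utils

Package: whonix-workstation-packages-recommended-gui
Depends: pinentry-qt | pinentry-x11
"""

def parse_depends(text):
    """Map package -> list of alternative groups, e.g. [['a'], ['b', 'c']]."""
    deps = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        groups = []
        for clause in filter(None, (c.strip() for c in fields.get("Depends", "").split(","))):
            # Drop version constraints "(>= 1.0)" and arch qualifiers ":any".
            alts = [re.sub(r"\s*\(.*?\)|:\w+", "", a).strip() for a in clause.split("|")]
            groups.append(alts)
        deps[fields["Package"]] = groups
    return deps

def closure(deps, roots):
    """Reachable packages; for 'a | b' only the first alternative is followed."""
    seen, stack = set(), list(roots)
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(group[0] for group in deps.get(pkg, []))
    return seen

def audit(deps, roots, dropped):
    """Split dropped packages into (still pulled in, no longer installed)."""
    reach = closure(deps, roots)
    return sorted(p for p in dropped if p in reach), sorted(p for p in dropped if p not in reach)
```

The second list returned by `audit` is the set to test for regressions, for example `pinentry-curses`, which is no longer installed once only `pinentry-qt | pinentry-x11` is declared.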