Whonix default packages review - mmdebstrap variant related - risk of regressions

Long, full details. TLDR in next post.

It came to my attention that rsyslog is installed by default in Non-Qubes-Whonix. There is really no need for it nowadays. Among other non-essential packages.

Found the root cause. It’s related to which mmdebstrap (or same for debootstrap) variant gets used.

Symptom:


These are the “important” packages.

I: installing remaining packages inside the chroot…
Reading package lists…
Building dependency tree…
adduser is already the newest version (3.118).
apt is already the newest version (1.8.2).
debconf is already the newest version (1.5.71).
debian-archive-keyring is already the newest version (2019.1).
gpgv is already the newest version (2.2.12-1+deb10u1).
mawk is already the newest version (1.3.3-17+b3).
libpam-modules is already the newest version (1.3.1-5).
libpam-modules-bin is already the newest version (1.3.1-5).
libpam-runtime is already the newest version (1.3.1-5).
passwd is already the newest version (1:4.5-1.1).
fdisk is already the newest version (2.33.1-0.1).
The following additional packages will be installed:
dirmngr dmsetup gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client
gpg-wks-server gpgconf gpgsm initramfs-tools-core klibc-utils libapparmor1
libapt-inst2.0 libargon2-1 libassuan0 libbsd0 libcap2 libcap2-bin
libcom-err2 libcryptsetup12 libdevmapper1.02.1 libdns-export1104
libeatmydata1 libelf1 libestr0 libexpat1 libext2fs2 libfastjson4 libidn11
libip4tc0 libip6tc0 libiptc0 libisc-export1100 libjson-c3 libklibc libkmod2
libksba8 libldap-2.4-2 libldap-common liblocale-gettext-perl liblognorm5
libmnl0 libncurses6 libnetfilter-conntrack3 libnewt0.52 libnfnetlink0
libnftnl11 libnpth0 libpopt0 libprocps7 libpython-stdlib libpython2-stdlib
libpython2.7-minimal libpython2.7-stdlib libreadline7 libsasl2-2
libsasl2-modules-db libslang2 libsqlite3-0 libtext-charwidth-perl
libtext-iconv-perl libtext-wrapi18n-perl libxtables12 linux-base lsb-base
mime-support pinentry-curses python-minimal python2 python2-minimal
python2.7 python2.7-minimal xxd


These are the “important” packages and the resulting dependencies being installed.

The following NEW packages will be installed:
apt-transport-tor apt-utils bsdmainutils cpio cron debconf-i18n dirmngr
dmidecode dmsetup e2fslibs e2fsprogs eatmydata gdbm-l10n gnupg gnupg-l10n
gnupg-utils gnupg2 gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm
ifupdown init initramfs-tools initramfs-tools-core iproute2 iptables
iputils-ping isc-dhcp-client isc-dhcp-common klibc-utils kmod less
libapparmor1 libapt-inst2.0 libargon2-1 libassuan0 libbsd0 libcap2
libcap2-bin libcom-err2 libcomerr2 libcryptsetup12 libdevmapper1.02.1
libdns-export1104 libeatmydata1 libelf1 libestr0 libexpat1 libext2fs2
libfastjson4 libidn11 libip4tc0 libip6tc0 libiptc0 libisc-export1100
libjson-c3 libklibc libkmod2 libksba8 libldap-2.4-2 libldap-common
liblocale-gettext-perl liblognorm5 libmnl0 libncurses6
libnetfilter-conntrack3 libnewt0.52 libnfnetlink0 libnftnl11 libnpth0
libpopt0 libprocps7 libpython-stdlib libpython2-stdlib libpython2.7-minimal
libpython2.7-stdlib libreadline7 libsasl2-2 libsasl2-modules-db libslang2
libsqlite3-0 libss2 libssl1.1 libtext-charwidth-perl libtext-iconv-perl
libtext-wrapi18n-perl libxtables12 linux-base logrotate lsb-base
mime-support mount nano netbase pinentry-curses procps python python-minimal
python2 python2-minimal python2.7 python2.7-minimal readline-common rsyslog
sensible-utils systemd systemd-sysv tasksel tasksel-data tzdata udev
vim-common vim-tiny whiptail xxd
0 upgraded, 118 newly installed, 0 to remove and 0 not upgraded.
Need to get 31.4 MB of archives.


Quote mmdebstrap(1) — mmdebstrap — Debian buster — Debian Manpages

VARIANTS

All package sets also include the direct and indirect hard dependencies (but not recommends) of the selected package sets. The variants minbase, buildd and -, resemble the package sets that debootstrap would install with the same –variant argument.

extract

Installs nothing by default (not even “Essential:yes” packages). Packages given by the “–include” option are extracted but will not be installed.

custom

Installs nothing by default (not even “Essential:yes” packages). Packages given by the “–include” option will be installed. If another mode than chrootless was selected and dpkg was not part of the included package set, then this variant will fail because it cannot configure the packages.

essential

“Essential:yes” packages.

apt

The essential set plus apt.

required, minbase

The essential set plus all packages with Priority:required and apt.

buildd

The minbase set plus build-essential.

important, debootstrap, -

The required set plus all packages with Priority:important. This is the default of debootstrap.

standard

The important set plus all packages with Priority:standard.

“important” is the mmdebstrap default (which includes the following partially unwanted packages such as rsyslog). Now downgraded to “required” in Whonix git master.

Even if we want to keep these packages, they should be re-added in anon-meta-packages/debian/control (Whonix/anon-meta-packages on GitHub).

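As an added example (not part of the post), a small Python script that parses apt transcripts in the format quoted above and computes which packages the “important” variant adds on top of the dependency closure of the “required” run; that difference is exactly the list a reviewer has to justify package by package. The two transcripts embedded in it are constructed, shortened excerpts, not the full output from the post.

```python
"""Diff two apt install transcripts to find the top-level packages a variant adds.

Added example, not from the forum thread. The transcripts below are constructed,
shortened excerpts in the same format as the mmdebstrap output quoted in the post.
"""
import re

# Constructed sample: what the "required" variant run reports (dependencies only).
REQUIRED_RUN = """\
I: installing remaining packages inside the chroot...
adduser is already the newest version (3.118).
The following additional packages will be installed:
  dirmngr gnupg gpg libcap2 libcap2-bin
  libestr0 liblognorm5
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
"""

# Constructed sample: what the "important" variant run reports.
IMPORTANT_RUN = """\
The following NEW packages will be installed:
  apt-utils cron dirmngr gnupg gpg libcap2 libcap2-bin
  libestr0 liblognorm5 rsyslog systemd
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
"""

HEADER = re.compile(r"^The following (?:additional|NEW) packages will be installed:")
SUMMARY = re.compile(r"^(\d+) upgraded, (\d+) newly installed", re.M)

def parse_install_set(transcript):
    """Return the set of package names apt says it will newly install."""
    pkgs, in_list = set(), False
    for line in transcript.splitlines():
        if HEADER.match(line):
            in_list = True          # package names follow, indented or not
            continue
        if SUMMARY.match(line):
            break                   # summary line ends the package list
        if in_list:
            pkgs.update(line.split())
    return pkgs

def parse_newly_installed(transcript):
    """Count apt reports in its summary line, for cross-checking the parsed set."""
    m = SUMMARY.search(transcript)
    return int(m.group(2)) if m else None

def extra_top_level(base_transcript, variant_transcript):
    """Packages the variant run installs that the base run did not pull in."""
    return sorted(parse_install_set(variant_transcript) - parse_install_set(base_transcript))

if __name__ == "__main__":
    for name in extra_top_level(REQUIRED_RUN, IMPORTANT_RUN):
        print("needs a reason or a meta-package dependency:", name)
```

Run against the two full transcripts from the post, the output is the review list that follows; any package left in it without an owning meta package is attack surface the image carries for no stated reason.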

The basic idea is that as few packages as possible should be installed at the debootstrap (mmdebstrap) stage. Only essential “required” packages should be installed to have a functional base Debian image which then can be built on top. Everything else should be managed by meta packages (anon-meta-packages), as a dependency of a Whonix package or as dependencies. This results in better control over which packages get installed, leads to fewer unneeded packages, fewer sources of issues, faster upgrades, smaller image size.


  • lsb-base - Has many reverse-depends lsb-base that will hopefully pull this if required.
  • mime-support - Not sure. Not many reverse-depends mime-support. If missing, opening some files such as jpeg in ristretto or other default application pairings might break. Let’s try without.
  • readline-common - Not sure. Very few reverse-depends readline-common. Let’s try without.

  • apt-transport-tor - Not needed here since kicksecure-dependencies-cli will pull it.
  • apt-utils - contains apt-extracttemplates which sounds somewhat important “apt-extracttemplates is used to extract config and template files from debian packages. It is used mainly by debconf(1) to prompt for configuration questions before installation of packages.” - but these debconf prompts are bad for usability and APT automation anyhow. Let’s try without unless there is already a reason why it’s needed.
  • bsdmainutils - Does not seem important.
  • cpio - Not needed here since initramfs-tools-core will pull it.
  • dmidecode - Looks not important. Try without.
  • e2fslibs - transitional package. Try without.
  • e2fsprogs - contains fsck.ext4, will add to kicksecure-dependencies-cli.
  • eatmydata - no need.
  • gdbm-l10n, gnupg-l10n, debconf-i18n - Language packages, multi language support out of scope for now, will drop.


  • gnupg (full suite of GnuPG) - Do we want this? Just a meta package that pulls dirmngr, gnupg-utils, gpg-wks-client, gpg-wks-server, gpgsm, gpgv.
  • gnupg-utils - Does not seem important. Do we need this?
  • gnupg2 - dummy transitional package
  • gpg (GNU Privacy Guard – minimalist public key operations) - whonix-workstation-packages-recommended-cli will pull it.
  • gpgconf - gpg depends on it, therefore we get this anyhow.
  • dirmngr - whonix-workstation-packages-recommended-cli will pull it.
  • gpg-agent - Do we need this?
  • gpg-wks-client - Do we need this? Web Key Service protocol. Probably best discussed in separate forum thread.
  • gpg-wks-server - Do we need this?
  • gpgsm (GNU privacy guard - S/MIME version) - Do we need this?

  • iptables - whonix-firewall package depends on it, no need here.
  • initramfs-tools - Not needed here since non-qubes-vm-enhancements-cli already depends on it.
  • initramfs-tools-core - Not needed here since initramfs-tools will pull it as dependency.

  • ifupdown - Not needed here since whonix-[gw|ws]-network-conf pulls ifupdown as a dependency.
  • iproute2 - Not needed here ifupdown will pull it as dependency and whonix-[gw|ws]-network-conf depends on ifupdown.
  • iputils-ping - Not needed here since kicksecure-dependencies-cli already depends on it.
  • isc-dhcp-client, isc-dhcp-common - We don’t want this and if we wanted for kicksecure-network-conf or something the dependency should be defined in that package

  • klibc-utils - initramfs-tools-core will pull it as dependency.
  • kmod - Not needed here since linux image packages will pull it as dependency.
  • less - kicksecure-dependencies-cli will pull it as dependency.
  • linux-base - Not needed here since linux image packages will pull it as dependency.
  • mount - systemd will pull it as dependency therefore we will still have it and not needed here.
  • nano - kicksecure-dependencies-cli will pull it as dependency.
  • netbase - whonix-[gw|ws]-network-conf pulls it as dependency, therefore not needed here.
  • pinentry-curses - whonix-workstation-packages-recommended-gui pulls pinentry-qt | pinentry-x11 as dependency, therefore probably not required here.
  • procps - seems important, contains many essential debugging tools ps, kill, free and more. Will add to kicksecure-dependencies-cli.
  • python, python-minimal, python2, python2-minimal, python2.7, python2.7-minimal - Not needed during debootstrap (mmdebstrap) phase, if needed as dependency later it will be pulled as dependency automatically anyhow.
  • rsyslog - not needed
  • sensible-utils - probably good to add to some Whonix meta package for usability.

  • systemd - That is interesting. A few Whonix packages pull it as dependency but no Whonix meta package (anon-meta-packages) depends on it. Probably also should not… A cleaner solution (no functional difference) is the next package.
  • init - Some Whonix meta package should pull it as dependency.
  • systemd-sysv - Debian package init Depends: on systemd-sysv. Therefore no need to explicitly add a Depends: anywhere.
  • cron - logrotate depends on it. Therefore we will still have this. Maybe we can/should replace cron with systemd-cron (Debian buster package)?
  • logrotate - Not needed here since packages that use it pull it as dependency. Should check later if that is still required nowadays or replaced by systemd.

  • tasksel - we don’t use tasksel
  • tzdata - Will make package timezone-utc pull it as dependency.
  • vim-common, vim-tiny - Not installed by default in anon-meta-packages, should be suggested there if they shall be installed by default, dropping at this stage.
  • whiptail - if anything needs that, it should pull it as a dependency
  • xxd - if anything needs that, it should pull it as a dependency

Trusting that any libs will be pulled automatically as a dependency.

Needed for signing Whonix builds

No

Reads CPU serial no.

Yes


It’s about packages installed early in the image.
Unrelated to host (build) system.
Missing host build dependencies should be added here:

Ok, good. Thank you for looking into this! 🙂

Yes but no real need to have that package installed early or have it installed by default for everyone?

Will answer in Disk & USB Automount in Kicksecure - #21 by 59mpci2GJ5xlHhY


debconf: delaying package configuration, since apt-utils is not installed

I guess we don’t get rid of these prompts but delay those. Therefore better added.