Try to remove the package and see what happens. Still enough time to abort. Also good to experiment in live mode. Then perhaps try to uninstall another package from that list instead to track further and further. Or uninstall and reinstall one by one using --no-install-recommends and see at which point something would pull the package.
Suggested packages are never installed by default. Only when using
--install-suggests, which I saw never anyone using. This is only about
That list of
Suggests: contains packages definitively to be avoided. Packages like gnome-keyring can cause other issues. Just not great to have any packages without really needing those.
Recommends: these should not be relied upon. Installation vs non-installation depends on which packages the user already has installed. Therefore this can lead to inconsistent / non-compareable results.
For example dnsmasq-base might recommend dnsmasq for no reason which could then interfere with host DNS. In worst case a world reachable port could be opened.
Another example for what mess it can create:
Installing git-all will delete some Whonix packages
More on why we need
In conclusion we really need start with Debian minimal, then install with and without
--no-install-recommends. Understanding the difference in packages being installed and having a basic understanding which each of this different packages would make.
By Debian policy, packages must not depend on any
Recommends: being installed for secure configuration. It won’t be that difficult after all. Just some features might break when some package is missing which can be easily fixed when knowing the difference of which packages are missing.
Whonix base install? You mean inside VMs? I wouldn’t know what pulls it . Not existing in Qubes-Whonix. Try to purge it:
sudo apt purge dnsmasq*
It might be a leftover in upgraded images. If it is removable inside Whonix VMs, it should be removed. Just cruft. That could even break alternative DNS resolvers.
(MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt) (dnsmasq-base not so much but dnsmasq might create an unwanted listener port.)