Whonix Development News

Simplified Package Build Process

genmkfile is no longer a build dependency.

genmkfile is now only a tool useful for developers. It provides commands such as genmkfile manpages or genmkfile debinstfile. See make help. It’s no longer using a Makefile but can be used like any other tool by running genmkfile from command line. Therefore most Whonix packages now no longer depend on any other Whonix packages. Therefore getting started with development of any specific package got easier.

See:

chroot debootstrap install Whonix / Kicksecure to folder

Other Linux distributions such as Qubes and ParrotOS indicated interest in a package developed by Whonix developers, namely security-misc, which does Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings.

But security-misc is only one component of security hardening. These and other Linux distributions might in future become interested to re-base to Kicksecure, which is a security-hardened, non-anonymous Linux Distribution.

chroot / debootstrap is a method to download (“install”) a Linux distribution in a folder from an already installed operating system. This has many uses and can be used to build a derivative (of Kicksecure) Linux distribution or Qubes template.

Actually not debootstrap but mmdebstrap which is better.

More about Kicksecure:

How to install Kicksecure in a chroot:

Continuous Integration (CI)

One test running on Travis CI uses travis.debian.net script (sets up a docker container which runs Debian) where package whonix-host-xfce-kvm-nonfreedom gets installed for real.

Another two tests running on Travis CI (one not using apt-cacher-ng, another using apt-cacher-ng) uses mmbdebstrap to create a chroot for the following meta packages whonix-host-xfce-kvm-nonfreedom, qubes-whonix-gateway, qubes-whonix-workstation, kicksecure-cli, kicksecure-cli-vm, kicksecure-xfce, kicksecure-xfce-vm, non-qubes-whonix-gateway-xfce, non-qubes-whonix-workstation-xfce, which then pull other Whonix packages. Therefore many new build bugs can be quickly spotted.

generally:

a recent successful build:

Consolidating Whonix Packages

Progress was made, see: consolidating Whonix packages.

Fix Extraneous Whonix Default Installed Packages Bug

See Whonix default packages review - mmdebstrap varriant related - risk of regressions.

Whonix for arm64 / Raspberry Pi ( RPi )

Quote Whonix for arm64 / Raspberry Pi ( RPi ) - duplicate forum topic - #153

There might still be minor build issues or unrelated issues due to the recent development efforts. Therefore this is likely to work better when the next stable release of Whonix gets released.

Note: only the build was fixed. I didn’t try to boot the image let alone try it on real hardware. You could help the development if you could create instructions how to boot that image using virtualization such as libvirt configuration files and/or qemu command line to boot the image from a amd64 host.

It would be good if we had a Debian based CI (continuous integration) server with full support to use mount etc. Then Whonix build script could continue to build RPi builds on that server to make sure that new changes don’t break again RPi builds.

Whonix-Host

Features:

  • Debian based,
  • virtualizer KVM pre-installed
  • Whonix-Gateway KVM pre-installed
  • Whonix-Workstation KVM pre-installed
  • Kicksecure hardened by default.
  • Whonix-Host Live ISO
  • Installable to internal hard drive or external USB.
  • Whonix-Host Installed version can be booted into Persistent Mode or Live Mode.

Whonix-Host development progressed.

See task list for initial release of Whonix-Host:
⚓ Query: Advanced Search

Help welcome!

Fixing the Desktop Linux Security Model

See also previous Whonix blog post Fixing the Desktop Linux Security Model.

Automated Testing

Done:

In development:

Whonix Automated Test Suite WATS Developer Chat


Whonix User Telegram Chat | Whonix User Matrix Chat


3 Likes