Whonix minimal template?

cve · August 21, 2021, 8:39am

I am a fan of minimal templates ¹ in Qubes OS, as it allows one-app-per-qube compartmentalization without extra overhead (RAM, disk usage, package count).

By “minimal” I consider all non-app-specific Whonix security/privacy/anti-fingerprinting features and maybe Tor Browser, as used in most cases.

Current approach is manual uninstall of packages:

apt purge youtube-dl qubes-core-agent-passwordless-root monero-gui thunderbird hexchat onionshare qtox xpdf vlc keepassxc mousepad ristretto libimage-exiftool-perl thunar gpa
rm -rf /usr/share/binaries-freedom/electrum-appimage/
apt autoremove

, which reduces size and packages considerably, but isn’t optimal. E.g. I am not sure, what libraries are required by “core” Whonix components, and surely forgot different packages.

qubes-template-whonix ² seems to allow for custom installs, but by looking at the scripts, I did not find any config option concerning package inclusion.

Is there already a solution or recipe available for minimal Whonix-Workstation templates?

TIA for suggestions.

¹ Minimal templates | Qubes OS
² GitHub - QubesOS/qubes-template-whonix

Patrick · August 21, 2021, 9:58am

This might help:

Yeah. Currently not configurable.

github.com

Whonix/qubes-template-whonix/blob/master/whonix-gateway/04_install_qubes_post.sh#L98-L101


      
          elif [ "${TEMPLATE_FLAVOR}" = "whonix-workstation" ]; then
             [ -n "$whonix_meta_package_to_install" ] || whonix_meta_package_to_install="qubes-whonix-workstation"
          else
             error "TEMPLATE_FLAVOR is neither whonix-gateway nor whonix-workstation, it is: ${TEMPLATE_FLAVOR}"

But should be doable to add support for environment variables there.

No.

And quite unlikely to happen:

…unless contributed. For get started, a review of these ones would be useful:

Patrick · August 21, 2021, 11:21am

Done.

Untested.

And also usage, setting environment variables passed there by qubes-builder to qubes-template-whonix might be non-trivial (undocumented?). Unspecific to Whonix. Specific to qubes-builder.

cve · August 21, 2021, 2:42pm

Thank you very much for the infos and the commit @Patrick .

…unless contributed.

Let me see what I can do. Need to dig in a bit further and do some more reading first.

By the way:
Your link about Whonix Debian packages has been very helpful. qubes-whonix-gateway and qubes-whonix-workstation were uninstalled in my VMs.

Reason is: I had done

sudo apt purge qubes-core-agent-passwordless-root

, which triggered:

The following packages will be REMOVED:
qubes-core-agent-passwordless-root*
qubes-whonix-shared-packages-recommended* qubes-whonix-workstation*

A warning in this docs might be useful, if not already happened.

Patrick · August 21, 2021, 4:53pm

That’s what Debian Packages - Whonix is supposedly for.

josephsmith · November 16, 2023, 7:17pm

I’m sorry to revive this thread, but I wanted to see if there has been any progress towards building a minimal Whonix template for Qubes?

Patrick · January 15, 2024, 2:39pm

github.com/QubesOS/qubes-issues

Minimal Whonix templates

opened 12:28PM - 15 Jan 24 UTC

emanruse

T: enhancement help wanted C: Whonix P: default

### The problem you're addressing (if any) debian-12-minimal: ~1.5 GiB (468 p…ackages installed) whonix-gateway-17: ~2.2 GiB (926 packages installed) whonix-workstation-17: ~3.3 GiB (1200+ packages installed) As [asked before](http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/whonix-minimal-template/12152), it would be useful to have minimal Whonix templates. Although the default ones are suitable for beginners, for more experienced users they may be considered bloated, containing unnecessary software. Removing packages for the sake of minimizing a template is **not** the same as never having installed them. ### The solution you'd like Minimal Whonix templates, containing only essential software required for proper functioning and Tor-ification of AppVMs. ### The value to a user, and who that user might be The same as minimal templates in Qubes. Experienced users who like to have more task-focused optimized systems. Example: a qube which runs only certain `curl` commands through Tor. Or one may want to use a smaller mail client, different from the one shipped with Whonix by default. None of those require Tor Browser or Thunderbird, for example. CC: @adrelanos

I am not aware of any.

Patrick · January 15, 2024, 8:00pm

You mention POWER9 and similar - things that require adding stuff, not removing existing stuff.
The current issue is not about adding stuff but about the opposite - not adding it by default.

Unimportant detail and depending on viewpoint what is add vs remove. Adding/removing doesn’t change anything about what I said above.

It’s kinda also adding new stuff, that is a new build target and a different package selection.

“Removing” vs “adding” isn’t more complicated, doesn’t result in more questions just because of “removing” vs “adding”.

For example, debian-12-minimal differs from debian-12-xfce by the later having additional packages installed. The later is built from the former, so the xfce version is just a few more steps made after the minimal. Don’t do the extra steps and you have a minimal template.

This would be kinda similar here.

Considering Whonix is based on Debian, what is the great difference?

Does it not start from Debian minimal?

It does.

Is it not possible to simply install only Whonix specific packages in Debian minimal (I assume e.g. Thunderbird is not one of them, as one can remove it and still use Whonix)?

Possible.