Whonix minimal template?

cve · August 21, 2021, 8:39am

I am a fan of minimal templates ¹ in Qubes OS, as it allows one-app-per-qube compartmentalization without extra overhead (RAM, disk usage, package count).

By “minimal” I consider all non-app-specific Whonix security/privacy/anti-fingerprinting features and maybe Tor Browser, as used in most cases.

Current approach is manual uninstall of packages:

apt purge youtube-dl qubes-core-agent-passwordless-root monero-gui thunderbird hexchat onionshare qtox xpdf vlc keepassxc mousepad ristretto libimage-exiftool-perl thunar gpa
rm -rf /usr/share/binaries-freedom/electrum-appimage/
apt autoremove

, which reduces size and packages considerably, but isn’t optimal. E.g. I am not sure, what libraries are required by “core” Whonix components, and surely forgot different packages.

qubes-template-whonix ² seems to allow for custom installs, but by looking at the scripts, I did not find any config option concerning package inclusion.

Is there already a solution or recipe available for minimal Whonix-Workstation templates?

TIA for suggestions.

¹ _https://www.qubes-os.org/doc/templates/minimal/
² _https://github.com/QubesOS/qubes-template-whonix

Patrick · August 21, 2021, 9:58am

This might help:

Yeah. Currently not configurable.

github.com

Whonix/qubes-template-whonix/blob/master/whonix-gateway/04_install_qubes_post.sh#L98-L101


      
          elif [ "${TEMPLATE_FLAVOR}" = "whonix-workstation" ]; then
             [ -n "$whonix_meta_package_to_install" ] || whonix_meta_package_to_install="qubes-whonix-workstation"
          else
             error "TEMPLATE_FLAVOR is neither whonix-gateway nor whonix-workstation, it is: ${TEMPLATE_FLAVOR}"

But should be doable to add support for environment variables there.

No.

And quite unlikely to happen:

…unless contributed. For get started, a review of these ones would be useful:

Patrick · August 21, 2021, 11:21am

Done.

Untested.

And also usage, setting environment variables passed there by qubes-builder to qubes-template-whonix might be non-trivial (undocumented?). Unspecific to Whonix. Specific to qubes-builder.

cve · August 21, 2021, 2:42pm

Thank you very much for the infos and the commit @Patrick .

…unless contributed.

Let me see what I can do. Need to dig in a bit further and do some more reading first.

By the way:
Your link about Whonix Debian packages has been very helpful. qubes-whonix-gateway and qubes-whonix-workstation were uninstalled in my VMs.

Reason is: I had done

sudo apt purge qubes-core-agent-passwordless-root

, which triggered:

The following packages will be REMOVED:
qubes-core-agent-passwordless-root*
qubes-whonix-shared-packages-recommended* qubes-whonix-workstation*

A warning in this docs might be useful, if not already happened.

Patrick · August 21, 2021, 4:53pm

That’s what Debian Packages - Whonix is supposedly for.