Fortunately gag orders and NSLs don't exist in German jurisdiction yet, so Whonix is safe.
Also, warrant canaries are not bulletproof since Australia's government added provisions that work around it:
True, but they aren't far away with this kind of stuff, and agencies can still pressure someone to do certain things without an official gag order.
I don't think a canary should only be used when "official" papers come in…
just my 2 cents
What kind of pressure? Blackmailing? Violence?
Warrant canaries work if there are leftovers of constitutional [1] leftovers. The state playing by the law and the people defending with other laws. Once the law is ignored, I don't see how canaries are still of any help.
[1] English: meaning due process (of law)
[1] German: ordentliches, rechtsstaatliches, faires Verfahren / Gerichtsverfahren
Good day,
Adding to that, the question would be what purpose a canary would serve for Whonix. There is literally no information a hypothetical NSL could "get" from this project, as neither the forum nor the wiki logs anything about its users (most of them using Tor anyway), and the source code for Whonix is public either way.
Have a nice day,
Ego
A request to add a vulnerability / backdoor to the binary version / to a package upgrade?
I don't know whether the legal theory behind NSLs includes such a possibility. I know much too little about the US legal system and the legal theory behind it. With my little understanding of the warrant canary legal theory, however, asking to add a backdoor to the source code / binary could perhaps be considered forced speech. And the legal theory behind NSLs / warrant canaries says that forced speech cannot be demanded in the first place. And elsewhere it was legally established that "code is speech".
Good day,
Well, an NSL after the American model, which as already mentioned isn't really applicable to a German project, only allows for requesting the release of telecommunication, bank record and similar information. That's what I meant, since there is no information Whonix's forum/wiki stores about their users which isn't publicly accessible either way. Forcing anything into the source code isn't possible because, as you mentioned, according to Bernstein v. US, code is protected under the First Amendment and, adding to that, NSLs haven't been designed for that purpose either way.
Have a nice day,
Ego
I shouldn't be bound by previous opinions of mine.
Recently I had the idea that a warrant canary could be implemented with almost zero extra maintenance effort.
Based on Qubes warrant canary:
- example: qubes-secpack/canary-018-2019.txt at master · QubesOS/qubes-secpack · GitHub
- template: qubes-secpack/canary-template.txt at master · QubesOS/qubes-secpack · GitHub
Below is the template that I had in mind.
---===[ Whonix Canary #_ ]===---
Statements
-----------
The Whonix lead developer digitally signed this file
and states the following:
1. The date of issue of this canary is: see time of gpg signature
2. No warrants have ever been served to us with regard to the Whonix
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
3. We plan to publish the next of these canary statements the next
time the Whonix APT repository gets re-signed.
This file should be signed via detached OpenPGP signature.
Do not just trust the contents of this file blindly!
Verify the digital signatures!
Special announcements
----------------------
None.
Disclaimers and notes
----------------------
We would like to remind you that Whonix has been designed under the
assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any Whonix-related data, in
particular, software updates, source code repositories, and Whonix
downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.
The news feeds quoted below (Proof of freshness) serve to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.
Proof of freshness
-------------------
Proof of freshness will be appended similar to Qubes.
Let me know what you think.
I like the formatting. Keep it simple so everyone can understand it.
Maybe one change.
The Whonix lead developer digitally signed this file
and states the following:
If it's only you signing the file.
- Don't you want the Whonix master key fingerprint somewhere?
- How often (very roughly) will the Whonix APT repository get resigned? Readers will want to know.
- Bit wordy & passive language?
Instead, how about:
Whonix Canary
Statements
The Whonix lead developer who digitally signed this file states the following:
-
Canary issue date: see the gpg signature time.
-
No warrants have ever been served on the Whonix Project; for example, to hand out the private signing keys or to introduce backdoors.
-
We plan to publish the next canary statement whenever the Whonix APT repository is re-signed. This occurs approximately every month. [Ref 1] [Ref 2]
This file should be signed with a detached OpenPGP signature by the Whonix lead developer.
Do not trust the contents of this file blindly - always verify digital signatures!
Special announcements
None.
Disclaimers and notes
Be mindful that Whonix has been designed under the assumption that all relevant infrastructure is permanently compromised. This means NO trust is placed in any of the servers or services which host or provide any Whonix-related data, particularly software updates, source code repositories, and Whonix downloads.
This canary scheme is not infallible. Signing the declaration makes it very difficult for a third party to produce arbitrary declarations, but this does not prevent the use of coercion, blackmail, compromise of the signer's laptop or other measures to produce false declarations.
The news feeds quoted below (see Proof of freshness) confirm this canary could not have been created earlier than the issue date. This demonstrates a series of canaries was not created in advance.
This declaration is provided without any guarantee or warranty. It is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made here.
Proof of freshness
(coming soon)
References
- https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11
- DebianRepository/Format - Debian Wiki "The Valid-Until field may specify at which time the Release file should be considered expired by the client."
I haven't seen this by anyone else except Qubes. And "Qubes does so" by itself isn't an argument. Perhaps I should have asked Qubes for the reasoning behind it? Well, the Whonix master key fingerprint will be visible when checking the gpg signature of the canary. If another (malicious) fingerprint were to sign the canary, they'd just change the contents of the file too. So yeah, an implicit assumption (not written anywhere before now, but assumed) is that the one verifying the canary already knows the Whonix™ Signing Key by heart. Maybe not by heart, but they already need to know which identity/fingerprint is behind it, for whom it makes sense to sign the canary.
Good point. The valid-until period is currently set to 1 month. (Debian uses 2 weeks.)
(On APT valid-until: Valid-Until field in Release files | Ganneff's Little Blog)
( https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11 )
So I have to re-sign the Whonix repository less than 1 month after I signed it last time. I do it most times when I work on Whonix source code, and when I remember. So it's infrequent. But we haven't had outdated apt repository metadata for a while, so that works quite well.
Not sure what you mean by that but by experience your suggestions are almost(?) always taken.
Please add.
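As an added example (not from this thread and not Whonix project code), here is a Python verifier that applies the checks the canary text and the fingerprint discussion above call for: the detached OpenPGP signature must verify, the primary key behind it must be the fingerprint the reader already knows out of band, the signature must be neither future-dated nor older than the republishing window the canary promises, and the statement the canary exists to carry must be present. gpg's machine-readable `--status-fd` output is parsed so the decision logic runs offline here on a constructed transcript; the fingerprint constant, the sample status lines and the sample canary text are placeholders, not the project's real values. Proof of freshness is not checked, since that requires comparing the quoted headlines against the live feeds.

```python
"""Canary verifier (added example, not Whonix project code).

Checks a warrant canary the way the thread says it must be checked:
  1. the detached OpenPGP signature verifies (delegated to the gpg binary),
  2. the *primary* key behind the signature is the fingerprint the reader
     already knows out of band (the implicit assumption discussed above),
  3. the signature is neither from the future nor older than the
     republishing window the canary promises,
  4. the statement the canary exists to carry is actually present.
gpg's machine-readable --status-fd output is parsed so the decision logic
can be exercised offline on a constructed transcript.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# PLACEHOLDER fingerprint: the real Whonix master key fingerprint is deliberately
# not embedded here; a verifier must already know it from an out-of-band copy of
# the project's signing key page, never learn it from the canary itself.
EXPECTED_PRIMARY_FPR = "0000000000000000000000000000000000000000"
# Republishing window: the canary promises a successor within four weeks.
MAX_AGE_SECONDS = 28 * 24 * 3600
# Tolerated clock skew between signer and verifier.
CLOCK_SKEW_SECONDS = 300
# The sentence whose absence (or mutation) is the whole point of the canary.
REQUIRED_STATEMENT = "No warrants have ever been served"


@dataclass
class CanaryVerdict:
    ok: bool
    reason: str
    signed_at: Optional[int] = None  # Unix timestamp of the signature, if any


def parse_validsig(status_output: str) -> Optional[Tuple[str, int, str]]:
    """Extract (signing-key fpr, signature timestamp, primary-key fpr) from
    gpg's VALIDSIG status line. Field layout (12 whitespace-separated fields):
    [GNUPG:] VALIDSIG <fpr> <YYYY-MM-DD> <sig-ts> <expire-ts> <sig-ver>
             <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
    Returns None when gpg emitted no VALIDSIG (bad signature, unknown key, ...).
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2].upper(), int(fields[4]), fields[11].upper()
    return None


def evaluate(status_output: str, canary_text: str, now: int,
             expected_primary_fpr: str = EXPECTED_PRIMARY_FPR,
             max_age: int = MAX_AGE_SECONDS) -> CanaryVerdict:
    """Apply the four checks to a gpg status transcript and the canary text."""
    sig = parse_validsig(status_output)
    if sig is None:
        return CanaryVerdict(False, "no VALIDSIG from gpg: signature missing, bad, or signer key not imported")
    _signing_fpr, signed_at, primary_fpr = sig
    # Compare the primary key, not the signing subkey: subkeys may rotate,
    # the master key fingerprint is what the reader has memorised.
    if primary_fpr != expected_primary_fpr.upper():
        return CanaryVerdict(False, f"signed under unexpected primary key {primary_fpr}", signed_at)
    if signed_at > now + CLOCK_SKEW_SECONDS:
        return CanaryVerdict(False, "signature timestamp lies in the future", signed_at)
    if now - signed_at > max_age:
        return CanaryVerdict(False, "canary is stale: no fresh statement within the promised window", signed_at)
    if REQUIRED_STATEMENT not in canary_text:
        return CanaryVerdict(False, "required statement is missing from the canary text", signed_at)
    return CanaryVerdict(True, "canary valid and fresh", signed_at)


def verify_canary_files(canary_path: str, sig_path: str, now: Optional[int] = None) -> CanaryVerdict:
    """Real-world entry point: runs gpg on canary.txt / canary.txt.asc.
    Requires gpg on PATH with the signer's public key already imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, canary_path],
        capture_output=True, text=True, check=False)
    with open(canary_path, encoding="utf-8") as fh:
        canary_text = fh.read()
    return evaluate(proc.stdout, canary_text, now if now is not None else int(time.time()))


# --- Constructed sample data (not real gpg output, not the real canary) ---
SAMPLE_SIGNED_AT = 1559347200  # 2019-06-01 00:00:00 UTC
SAMPLE_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Canary Signer <canary@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-06-01 {SAMPLE_SIGNED_AT} 0 4 0 1 10 01 {EXPECTED_PRIMARY_FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_CANARY = """---===[ Whonix Canary #1 ]===---
Statements
-----------
1. Canary issue date: see the gpg signature time.
2. No warrants have ever been served on the Whonix Project.
3. We plan to publish the next canary statement within 4 weeks.
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_STATUS, SAMPLE_CANARY, now=SAMPLE_SIGNED_AT + 7 * 86400))
    print(evaluate(SAMPLE_STATUS, SAMPLE_CANARY, now=SAMPLE_SIGNED_AT + 40 * 86400))
```

Two design choices matter here: the comparison is against the primary key fingerprint (the last VALIDSIG field) rather than the signing subkey, because that is the fingerprint a reader memorises, and "stale" is decided from the signature timestamp rather than the file's download time, so a canary served late is still rejected.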
Thanks. I edited that into my suggested canary text above.
At step 3, I noted there should also be two footnotes:
- https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11
- DebianRepository/Format - Debian Wiki "The Valid-Until field may specify at which time the Release file should be considered expired by the client."
This canary looks good to go?
When it's up with Proof of Freshness, we only need to change the wiki canary entry accordingly.
What I never understood, which made me doubt the usefulness of canaries, but also never asked in public:
What if the case we are trying to plan for here actually happens? What if:
- a legal basis exists to request adding a backdoor to Whonix, and
- the canary doesn't get updated,
- (assume the absence of other kinds of coercion, for simplicity and focus of this question).
Then, after the canary doesn't get updated in time, the public could reasonably assume that a backdoor was added to Whonix.
As a result: everyone who used Whonix from the time of the last canary issued (no-backdoor version) until the canary expired (backdoor added in the meanwhile) would be potentially compromised by the backdoor, depending on the type of backdoor.
That would be a very bad result indeed. But perhaps it is better to know after a month that one was compromised for a month than never knowing it? Is that the point of a canary?
"Positives" (if they can be called that) in such worst-case scenarios:
- A canary might dissuade requests for adding a backdoor?
- People might look for the backdoor, catch it, analyze it and widely publicize?
- Possibly make similar backdoors in future unlikely by technological improvements?
- People could fork Whonix and fix the issue?
What Lavabit actually did by shutting down their service seems much better than what Lavabit could have done if they had just had a canary and let it expire.
A warrant canary still seems to me to have a very narrow scope:
- legally forced to add a backdoor
- legally forbidden to shut down service (can one be forced to run a project/business?)
- legally allowed to not update canary (right to refuse compelled speech)
Note: The point of this post is gathering a better understanding, possibly leading to a better implementation. The Whonix canary will be implemented in the near future either way.
While I don't see how it applies to Whonix, (2) can certainly happen in cases where authorities view the operation as illegal / supporting illegal activities: they take over the project while the project manager is required / coerced to cooperate. We have seen it happen with darknet markets.
I agree that a combination of all 3 is quite unlikely.
Of course. Some users didn't have a chance to update and will not be affected. They are saved. Others didn't have potentially harmful material yet. The rest will minimize the damage in any way they can and abstain from adding further compromising material or engaging in communication that can compromise others.
Another point: there is some apparent contradiction between the principle of "perform updates as frequently as possible" and this canary concept. If indeed there is a canary (that is reliable in at least some scenarios), won't it be better to update from Whonix sources only once a month, after it's published? (Or you can look at it as a possible negative of having a canary: users delay updates.)
Or the way the original TrueCrypt devs shut down shop by releasing a version that doesn't encrypt.
Shutting down the website/code repos is indeed a more visible warning than any text notice.
Canary is now live.
- https://download.whonix.org/whonixdevelopermetafiles/canary/canary.txt
- https://download.whonix.org/whonixdevelopermetafiles/canary/canary.txt.asc
Duplicated to github in case of whonix.org server issues.
Fixed.
Can you please change two things:
- Should have [1] [2] instead of [Ref 1] [Ref 2] in a few places (top section & footnotes section)
- Please add at the top this missing part and underline "Statements" (you want to keep numbering them, right?):
---===[ Whonix Canary #1 ]===---
Statements
References removed entirely because there is no need to mention my internal process "of doing this most of the time whenever I re-sign the Whonix repository". Greatly simplified:
We plan to publish the next canary statement within 4 weeks.
Sorry, I didn't get this one.
Actually, no, I don't have numbering in mind.
Btw canary-template.txt lives here:
Pull requests welcome.