Feel free to re-suggest this one.
We can’t get rid of orage unfortunately since package xfce depends on it.
Whonix XFCE call for testers announcement is imminent. Any strong warning against it? Anything you’d like to mention?
Wiki already updated.
XFCE shall soon become the Whonix stable default download. It may still be a bit rough in the edges usability wise but still a ton better than KDE due to lower resource requirements / less VM freezes. Leaks are unlikely.
I already wondered where it went. I guess I’m going to close my related commit for now. I’d still add it in some way to the workstation together with mupdf. imho some image viewer is required for a decent user experience. The only other package where it could be added is “non-qubes-whonix-workstation-xfce”. Maybe also pulseaudio could be added to “whonix-workstation-packages-recommended-gui” and removed from “non-qubes-vm-enhancements-gui” before TNT_BOM_BOM sees it. Probably together with alsa utils and libasound. In this case “non-qubes-vm-enhancements-cli” could be merged with “non-qubes-vm-enhancements-gui” since they would only differ in one package.
Sure. We’ll add it somewhere.
kcalc, okular, gwenview, kgpg, libkf5kipi31.0.0, libkf5kipi-data do not fit into hardened-desktop-applications-kde either since that results in getting them installed on Whonix-Gateway.
Why? pulseaudio seems to fit perfectly into non-qubes-vm-enhancements-gui.
(Qubes sorts out its own audio support. And since whonix-workstation-packages-recommended-gui also gets installed on Qubes, pulseaudio does not fit there. This would result in a package conflict if Qubes moves from pulseaudio to an incompatible package that cannot be installed at the same time.)
Same as above.
This is not too simple to solve. In theory, we’d need:
- whonix-workstation-default-applications-kde AND,
This even doesn’t answer how to deal with Hardened Debian. Will think about this later.
Due to the limited prospects of a future of Whonix KDE in Debian 10 buster, I went for a slightly unclean, faster, duplicate code, but still less code in total solution.
All recent changes up to 188.8.131.52.5-developers-only are now in the stretch-developers repository.
Mostly because @TNT_BOM_BOM did not want to have it in the gateway. It would not be required in there.
Reduced delete between non-qubes-whonix-(gateway|workstation)-(kde|xfce), hopefully didn’t introduce bugs.
It looks like maybe hardened-packages-recommended-cli and hardened-packages-dependencies-cli can be merged since they are always used in the same place. The same seems to be true for whonix-shared-packages-recommended-cli and whonix-shared-packages-dependencies-cli. Also all of those could be merged, except for hardened-debian-cli where it would add whonix specific packages. hardened-debian-kde is also currently missing kde specific stuff.
All package upgrades mentioned above tested. Working well. Merged into testers repository.
Changes below are not yet built and in the repository.
Yes, let’s not add Whonix specific packages to Hardened Debian.
Yes. hardened-debian-kde isn’t much used yet. Only one untested developers-only build. I guess it is dead on arrival.
And for a future hardened-debian-xfce (TODO) we must be careful not to add applications we don’t want to see on Whonix-Gateway.
It’s not clear to me what is remaining TODO. Please consider creating http://phabricator.whonix.org tickets so we can track, assign and implement them. (Same goes for CLI version.)
One task coming to mind which I don’t know how to implement:
remove browser starter in xfce task bar
Btw session saving glad it got disabled. Due to saved session saw this issue: kdesudo error popup window ( sdwdate-gui )
PromptOnLogout? What does it prompt for? Does it prompt to save session?
When set to false and you go to Applications --> Log Out you will be logged out immediately instead of the default window appearing which asks for log out, reboot, shut down … So the default should be used which is “true”. Or just don’t set it and Xfce will use true automatically.
configure Qubes-Whonix XFCE default start menu entries (whitelisted appmenus)
Let’s consider to no longer depend on meta package xfce4. Instead, we could just depend on the individual packages we care about. Some packages that xfce4 depends on that we may not need or don’t want:
- https://packages.debian.org/buster/gtk2-engines-xfce needed?
- https://packages.debian.org/buster/libxfce4ui-utils needed?
- https://packages.debian.org/buster/thunar keep for sure
- https://packages.debian.org/buster/xfce4-appfinder probably keep
- https://packages.debian.org/buster/xfce4-panel keep for sure
- https://packages.debian.org/buster/xfce4-pulseaudio-plugin keep for sure (but perhaps workstation only, not a big deal)
- https://packages.debian.org/buster/xfce4-session maybe we can avoid this one?
- https://packages.debian.org/buster/xfce4-settings keep for sure
- https://packages.debian.org/buster/xfconf keep for sure (but might be a dependency anyhow, so we might not need to add it as a dependency in Whonix anon-meta-packages)
- https://packages.debian.org/buster/xfwm4 required
- https://packages.debian.org/buster/desktop-base good if we could avoid it (since it contains Debian’s logo) but also not a big deal if we set our own background anyhow
- https://packages.debian.org/buster/tango-icon-theme probably keep
- https://packages.debian.org/buster/thunar-volman probably keep
- https://packages.debian.org/buster/xorg we depend on xserver-xorg anyhow, not sure we need to explicitly depend on
- https://packages.debian.org/buster/gtk3-engines-xfce probably required
- https://packages.debian.org/buster/xfce4-goodies probably keep (has some things we like such as xfce4-datetime-plugin but also some things we don’t need such as
- https://packages.debian.org/buster/xfce4-power-manager avoidable?
What’s the reasoning behind this? Will it be easier to move to alternative DEs in the future? Seems like a lot of deps to add manually instead of xfce4
Unrelated since this only affects package
(Since we nowadays have non-qubes-whonix-workstation-cli it is nowadays a lot easier to add support for other desktop environments compared to times where Whonix KDE was the only thing that existed.)
See reason for each individual package above. Overall reasons:
- don’t install things which are a potential source of bugs (such as session management, remember this bug where KDE session saving caused this: kdesudo error popup window ( sdwdate-gui ))
- avoid unnecessary things (such as power savings inside VM)
- less potential privacy issues (sessions savings)
- lower attack surface
- save disk space
- not have some unnecessary, potentially harmful package included when upgrading to the next major Debian version
Agreed with your assessment of each. Pull the trigger