[Whonix-devel] Testers-wanted! Whonix 8 Release candidate #2 Whonix 7.7.9.8

Sat Feb 22 16:52:41 CET 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Download
########

VirtualBox
==========

Whonix-Gateway for VirtualBox
http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-8/Whonix-Gateway-8.ova/download

Whonix-Gateway for VirtualBox signature
http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-8/Whonix-Gateway-8.ova.asc/download

Whonix-Workstation for VirtualBox
http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-8/Whonix-Workstation-8.ova/download

Whonix-Workstation signature
http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-8/Whonix-Workstation-8.ova.asc/download

KVM / Qemu
==========

Entirely untested! This is only useful if you have a developers mindset!

This is the first time .qcow2 images are available (as .tar.gz, qcow2
image and signature must be unpacked):
http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-8/

We have unfinished(!) instructions for KVM:
https://www.whonix.org/wiki/KVM

There are still a few blockers before using Whonix with KVM can be
considered sane:
https://www.whonix.org/wiki/Dev/KVM

Please help out solving them. Whonix also needs a maintainer to
support using Whonix with KVM.

If you want to upgrade existing Whonix version using Whonix's APT
repository
################################################################

Use the whonix_repository tool and switch to Whonix testers
repository, see:
https://www.whonix.org/wiki/Whonix-APT-Repository

If you want to upgrade existing Whonix version from source code:
################################################################

Updating from the previous testers-only version 7.7.8.6 should be
possible, see:
https://www.whonix.org/wiki/Dev/BuildDocumentation_8_deb

Sorry, upgrading from existing Whonix version (0.5.6, 7, etc.) to
7.7.9.8. (and 8 when it's released) will not be possible.

If you want to build images from source code
############################################

See https://www.whonix.org/wiki/Dev/BuildDocumentation_8 and use git
tag 7.7.9.8.

Physical Isolation users
########################

Use Debian stable instead of testing, use git tag 7.7.9.8 and see
https://www.whonix.org/wiki/Physical_Isolation.

Changelog between Whonix 7 and Whonix 7.7.9.8 (testers-only version)
####################################################################

* Whonix is now based on Debian stable instead of Debian testing.
* In new installations, automatic updates of Whonix's debian packages
are disabled by default. During first start, users can decide if they
want to enable Whonix's APT repository or want to leave it disabled.
* Fixed Whonix's Tor Browser download and start script for TBB 3.5.
* Fixed physical isolation build script.
* Verifiable Builds. Whonix now has a feature which allows the community
to check that Whonix .ova releases are verifiably created from project's
own source code. Also made ade Whonix's APT repository verifiable (even
deterministic!). Please see
https://www.whonix.org/wiki/Verifiable_Builds for details.
* Made Whonix build script configurable (can now build terminal-only
Whonix-Gateway's and/or Whonix-Workstations; 64 bit builds and more)
* Improved Whonix News's security. All Whonix News Files are now inside
one tarball, which is signed. This stops leaking how many users are
using a particular version.
* whonixcheck's Whonix News download now checks if Whonix News are still
valid (currently up to 4 weeks) and therefore detects indefinite freeze
and replay attacks.
* whonix_repository tool now has a graphical user interface; added more
command line switches.
* Set default locale to en_US.UTF-8.
* Simplified custom user installation of TorChat, thanks to dummytor.
(Protecting from Tor over Tor.)
* Removed apper and synaptic from default installation, because they are
too confusing / have too many bugs, do not always work in all cases for
all users, #104, can still be manually installed if wanted, see also
https://www.whonix.org/wiki/Dev/Automatic_Updates
* whonixcheck: more configuration options, any function can now be
disabled, this is useful for users who wish to disable control port
filter proxy, they can disable the check_tor_bootstrap function
* whonixcheck: added protection against possibly malicious strings from
check.torproject.org (in case of a bug, compromise of check.tpo server
or CA compromise), IP strings are now max 50 characters long. User will
be warned in case the limit is exceeded.
* Whonix-Workstation: no longer installing Tor Browser by default, this
simplified implementing verifiable builds (#113), installing iceweasel
by default, which can be used to download Tor Browser, added local
iceweasel browser homepage saying that iceweasel should not be used for
anything other than downloading Tor Browser, unless one knows what one
is doing.
* Removed galternatives from whonix-workstation-default-applications
because galternatives has been (temporarily) removed from Debian testing
* Building Whonix from frozen repository, from snapshot.debian.org to
make the build script more resistant from upstream changes and also to
make Whonix verifiable.
* The Whonix Team can now use separate keys for Whonix's APT Repository
and Whonix News.
* Added technical documentation about keys in Whonix
whonix_shared/usr/share/whonix/keys/readme.
* new man page: man/whonix_shared/sdwdate.8.ronn
* Deactivated Maximizing Windows by dragging them to the top of the
screen to prevent users from accidentally maximizing their browser
window when they are using resolutions higher than 1024x768. See
https://www.whonix.org/wiki/Higher_Screen_Resolution ;
https://github.com/Whonix/Whonix/issues/110 and
https://trac.torproject.org/projects/tor/ticket/7255 for more
information. #108
* added udisks to whonix-shared-packages-recommended for mounting
removable drives
* KDE settings changes, set to oxygen as suggested by scarp in
"[Whonix-devel] Plastique kwin style & Widget Style"
* whonixcheck: increased timeout for the tor bootstrap.py utility from 5
to 10 seconds to make it compatible with slow systems as per bug
reporthttps://www.whonix.org/wiki/Special:AWCforum/st/id248/whonixcheck%3A_tor_bootstrap_statu....html
* whonixcheck: Whonix News File is now deterministic
* whonixcheck: Whonix News added timeout for gpg and tar
* added secure-delete, because it contains sfill, which can be used to
zero out free space, which is required for disk shrinking
* Deactivated running update-command-not-found during build, since not
deterministic (verifiable). Manually running is of course still possible.
* whonix_shared/etc/apt/sources.list.d/torproject.list: removed the "deb
http://deb.torproject.org/torproject.org tor-0.2.4.x-jessie main"
repository, since that repository has been removed by The Tor Project
(Tor is now in their Debian testing repository, which is already added)
* fixed a bug reported by scarp,
whonix_shared/usr/share/whonix/postinst.d/70_disable_kdm_autostart: was
not disabling other display managers other than kdm. Now using the more
generic
/usr/lib/whonix/display-manager-dpkg-post-invoke.
* msgcollector: fix race condition not always closing progress bar when
it reached 100%
* Whonix-Gateway: Workaround for
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578
https://www.whonix.org/wiki/Download#Connection_Issues_-_Tor_stops_working_after_an_Upgrade_and_needs_a_Workaround
https://www.whonix.org/wiki/Special:AWCforum/st/id287/new_tor_and_debian_updates_today....html
Set in /etc/default/tor:
USE_AA_EXEC="no" Can be commented out when that bug gets fixed.
* optionally (opt-in) building qcow2 images, first rudimentary
implementation, build target (VirtualBox or qcow2 or both) should
probably be configurable in whonix_build script (#122)
* Whonix News Blog Download / Whonix News: Whonix News Blogs (Whonix
Feature Blog and Whonix Important Blog) are now deployed over the same
mechanism as Whonix News.
* Whonix-Workstation: better implementation of dummytor using
config-package-dev (might break compatibility with Whonix 7)
* removed adrelanos' old key; removed
whonix_shared/usr/share/whonix/postinst.d/70_legacy (breaks
compatiblity with Whonix 7)
* Re-implemented uwt and dummytor using config-package-dev instead of
custom dpkg-diversions. Breaks compatibly with Whonix 7.
* Removed rawdog and pandoc since no longer required.
* moved misc scripts (Scripts for managing Whonix's offical repository
and Whonix News; debug scripts; developer documentation and deprecated
code) to https://github.com/Whonix/whonix-developer-meta-files
* whonixcheck: do not show output of gpg for Whonix News verification
* whonixcheck: do not start whonixcheck, if whonixsetup hasn't
finished yet
* whonixcheck: new --verbose / --debug options
* whonixcheck: Check that /proc/sys/net/ipv4/ip_forward and
/proc/sys/net/ipv6/ip_forward aren't set to 1 to prevent users from
shooting their own feet.
* whonixcheck: Whonix News can now optionally be signed with two keys,
as long as either one is still valid, will be accepted
* whonixcheck: whonix_shared/etc/init.d/whonixcheckd: on stop, give
whonixcheck time to gracefully shut down so it can close any still
eventually open progress bars
* whonixcheck: fix, exit cleanly (close progress bar) when killed by
other instance of whonixcheck
* whonixsetup: start whonixcheck at the end of whonixsetup on
Whonix-Workstation
* torbrowser: hide output of gpg import; ask "Start Tor Browser yes/no"
after upgrading"
* torbrowser: added timeout to gpg to prevent endless data attacks
* torbrowser/whonixcheck: alternative method detecting locally installed
Tor Browser version. When $tbb_folder/Docs/version does not exist, i.e.
when the user manually downloaded Tor Browser, try to detect version
number from ~/tor-browser_en-US/Docs/sources/versions.; comment
* desktop: higher resolution icons for whonix_repository, whonixcheck,
contribute and donate, whonix gateway firewall, tb recommend, important
blog and torbrowser
* ram adjusted desktop starter: fixed lightdm (/usr/sbin/...) auto
detection
* qcow2 images: added metadata preallocation
* qcow2 images: added "-o cluster_size=2M" to "qemu-img" for better
performance
* build script: fix "sudo: unable to resolve host debian"
* build script: added --no-options to gpg to avoid conflict with user's
gpg config files
* build script: added benchmarking
* build script: whonix_build_both: support extra parameter
* build script: got rid of grml_config by using grml-debootstrap's new
environment variables feature
* build script: skip backup-img-after-grml-debootstrap and
backup-img-after-meta-package-install build steps by default, can be
re-enabled by builder
* build script: allow running build-steps.d/2400_convert-img-to-qcow2
without root
* build script: improved error handling, when error is detected, wait
until builder presses enter before cleanup and exit to make it simpler
to read error messages when building in cli
* build script: fixed update-locale bug
build script: Avoiding "perl: warning: Setting locale failed." as
suggested on     https://wiki.ubuntu.com/DebootstrapChroot and
https://lists.debian.org/debian-amd64/2005/08/msg00249.html by setting
    export LANG="C"
* verifiable builds: new build step build-steps.d/2350_cleanup; Get rid
of /dev folder inside the vm image. This is only required for verifiable
builds. Otherwise this could be skipped. For example, "sudo
sha512sum /dev/xconsole" or "sudo sha512sum /dev/initctl" would run
forever. The /dev folder gets recreated by the kernel upon first boot.
* Improved messages.
* Lots of smaller fixes.
* Code refactoring.
* For more details, see the git log.

-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJTCMfHXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2RTk3OUIyOEE2RjM3QzQzQkUzMEFGQTFD
QjhENTBCQjc3QkIzQzQ4AAoJEMuNULt3uzxIvHoP/3KjuhAVj32oF5RN0owwkOXT
UJYk2Y7C3WwhqQiAlVpJFWTLUG8+LEfTPozJk3gY97dRTip2W4VkL23CMmgyVI8+
JvzHWcBCHhm+p5hssWGiRaiD77v7gI3WmKvzBuhn1yk2TufXx0VaZi3B9zpQjJfe
PnvPf7NwT4Ii023PDI2o2sUdytcrbLRwB6gOT2nwp0Mise650c5CZiqTRSUto7sS
vf1+Bxs/nHKN8DFomCri4IavBeUvVkqTpIZhbq3covdMKZa855r7vXtamHurPTd6
ynGwBB4LHWk/35TLgml53wVN58vjeC8PhjDe8Zfa+w80qh/pG6j9bj5Iw+7or6DB
41mNvTRkV2/G3HQ1cNtda6dplLbfo62ft451qk4xCWJvOnXTOezjfQJ/3Jk5AQuT
3do47EbVEu3uxM7Lo0bqCFevgCEzyqTEovyARzJeksSMsXWkSHcPHYHVGN/AGMA+
hvxorHp9dMm08VjZk8HCXZK2xgxRhnuKAeKTR/oPFZGD9vsS/bqc7IDLr8AOjcTC
8gRQQ9Rd9T879mhTeE/CaLT1akzOzLeCWARxXy+cLlarIPMkmDPvlGPSyV9d3akU
pWBbQ8VJ6OMwAVZ5l3aY1CqOKRCzSSasWF+U59la5kXphVwIlnNVRu0OGN8CAkCE
RxVRnqRvhQ+FiKEzUizp
=tRXU
-----END PGP SIGNATURE-----