[Whonix-devel] revisiting decision of using stable as a Whonix base

bancfc at openmailbox.org bancfc at openmailbox.org
Fri May 13 03:35:38 CEST 2016

On 2016-05-10 18:09, Patrick Schleizer wrote:
>> I wanted to revisit the decision of using stable as a Whonix base. The
>> biggest (and only) advantage of using stable is to avoid unexpected
>> dependency breakages that increase maintenance burden.
>> From a security POV stable is a disaster that's guaranteed to have
>> security bugs that are not patched for years at a time. Not every
>> potentially exploitable bug that is discovered and fixed in upstream
>> software versions is marked as a cve for backporting. What appears as 
>> a
>> crash or DoS bug have security implications with enough effort. Linus 
>> is
>> infamous for doing "silent" fixes where he marks scores of bugs as DoS
>> when they have security implications and so they never make it into
>> stable distro kernels. The situation is similar for userspace software
>> in Debian stable to that suffer from publically discovered security
>> problems but don't get upgraded because of policy.
>> See:
>> https://mjg59.dreamwidth.org/41085.html
>> https://cxsecurity.com/issue/WLB-2008070032
>> Are testing snapshots a workable compromise between security and 
>> stability?
>> (Its up to you to post this conversation for public record)
> I not mind about public vs private.
> Debian testing:
> - build keeps breaking (ok, never mind and testing snapshots would do)
> - flood of constant upgrades (maybe also say never mind)
> - users will keep running into issues which creates a user support hell
> (this is serious)
> - it's impossible to keep up and to see how it interacts with Whonix.
> Just using testing in sources.list could quickly end in obscure stuff
> (like apparmor changes) resulting in Tor not longer starting and 
> whatnot.
> Or do you suggest somehow slowing down testing by having Whonix decide
> which snapshot of users are going to use?

Exactly so. This would resolve the most pressing problems like the 
breakage and support hell scenarios you describe while giving users a 
fresher/patched base for better security.

> Cheers,
> Patrick

More information about the Whonix-devel mailing list