[Whonix-devel] revisiting decision of using stable as a Whonix base

bancfc at openmailbox.org
Sun May 15 00:30:27 CEST 2016

On 2016-05-13 22:41, Patrick Schleizer wrote:
> I don't think this is possible with the resources we have.

The lack of maintenance power is decisive, but let's look away from it for 
a minute to continue the thought exercise.

> We cannot manage /etc/apt/sources.list.d/debian.list through a Debian
> package / apt-get.
> Let's say we had a snapshot.debian.org in
> /etc/apt/sources.list.d/debian.list as anon-apt-sources-list.
> At first run, apt-get would install a newer package of
> anon-apt-sources-list, which would ship a newer
> /etc/apt/sources.list.d/debian.list with a fresher snapshot and new
> Whonix debian packages. Only then, on next run of apt-get update and
> apt-get dist-upgrade, newer Debian packages would be installed. So the
> Whonix packages would have to be tested and compatible with the older
> and newer Debian packages.

Couldn't apt-during-apt help with this? Postpone any new Whonix package 
install until next time, when the anon-apt-sources package and the new 
snapshot packages have had a chance to upgrade?

> Or use some other mechanism to guide upgrades, something outside of
> apt-get which is not great, reinventing such a system.
> What would work in theory would be not using the official Debian
> repository, but a mirror of all Debian packages under Whonix control. So
> packages are only made available to everyone once they have been tested
> for Whonix compatibility. Ubuntu does something similar. They freeze
> Debian testing, stabilize and support.
> I don't think we have enough reliable working hours per week or even per
> month to get this done. And I can't do it alone, because then this would
> be kinda my only task.

From what I understand, Debian snapshots include packages in the whole 
archive - it's essentially a wayback machine for the official repos. 
Every two years you usually have to go through the dependency testing 
process with every major stable upgrade.

With snapshots you have more control of when the system packages get to 
transition. Let's say you update the snapshot every year or even 6 months, 
or whenever it suits you. This is still a win from a security point of view, 
because exposure time is less than waiting for a new stable snapshot.

Also, if something turns out to be badly broken in the future stable 
release, you can wait it out and skip to a newer snapshot where it's 
fixed. Essentially, instead of syncing Whonix development around Debian's 
release schedule, you instead work around your own - which hopefully 
means more frequent package upgrades. If it's still too much then it's a 
non-starter, but at least it's been explored.

> As a half baked solution there could be a maintainer who provides a
> Whonix version based on Debian testing who provides patches to make
> Whonix compatible with both stable and testing.
> Cheers,
> Patrick
