Dev/Default Application Policy
How to decide which apps come with Whonix?
Overall goal: do not kill the project by making bad decisions that get it badmouthed by The Tor Project and/or geeks.
The following numbers do not indicate priority; they exist only so the criteria can be referenced. Not written in stone!
1. There must be a reliable upgrade path. Stuff that is in Debian is perfect.
2. Upgrading must not eat up Whonix maintainers' time, to keep Whonix maintainable.
3. If the application issues network activity, there must be a way to properly configure it for Stream Isolation, to keep Tor's TransPort clean for the user's own stuff.
4. When downloading applications, especially since downloads run over Tor, strong verification must be supported (e.g. OpenPGP; apt-get does that well), or the application must be so trivial that some trusted devs can audit the code for not being intentionally malicious.
5. Must be Tor-safe. (Definition: must not be totally pseudonymous. No major protocol leaks. For example, use Tor Browser instead of Firefox, and recommend Thunderbird/TorBirdy rather than some other client.)
6. Must be Free Software / Open Source.
7. Must not be a total security disaster.
8. Must not issue network activity while the application is not in use.
9. Installation/modification must not limit discussion about Whonix to the controversy around that application. (Ex: No Tor modifications.)
10. Installing it by default in Whonix must not totally f*ck up The Tor Project.
11. We must believe that a fair number of users like it.
12. We must believe that it is usable by a fair number of users.
13. Mature, communicative upstream; not important if the application/script is trivial and maintenance is simple.
a) There is no BitCoin client installed by default in Whonix, because no GUI client was available in Debian stable at the time of release. Shipping a manually installed one by default would be a nightmare, because users wouldn't know how it was installed and would not update it. Updating would be left to the user. It is better if the whole process (download, verification, install, upgrade notification and upgrade) is up to the user.
b) There is no Email client installed by default in Whonix, because no Tor-safe client (Thunderbird + TorBirdy) was available in Debian stable at the time of release.
c) There is no torrent client installed by default in Whonix, because we know of none that fulfills 3. If one is found, this topic has to be brought up on the tor-talk mailing list, asking for their official position, due to contradictory prior statements, in order to fulfill 10.
Generally, packages.debian.org gives us:
- always stable, not breaking stable, a maintainer testing the package with Debian
- some vetting that the package does not contain an obvious backdoor
- easily installable without much long-term time sunk on the developer side: just add it once to anon-meta-packages and be done with it
- no extra repository signing keys (which have the ability to replace any package on the system). If we theoretically added something like deb.gnunet.org and it were compromised, all Whonix users would be compromised at once through a malicious upgrade. That's how Debian works: all packages have full system access, no sandboxing.
- no need to follow up on security issues of the package, no quick security fix uploads; all done by Debian
- no time sunk in re-uploading new packages to deb.whonix.org
- no download from the vendor's website
- no verification of the signature from the vendor's website
- no upload / install test from the developers repository [a broken package could break the whole system, not in malicious ways, but for example broken connectivity that cannot be restored without hacking commands into a console]
- no upload / install test from the testers repository, where more people try to run into such issues
- no migration to the stable repository
- no need to remember the state, the bug reports, and whether the whole thing was actually tested
- none of this is very difficult technically, but it is demanding on mental resources and time; without a dedicated release manager, it is better to pick fewer "special" packages from sources other than packages.debian.org
Tor from deb.torproject.org as well as Tor Browser is a tedious enough task.
In summary, there are issues with security as well as maintenance overhead.
Uploading Source Packages to deb.whonix.org
Usability-wise not very useful. Users could download and compile source packages. As far as I know there is no install/upgrade mechanism for source packages. Even if there were, they would not auto-compile and upgrade. It would require quite some documentation: apt-get source pkg-name, cd pkg-name, install build dependencies, install dependencies, build, install. More support overhead. Plus almost the same issues as for binary packages.
GNU Guix is a compromise between tracking/maintaining the dependency hell of a non-Debian program and completely excluding such programs for that reason.
By including and maintaining Guix as a gateway instead, we cut down the effort needed to obtain external programs, for us and for the program devs too.
Brief Intro: In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection (more details in the manual.)
*Where to download? How to verify? How to install? (Any compilation required?)
Download here: https://www.gnu.org/software/guix/download/
Verification and install instructions: https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
No compilation required. A signed binary tarball is distributed. The binary installation tarball can be (re)produced and verified simply by running the following command in the Guix source tree:
Full manual: https://www.gnu.org/software/guix/manual/guix.html
*Any ready-made repositories available that we can start using? Like, if one manages to install Guix on Debian or Whonix, what packages can be installed? How does that work in practice?
The Guix library is made of ~5K packages. They carry Libre packages only: https://www.gnu.org/software/guix/packages/
Packages are installed with:
guix package -i hello
*Any onion repositories?
No. I think they might be open to running one. I can talk with them and the Tor people to make it happen.
Update: Planned with serious discussions happening around this topic. https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00189.html
*Does it pass TUF's threat model?
I haven't been able to find anything on that. A very good question to discuss with them.
Update: Not yet but being worked towards and should be there by v.1.0 https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00192.html
*Socks proxy support or can torsocks work?
Package configuration definitions include support for defining network access including redirecting traffic to Tor. Manual example:
Scheme Procedure: tor-service [config-file] [#:tor tor]
Return a service to run the Tor anonymous networking daemon.
The daemon runs as the tor unprivileged user. It is passed config-file, a file-like object, with an additional User tor line and lines for onion services added via tor-hidden-service. Run man tor for information about the configuration file.
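As an added illustration (not from the Whonix wiki or the Guix manual) of how the tor-service procedure quoted above could carry the Stream Isolation requirement from criterion 3: the torrc below opens one SocksPort per application class so their streams never share a circuit, and passes it to tor-service as a file-like object. The procedure name and the (gnu services networking) module follow the manual text quoted above; the port numbers, the variable names and the service list are assumptions constructed for this example.

```scheme
;; Added example, not part of the Whonix wiki or the Guix project.
;; Assumes the tor-service procedure quoted above, exported by
;; (gnu services networking), and the %base-services list from (gnu).
(use-modules (gnu)
             (gnu services networking))

;; Constructed torrc: one SocksPort per application class.  Tor keeps
;; streams that arrive on different SocksPorts on different circuits, so
;; a browser and a mail client cannot be linked through a shared exit.
;; IsolateDestAddr/IsolateDestPort additionally split circuits per
;; destination.  Port numbers are placeholders, not Whonix's own layout.
(define %stream-isolated-torrc
  (plain-file "torrc"
              "SocksPort 9150 IsolateDestAddr IsolateDestPort   # browser
SocksPort 9151 IsolateDestAddr IsolateDestPort   # mail client
SocksPort 9152                                   # package manager
"))

;; Service list for an operating-system declaration: the Tor daemon, run
;; as the unprivileged tor user by tor-service, with the torrc above.
(define %services-with-isolated-tor
  (cons (tor-service %stream-isolated-torrc)
        %base-services))
```

The definition is meant to be used as the services field of an operating-system declaration; nothing in it hands Tor a TransPort, so the transparent-proxy port stays reserved for the user's own traffic as criterion 3 asks.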
*How does its sandboxing work and why is it secure?
Not sandboxing as in AppArmor isolation, but the ability to build/install/upgrade software without ever requiring root. Guix packages can also be shared among unprivileged user profiles.
*Any example packages?
There is the hello package as an example or any of the ones listed in the directory mentioned above(?)
Info on making packages:
*How to create a repository?
According to the manual, there is support for fetching source from git repositories and building that, so potentially any git repo can act as decentralized package hosting. Edit: I can confirm that all packages in their package list are indeed git repos hosted on Savannah.
All packages and their dependencies are available in the Guix main collection.
Interesting reading: https://arxiv.org/pdf/1305.4584.pdf