From Whonix
< Dev
Jump to navigation Jump to search

Development Notes about Fedora


Consideration for recommending Fedora as host operating system...


  • Looks much more friendly and modern.
  • It is available over SSL.
  • verification are also available over SSL.
  • gpg signing key is available over SSL.

Package Manager

  • yum is safe as apt according to the people

Consideration for using it as Virtual Machine Guest

(i.e. for Whonix-Gateway and Whonix-Workstation)

  • Is there a tool to create virtual machine images like there is grml-debootstrap for Debian?
    • The feature set of grml-debootstrap seems to be a one-liner solution to getting a full working install.
    • Fedora supports kickstart files, which are the equivalent of Debian preseeding. It should conceivably not be too difficult to achieve a grml-deboostrap experience using kickstart files plus some minimal scripting (if one does not exist already). Fedora has automated builds for docker images.
  • The more restrictive approach taken by SELinux (which is default in Fedora) might offer some security benefits.

In-Place Release Upgrades:

  • Can be release upgraded in-place from one major release to another major release. [1]

Release Cycle:

  • Fedora has a relatively short life cycle: each version is usually supported for at least 13 months, where version X is supported only until 1 month after version X+2 is released and with approximately 6 months between most versions.

  • Can Whonix keep up with that?

Conflict of interest:

  • Fedora won't really get stable since that would obsolete RHEL?

Package repository:

  • Smaller than Debian?


  • DNF equivalent is python3-dnf-plugin-torproxy.

Fedora doesn't seem to care about Reproducible

Other stuff:

  • Has not been considered yet.
  • What would be particularly interesting is if Whonix could provide a generalized set of scripts to set up the target environment in as much of a distro-agnostic way as possible (perhaps by leveraging Ansible, or similar). Making a working Fedora version in addition to Debian might be a start towards that. → Unrealistic. Would require a dedicated contributor. A port causes a huge amount of work.
  • Also interesting would be a containerized version of the Whonix-Gateway that could be easily deployed on a host OS (this provides less anonymity than what Whonix is mainly aiming at, but has different use cases): For example, setting up an OnionPi-style hotspot. Current solutions, like the Adafruit OnionPi tutorial, are (1) not very easily deployable, (2) not as feature-full -- for example, limited to HTTP or particular protocols -- not full isolating proxies, and (3) tend to have a large footprint on the host/root OS -- ideally, one Raspi could be used both for providing a Tor Hotspot and for numerous other functions, with the Tor hotspot functions contained in one LXC and using only a handful of ports and hardware interfaces from the host OS. → Same as above.

Debugging Scriptlets[edit]

1) Add the prerun scriptlet to a file by running the following command (credit[2]):

rpm -q --queryformat '%{PREUN}\n' qubes-template-whonix-gw-experimental > ~/qubes-template-whonix-gw-experimental.preun

2) Run that script as root while having errexit, xtrace enabled and output exit code:

sudo sh -ex ~/qubes-template-whonix-gw-experimental.preun 0 ; echo $?

The file name qubes-template-whonix-gw-experimental.preun actually doesn't matter. You could use a shorter file name.


sudo yum langinstall de

Requires newer yum. So at the moment the easiest is using a Fedora based VM as UpdateVM.

sudo qubes-dom0-update langinstall de


phone home issue (says closed but is unfixed):

Forum Discussion[edit]

See Also[edit]


  2. Thanks to airfishey for the on unix.stackexchange.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!