Actions

Bug Reports and Software Development

From Whonix

Bug Report Recommendations[edit]

Non-critical Bugs[edit]

Users who find bugs are encouraged to report them to the Whonix ™ issue tracker. To assist developers, please refer to the Reporting Guidelines further below when describing the problem.

Once notified issues are reproduced and confirmed, developers discuss the problem in order to find a suitable solution or workaround. All Whonix ™ source code fixes and related matters are implemented as quickly as possible and the finding is posted for the public benefit.

Security Vulnerabilities[edit]

Responsible disclosure: Users are kindly asked to privately report security bugs and describe the problem in detail - see the recommended Reporting Guidelines below for guidance. Lead Whonix ™ developer Patrick Schleizer should be contacted via OpenPGP encrypted mail before the information is published in public forums; see Contacting Whonix ™ developers / Feedback / Questions. In this way, vulnerabilities can be patched without endangering the Whonix ™ population and the notifier can be credited with the finding(s) after the change reaches the stable repository (or next Whonix ™ release).

Reporting Guidelines[edit]

Before developers take time to answer concerns, the reporter should make a reasonable attempt to demonstrate it is an actual issue. Whonix ™, Qubes OS and most other software projects expect thorough reports to include: [1]

  1. Whonix ™ version and platform.
  2. Affected component(s) or functionality.
  3. Steps to reproduce the behavior.
  4. Expected behavior.
  5. Actual behavior - including detailed console output.
  6. Context - How has this issue affected you? What are you trying to accomplish? Providing context helps us come up with a solution that is most useful in the real world.
  7. Relevant Documentation that was consulted.
  8. Any related, non-duplicate issues (bugs).

The following example report would be considered wholly insufficient by Whonix ™ developers:

  • Platform: Non-Qubes-Whonix 15.
  • Affected functionality: Updating/upgrading the system.
  • Steps to reproduce: Update the system in a terminal.
  • Expected behavior: No error messages appear.
  • Actual behavior: The message "70 signatures not checked due to missing keys" appears.
  • Context: Curiosity.

Instead, further indicators are necessary in order to meet the threshold of a bug report.

Sample Bug Report[edit]

In many cases only developers, developers-alike and very technical users will be able to report an actual issue based upon console output. A sample, thorough bug report is given below. [2]

Table: Example Whonix ™ Bug Report

Indicator Description
Whonix ™ version All Whonix ™ 15 variants (Non-Qubes-Whonix ™ and Qubes-Whonix ™).
Affected component(s) or functionality Whonix-Gateway ™ (sys-whonix) firewall.
Steps to reproduce the behavior Enable the fail closed firewall mechanism in Whonix-Gateway ™ (sys-whonix). [3] Later on when a whonix-firewall package upgrade becomes available, networking is no longer functional after installation.
Expected behavior An upgrade of the whonix-firewall package should not break networking.
Actual behavior An upgrade of the whonix-firewall package breaks networking.
Context Running standard ("everyday") upgrade instructions.
Relevant Documentation that was consulted See below.
Any related, non-duplicate issues (bugs) None, but these resources are directly relevant:

A detailed answer to a reported issue is more likely if:

  1. Reporters exert more effort, provide detailed analysis, perform multiple web searches, and read the source code beforehand; or
  2. The reporter is a Whonix ™ contributor or developer.

Software Development Cycle[edit]

Community Feedback[edit]

The Whonix ™ project is highly receptive to genuine feedback and suggested improvements from users. Software projects flourish from community input and every suggestion is noted and considered.

The Whonix ™ community is asked to remain patient. The development cycle involves a number of competing priorities and challenges which must be overcome to achieve ambitious roadmap goals. Further, there is also an existing backlog of unresolved bugs and feature requests to address.

As Whonix ™ resources grow over time, development activity and responsiveness to user input will increase in kind.

Old Stable Support Policy[edit]

It is not uncommon for Linux Distributions to support multiple release versions. [4] The popular Debian Linux distribution on which Whonix ™ is based not only provides the stable, testing and unstable versions, but also maintains support for the old-stable version. The main reason is because it can take a long time for some organizations to plan, test and upgrade all computers when a new stable version is released. [5]

Supporting the old-stable version with continued security updates for a period of time provides flexibility when migrating to the stable version. However, even for distributions like Debian that have a large number of developers, it can be very difficult to support both the stable and old-stable versions. This is evident by the limited time that the old-stable version is supported after the new stable is released - currently around one year on average. [6]

Providing extended support for previous stable versions is preferred for both large and small projects alike, but this is infeasible for Whonix ™ due to limited human resources. The reason is the vast majority of developer time must be focused on core components of the stable release version, otherwise providing support for both stable and old-stable would unduly stall its development. Therefore, without a significant increase in funding or manpower, the maintenance of two stable release versions is unlikely in the near or distant future.

Package Upgrade Policy[edit]

Prior to Whonix ™ 14, tickets that were resolved on the Whonix ™ issue tracker were not automatically pushed to the stable (or even developer) version of Whonix ™. This meant stable package upgrades were rare -- unless critical security security vulnerabilities were discovered -- thereby entirely avoiding the risk of destabilizing the Whonix ™ platform and necessitating manual user fixes. Fixes noted on the issue tracker generally only became available to all users after the next stable version release.

Whonix ™ 14 and later releases have transitioned to a rolling distribution, meaning far more frequent updates will filter through to the stable, stable-proposed-updates, testers and developers repositories. Advanced users who do not wish to wait for package updates can of course manually apply fixes to the relevant package(s) before that time. [7]

Phabricator issue tracker labels can be interpreted as follows:

  • Reviewed: "Completed in the latest source code version of Whonix" (but not released). Further testing is required in the next Whonix ™ developers-only or testers-only release.
  • Resolved: "Completed in the development version of Whonix".
  • There is no specific label to indicate status in the stable Whonix ™ release.

Patches are Welcome[edit]

Volunteer contributions to Whonix ™ are most welcome. All proposed patches are carefully reviewed and merged if appropriate. Volunteers with the requisite coding ability should refer to the current backlog of open Whonix ™ issues and consult with developers before undertaking any significant body of work.

Often, proposed improvements or fixes to the Whonix ™ platform are awaiting implementation due to differing developer priorities, limited human resources and/or the inordinate amount of time required to develop a particular feature or solution. In a minority of cases, the Whonix ™ team is unsure how to resolve a bug or implement a specific change / feature. [8]

It is generally unhelpful to debate the priorities laid out in the future Whonix ™ roadmap, as this diverts energy from core development. Some major suggestions might become available in the long-term or might never eventuate, such as the availability of a Live Whonix ™ CD/DVD.

Support Request Policy[edit]

Effective December 1, 2018, the policy concerning responses to support requests and concerns has changed. Whonix ™ developers will normally only respond if they are convinced an actual technical, privacy or security-related problem has been identified.

In the past, Whonix ™ developers provided answers to a wide range of reported oddities, such as console output messages that were difficult for users to understand. Unfortunately this level of attention is no longer possible, for reasons outlined in this FAQ entry.

Sample Non-issue[edit]

For example, if a user reported that the following console message appeared during an update, Whonix ™ developers would be unlikely to respond.

70 signatures not checked due to missing keys

The reason is because developers are aware this is not symptomatic of a technical problem, but rather a minor usability issue. If the user reporting the problem conducted simple Internet research, they would quickly realize the cause of the error is not Whonix ™-specific. [9]

As a reminder, most anomalies are generally harmless rather than an indication of a compromise:

If trivial changes are noticed on your system -- such as a duplicate deskop icon -- this is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.

Policy Rationale[edit]

There are several reasons for this policy shift:

  • Developer Time: Providing answers for each and every reported non-issue costs time, which could be otherwise dedicated to core development and the backlog of existing bugs.
  • Personal Initiative: Whonix ™ is Freedom Software, which means every aspect of the source code is available for review. This level of transparency allows those who spend enough time or monetary resources to analyze everything in detail. In the spirit of Freedom Software, Whonix ™ is purposefully opposed to artificial boundaries which make analysis unnecessarily more difficult. [10]
  • Feature Richness: Since Whonix ™ is based on Debian there are thousands of software packages available for use, and not all oddities can be explained due to time constraints.
  • Usability Issues: In the main, most usability issues will remain out of scope for developer attention. The reason is two-fold: either they are outside the control of the Whonix ™ project and/or it is not economically viable due to the very structure of Freedom Software development; see Linux User Experience versus Comparable Operating Systems for further information.

There are several reasons for this wiki entry. First, a link can be posted whenever necessary, thereby saving developers significant time and effort in addressing non-issues. This demonstrates acknowledgement of the report, but also signals it is not considered a serious problem at this time. Secondly, answering with a link is better than a non-answer. A nil response makes it unclear if the report has been seen or whether project development is even active.

Users are welcome to report whatever they like, but it is strongly recommended to first search the forums and Internet as per The Free Support Principle to see if it was already reported - this is often the case.

Appendix[edit]

Linux User Experience versus Commercial Operating Systems[edit]

When newcomers interact with a Linux operating system like Whonix ™, they come with certain expectations in regards to their overall experience. For the majority, expectations are based on their familiarity with Windows or macOS, since they dominate the desktop and laptop markets. [11] These commercial platforms pre-install a wide variety of popular and fully-featured applications, while the graphical user interface (GUI) is easy to use and intuitive. As a consequence, the seamless integration of new system software packages is the rule rather than the exception.

Windows and macOS users are now accustomed to an integrated experience where "everything just works". Attempts to provide a comparable experience in Linux have proven to be very difficult and the problem seems insurmountable. Many find the Linux GUI difficult to use and counterintuitive. There are software applications that are similar in design to those found in Windows or macOS, but they often lack many of the same features [12] or do not fully integrate with other packages. For Linux beginners, it might be difficult to understand how applications with similar design goals can have vastly different cross-platform functionality. Only by comparing the structural differences between a typical corporate hierarchy and a Linux distribution's collaborative effort can the discrepancies be explained.

The following table provides a simplified comparison of the major organizational structural differences.

Table: Linux Distribution vs. Commercial Operating System

Linux Distributions Commercial Operating Systems
Software Based on packages from many independent projects which develop software according to their own design goals Centralized (in-house) development with unified design goals
Funding Sources Donations, volunteer payments, grants, corporate sponsorship, professional services Revenue from software licensing [13] [14]
Funding Amount Unprofitable, most are underfunded and depend on volunteers Profitable, billion dollar profits are the norm
Authority to Issue Directives None, can only ask third party projects nicely CEO issues directives
Human Resources Community-based volunteers (limited time and human resources) In Windows' case, over 120,000 employees [15]
Popularity ~ 1.7 per cent of the desktop operating system market [16] Windows: ~ 82 per cent of the desktop operating system market [16]

macOS: ~ 13 per cent of the desktop operating market [17]

User Experience Fragmented Unified

Software Comparison[edit]

As shown in the table, Linux distributions are based on many third party projects which develop software according to their own design goals. For instance, an application might be initially developed by a volunteer for Windows and optimized for that platform. Later on, another volunteer joins the project, forks the application and ports it to the Linux platform. When these projects develop software, they do not necessarily prioritize the design goals to suit compatibility with Linux distributions.

Linux distributions can only pick software packages that are already available, meaning the selected packages might fall short of the design goals. Moreover, unlike a traditional company, distributions are not structured with a large number of paid employees. Neither do they have the authority to issue directives to third party projects to make desirable software changes. If a distribution needs package changes from an independent project, there are a few options but they all require time and patience: [18]

  • Try to understand the perspective of the third party project.
  • Politely ask the project if they would be willing to make the changes.
  • Submit code that makes sense from their point of view.
  • Patch and/or fork their software.
  • Use an alternative package from a different project.

In contrast, commercial operating systems are based on software expressly designed to provide a fully-unified user experience. While Linux distributions rely on third party packages, commercial platforms are developed in large companies with a strict corporate hierarchy. In these companies, the CEO can issue a directive to developers to make any change needed to improve the integrated experience. Any developer who lacks the necessary skills or refuses to make changes is likely to be terminated for non-compliance. The human resources department (representing the CEO) will not tolerate delays in software development, as it might threaten profits.

Funding Comparison[edit]

Linux distributions are based on Freedom Software which can be used freely by anyone. Without a software licensing fee, options to generate a reliable funding stream for development are severely limited. Unless funding is available to hire a large contingent of full-time employees, it is nearly impossible to provide a unified experience. Instead, distributions rely primarily on the goodwill of developers who volunteer their time to integrate and maintain software packages. Without a salary, the time developers can devote to the task is necessarily reduced. Although this problem is attributable to the restricted funding sources available, it has less impact for sizeable or popular distributions due to:

  • Donations or volunteer payment-based funding.
  • Professional services provided on a commercial basis such as technical support, training and consulting.
  • Developmental grants.
  • Corporate sponsorship.

On the other hand, proprietary operating systems like Windows are funded through the sale of software licenses and few barriers exist to funding growth. Licensing generates billions of dollars in revenue which is used to employ a large number of full-time developers. This in turn allows these employees to focus on developing the software packages from the ground up, while remaining focused on the primary design goal: maintaining and improving the "Windows user experience" that the community has come to expect.

Conclusion[edit]

Based on the preceding information, it is unrealistic to expect any Linux distribution to provide a unified user experience identical to Windows or macOS. Linux has gradually improved the quality and consistency of the user experience on various devices, particularly for larger and more popular distributions like Debian, Fedora and Ubuntu. However, it is impossible for most (if not all) distributions to replicate the quality found on commercial platforms. In the case of smaller distributions like Whonix ™, very limited human resources mean it is out of the question. Instead, developers must spend a large portion of their time on core functionality development.

One obvious impact is that Whonix ™ developers have limited time to answer support requests. Therefore, it is recommended to follow the advice outlined in the Free Support Principle chapter before asking for specific help. In addition, please document any steps that were used to solve problems in the forums and/or wiki, thereby supporting the co-developer concept which has been adopted by the Whonix ™ project. [19]

Footnotes[edit]

  1. This recommended format is taken directly from the Qubes OS bug tracker; for an example, see this bug.
  2. https://phabricator.whonix.org/T875
  3. So that networking is blocked if whonix-firewall.service fails to load.
  4. At the time of writing, Fedora supports 2 release versions - Fedora {29,30}; see https://fedoraproject.org/wiki/Releases#Current-supported-releases
  5. https://wiki.debian.org/DebianOldStable/#FAQ
  6. https://www.debian.org/security/faq#lifespan
  7. For example, the Whonix ™ AppArmor profiles package is a prime candidate for manual fixes, as it frequently breaks Tor Browser functionality when later browser versions are released.
  8. Some of these relate to cross-platform problems which are not Whonix ™-specific.
  9. For example, see: https://unix.stackexchange.com/questions/485349/installing-mysql-with-mysql-apt-config-missing-keys
  10. By comparison, generally the architects of complex structures like buildings or hardware (and a myriad of other professions) do not explain any technical details for free to the general public.
  11. Around 95 per cent combined.
  12. Like Skype.
  13. For example, recent Windows earnings can be found here.
  14. Most desktop computers sold worldwide come with Windows pre-installed, generating significant revenue from licensing.
  15. Microsoft Corporation: employee count from 2005 to 2018 (in 1,000s)
  16. http://gs.statcounter.com/os-market-share/desktop/worldwide/
  17. If options or features require a substantial time investment, it may be infeasible for a distribution with limited resources to implement the desired changes.
  18. It is possible to contribute in a number of ways, such as by helping to answer questions in the forums.

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Please help us to improve the Whonix Wikipedia Page. Also see the feedback thread.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.