Whonix Debian Packages

From Whonix



It is safe to run sudo apt-get autoremove so long as the specific Whonix ™ machine meta package is kept for the Non-Qubes-Whonix or Qubes-Whonix platform. In other words, these packages should not be in the list of autoremoved packages.

Non-Qubes-Whonix ™ XFCE:

Qubes-Whonix ™:

  • Whonix-Gateway ™: qubes-whonix-gateway
  • Whonix-Workstation ™: qubes-whonix-workstation

Re-install Meta Packages and Safely Run Autoremove[edit]

1. Update the package lists.

sudo apt update

2. Ensure a proper meta package is installed.

Non-Qubes-Whonix ™ XFCE:

  • Whonix-Gateway ™:
    sudo apt install non-qubes-whonix-gateway-xfce

  • Whonix-Workstation ™:
    sudo apt install non-qubes-whonix-workstation-xfce

Qubes-Whonix ™:

  • Whonix-Gateway ™:
    sudo apt install qubes-whonix-gateway

  • Whonix-Workstation ™:
    sudo apt install qubes-whonix-workstation

3. Auto remove packages.

sudo apt autoremove

4. Reconfirm a proper meta package is still installed.

Repeat step two.

5. Done.

The procedure of safely running sudo apt autoremove is complete.

Related: Whonix ™ Factory Reset

Changed Configuration Files[edit]

Be careful if a message like this appears.

Configuration file '/etc/apparmor.d/usr.bin.sdwdate'
Configuration file '/etc/apparmor.d/whonix-firewall'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** whonix-firewall (Y/I/N/O/D/Z) [default=N] ? 

For general advice, see: Changed Configuration Files. A rule of thumb is to select Y or I for packages coming from Whonix ™, and N for packages coming from other distributions. [1]

As per the previous link, always install configuration file changes for the following Whonix ™ files which are not an exception:

  • /etc/apparmor.d/usr.bin.sdwdate
  • /etc/apparmor.d/whonix-firewall

Advanced Topics[edit]

Packages FAQ[edit]

Table: Meta-packages Frequently Asked Questionss

Question Answer
What is the disadvantage of removing a meta package? The disadvantage is any changes in package dependencies will not be automatically processed by the system when it is upgraded.

For example the whonix-workstation-packages-recommended-gui meta package depends [2] on package tb-updater [archive]. If the whonix-workstation-packages-recommended-gui package is not installed, you would not notice if tb-updater was replaced [archive] with package torbrowser-launcher [archive]. tb-updater might become unmaintained, broken or even have unfixed security issues. Whonix ™ tries to keep users up-to-date if/when (security relevant) packages are deprecated. If that occurs, you could simply run sudo apt-get purge tb-updater and consider installing what the Whonix ™ meta package recommends as a replacement.

See also: Technical Information.

Which meta packages are safe to remove? Use apt-cache to see the package description.
  • Replace package-name with the package you intend to install.

apt-cache package-name

It will include either:

  • Safe to remove, if you know what you are doing.; or
  • Do not remove.

Note the Removal Instructions below! When that entry is understood, feel free to remove any desktop specific meta packages.

Which packages do Whonix ™ meta packages install? See files

Or use for example.

apt-cache show whonix-workstation-packages-recommended-gui

Which meta packages should never be removed? Do not remove any packages which include the name dependencies, unless the implications are fully understood.

TODO: document

How to uninstall qubes-core-agent-passwordless-root without also uninstalling qubes-whonix-workstation or qubes-whonix-gateway? Install [archive] dummy-dependency first, then drop qubes-core-agent-passwordless-root:

sudo apt update
sudo apt install dummy-dependency
sudo apt purge qubes-core-agent-passwordless-root

Removal Instructions[edit]

These instructions allow for safe removal of a package (in this example the uwt package). This results in meta package removal without breaking the whole system when next time running sudo apt-get autoremove.

1. Upgrade.

Upgrade the system.

2. Clean up.

If custom packages were installed and uninstalled or dependencies changed in the meanwhile, remove unneeded dependencies first.

sudo apt-get autoremove

3. Uninstall.

As an example, consider how the uwt [archive] package could be uninstalled.

sudo apt-get purge uwt

A message will appear similar to this.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  faketime libfaketime
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  qubes-whonix-workstation* uwt* whonix-shared-packages-recommended-cli*
0 upgraded, 0 newly installed, 4 to remove and 1 not upgraded.
After this operation, 302 kB disk space will be freed.
Do you want to continue? [Y/n] 

4. Keep packages installed by meta packages.

Now, there is a small issue:

  • Next time the sudo apt-get autoremove command is run, all packages listed under "The following packages were automatically installed and are no longer required:" would also be uninstalled. (Such as rads [archive] and others.)
  • In order to keep the other packages which were installed such as by the whonix-workstation-packages-recommended-gui and the whonix-shared-packages-recommended-cli meta packages, mark them as manually installed so they do not get removed. This can be conveniently achieved with aptitude. [3] [4]

sudo aptitude keep-all

5. Done.

The procedure is complete. Be sure to understand the disadvantage of this approach.

Alternatively, there might be a very crude workaround which is discussed in the following forum topic: Issues with removal of specific packages by users / builders [archive].

Technical Information[edit]

Info This section provides technical information for interested readers and can be skipped.

The underlying technical issues with meta packages are not caused by Whonix ™, but instead have been inherited from Debian. Those are also described here:

The Debian manual also provides further information about meta packages:

The Whonix ™ build script installs all packages using apt-get --no-install-recommends. [5] The --no-install-recommends option is being used to prevent installation of many additional packages that are unwanted. For example:

  • whonix-workstation-packages-recommended-gui (used to) Depends: gwenview.
  • gwenview Recommends: kamera.
  • Without using --no-install-recommends, kamera would also be installed and then pull its own Depends: as well.
  • kamera [+ dependencies] would not be useful to have installed by default on Whonix-Workstation ™ as it would cost unnecessary disk space. There are many more examples which could end up installing packages by default that are unrecommended for privacy reasons.

Since the --no-install-recommends option is used, meta packages like whonix-workstation-packages-recommended-gui must use the Depends: field and cannot use the Recommends: field. (Since no packages would be installed then.)

Even if Whonix ™ could and did use the Recommends: field, new packages added to the Recommends: field would not be installed when the meta package that Recommends: them gets upgraded. This is because packages listed after the Recommends: field only get installed during their initial sudo apt-get install package-name installation.

Some readers might notice that despite this explanation, anon-meta-packages's debian/control file uses the Recommends: field anyway. This is not a contradiction because it may be useful for a later Whonix ™ installation from Whonix ™ repository use case.

Forum discussion:
Issues with removal of specific packages by users / builders [archive]

See Also[edit]


  1. Otherwise settings affecting anonymity, privacy and security might be lost.
  2. Depends: field in debian/control
  3. [archive]
  4. It is possible to safely mix apt-get and aptitude. Raphaël Hertzog, dpkg and Debian Developer, stated in 2011 that this is not a problem anymore:

    First I want to make it clear that you can use both and mix them without problems. It used to be annoying when apt-get did not track which packages were automatically installed while aptitude did, but now that both packages share this list, there’s no reason to avoid switching back and forth.

    Source: apt-get, aptitude, … pick the right Debian package manager for you [archive]

  5. Function pkg-install-maybe in [archive].

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Whonix Debian Packages&body= link= Debian Packages link= Debian Packages link= Debian Packages%20 Debian Packages

There are five different options for subscribing to Whonix ™ source code changes.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.