Whonix Debian Packages

From Whonix


When is it safe to run sudo apt-get autoremove?[edit]

sudo apt-get autoremove is safe to run, if one of the following packages is being kept. That means if one of the following packages is not in the list of to be autoremoved packages.

Non-Qubes-Whonix ™ XFCE:

Qubes-Whonix ™:

  • Whonix-Gateway ™: qubes-whonix-gateway
  • Whonix-Workstation ™: qubes-whonix-workstation



re-install meta package and safely run sudo apt-get autoremove[edit]

1) Update the package lists.

sudo apt update

2) Make sure a proper meta package is installed.

Non-Qubes-Whonix ™ XFCE:

  • Whonix-Gateway ™: sudo apt install non-qubes-whonix-gateway-xfce
  • Whonix-Workstation ™: sudo apt install non-qubes-whonix-workstation-xfce

Qubes-Whonix ™:

  • Whonix-Gateway ™: sudo apt install qubes-whonix-gateway
  • Whonix-Workstation ™: sudo apt install qubes-whonix-workstation

3) Auto remove packages.

sudo apt autoremove

4) Make again sure a proper meta package is still installed.

Repeat step 2).

5) Done.

The procedure of safely running sudo apt autoremove is complete.

Related: Whonix ™ Factory Reset

Changed Configuration Files[edit]

Configuration file '/etc/apparmor.d/usr.bin.sdwdate'
Configuration file '/etc/apparmor.d/whonix-firewall'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** whonix-firewall (Y/I/N/O/D/Z) [default=N] ? 

Generally, see Changed Configuration Files.

Specifically for the following files:

  • /etc/apparmor.d/usr.bin.sdwdate
  • /etc/apparmor.d/whonix-firewall

Install. Press I. These files are not an an exception. These are following the general rule. Same as above link.


The following are expected and ok.

The following packages were automatically installed and are no longer required:
  whonix-workstation-default-applications-gui whonix-ws-desktop-shortcuts
The following packages were automatically installed and are no longer required:

Autoremoving those is safe.

Advanced Topics[edit]

Whonix ™ first time users warning Warning:
Advanced users only!

What is the disadvantage of removing a meta package?[edit]

Then changes in package dependencies will not be automatically processed by your system when you upgrade your system.

For example the anon-workstation-packages-recommended meta package depends [3] on tb-updater [archive]. When you do not have the anon-workstation-packages-recommended package installed, you would not notice if we replace [archive] tb-updater with torbrowser-launcher [archive]. tb-updater might become unmaintained, broken or even have unfixed security issues. We'll try to keep you up to date should we deprecate (security relevant) packages. If we do that, you could simply sudo apt-get purge tb-updater and consider installing what our meta package recommends as replacement.

See also #Technical_Stuff.

Which meta packages are safe to remove?[edit]

Use apt-cache to see the package description.

  • Replace package-name with the package you actually want to install.

apt-cache package-name

It will include either:

  • Safe to remove, if you know what you are doing., or
  • Do not remove.

Note the #Removal Instructions below! When you understood those, feel free to remove the following desktop specific meta packages.

Which packages do Whonix ™ meta packages install?[edit]

See debian/control in Whonix ™ anon-meta-packages [archive] source code folder or on github [archive] (choose the correct branch!).

Or use for example.

apt-cache show whonix-workstation-default-applications-gui

Which meta packages should never be removed?[edit]

Do not remove ...-dependencies packages, unless you really know what you are doing.

TODO: document

Why is package X installed?[edit]

Look up the package in question in developer documentation, packages documentation:

Removal Instructions[edit]

These are instructions for safe removal of a package (in this example package uwt) which would result in meta package removal without breaking the whole system when next time running sudo apt-get autoremove.

1. Upgrade.
Upgrade your system.

2. Cleanup.
When you installed and uninstalled some custom packages or dependencies changed in meanwhile, get rid of unneeded dependencies first.

sudo apt-get autoremove

3. Uninstall.
Let's see how for example the uwt [archive] package could be uninstalled.

sudo apt-get purge uwt

You will see something like this.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  anon-banned-packages anon-iceweasel-warning gpl-sources-download knetattach-hide power-savings-disable-in-vms poweroff-passwordless rads scurl shared-folder-help swap-file-creator swappiness-lowest tor-ctrl
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  anon-shared-packages-recommended* uwt* whonix-shared-packages-recommended*
0 upgraded, 0 newly installed, 3 to remove and 2 not upgraded.
After this operation, 152 kB disk space will be freed.
Do you want to continue [Y/n]? 

4. Keep.
Now, there is a small issue. Next time you were to run sudo apt-get autoremove, you would also uninstall all packages listed under "The following packages were automatically installed and are no longer required:". (Such as rads [archive] and others.) Since you most likely want to keep the other packages which were installed by the anon-shared-packages-recommended and the whonix-shared-packages-recommended meta packages, mark them as manually installed, so they do not get removed. You can conveniently do this using aptitude. [4] [5]

sudo aptitude keep-all

5. Done.
Make sure you understood the #Disadvantage.

Alternatively, there might be a very crude workaround which can be seen and discussed here: [archive]

Technical Stuff[edit]

Technical explanations why stuff is as is. Users can skip this chapter.

The underlying technical issues with meta packages are not caused by Whonix ™, are general issues Whonix ™ inherited from Debian. Those are also described here:

About meta packages:

Whonix ™ build script installs all packages using apt-get --no-install-recommends. [6] The --no-install-recommends option is being used to prevent installation of lots of packages we do not want to install. For example, anon-workstation-default-applications Depends: gwenview, which Recommends: kamera. Without using --no-install-recommends, we would also install kamera, which would then pull its own Depends: as well. kamera [+ dependencies] would not be useful to have installed by default on Whonix-Workstation ™. Would cost unnecessary disk space. And there are more examples. We might even end up installing packages by default we do not recommend privacy reasons.

Since we do use the --no-install-recommends option, meta packages such as anon-workstation-default-applications must use the Depends: field and cannot use the Recommends: field. (Since no packages would be installed then.)

Even if we could use and did use Recommends: field, new packages added to the Recommends: field would not be installed when the meta package that Recommends: them gets upgraded. This is because packages listed after the Recommends: field only get installed during their initial sudo apt-get install package-name installation.

You might notice that even though having said this, anon-meta-packages's debian/control file uses the Recommends: field anyway. This is not a contradiction. It may be useful for a later Whonix ™ installation from Whonix ™ repository use case.

Forum discussion:
issues with removal of specific packages by users / builders [archive]

See Also[edit]


  1. Ok:
    The following packages will be REMOVED:
      anon-shared-applications-kde anon-shared-desktop anon-shared-desktop-kde anon-shared-packages-dependencies anon-shared-packages-recommended anon-torchat anon-workstation-default-applications anon-workstation-packages-dependencies libcdio13 libdirectfb-1.2-9
      libgles1-mesa libiso9660-8 libjsoncpp1 libvcdinfo0 libvlccore8 non-qubes-vm-enhancements non-qubes-whonix-workstation thunderbird whonix-shared-packages-dependencies whonix-shared-packages-recommended whonix-workstation-packages-dependencies
      whonix-workstation-packages-recommended xul-ext-torbirdy
    0 upgraded, 0 newly installed, 23 to remove and 0 not upgraded.
    After this operation, 151 MB disk space will be freed.
    Do you want to continue? [Y/n]
  2. Temp:
    sudo apt-get install enigmail
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:
    The following packages have unmet dependencies:
     enigmail : Depends: thunderbird (>= 1:52.0) but it is not going to be installed or
                         icedove (>= 1:52.0)
    E: Unable to correct problems, you have held broken packages.
  3. Depends: field in debian/control
  4. [archive]
  5. Can we safely mix apt-get and aptitude? Yes, Raphaël Hertzog, dpkg and Debian Developer said already in 2011 that this is no problem anymore.

    First I want to make it clear that you can use both and mix them without problems. It used to be annoying when apt-get did not track which packages were automatically installed while aptitude did, but now that both packages share this list, there’s no reason to avoid switching back and forth.

    Source: apt-get, aptitude, … pick the right Debian package manager for you [archive]

  6. Function pkg-install-maybe in [archive].

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Whonix Debian Packages&body= link= Debian Packages link= Debian Packages link= Debian Packages%20 Debian Packages

Did you know that Whonix ™ could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.