Old Stable and Earlier Releases


About this Old Stable and Earlier Releases Page
This wiki page is maintained by a contributor.
Support Status: stable
Difficulty: easy
Contributor: torjunkie

Whonix ™ 13 Changelog

Whonix ™ 13 was released on May 31, 2016. [1] Whonix ™ 13 contains many small security and usability improvements, features and bug fixes. [2] [3]

Descriptions of changes in Whonix ™ 12 and earlier versions can be found on sourceforge.net.

All Platforms

AppArmor

  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [4]
  • Resolved AppArmor conflicts affecting Pidgin, Chromium and Evince. [5]
  • Merged AppArmor profiles for sdwdate, timesync and whonix-check into their corresponding packages and now install them by default. [6]

Bug Fixes

  • Fixed broken whonix-setup-wizard functionality. [7]

Code

  • Updated Whonix ™ code for Tor Browser tb-updater. [8]
  • Refactored the Whonix ™ socks redirection firewall rules to reduce their size and use less script code. [9] [10]
  • Refactored Whonix ™ code so that scripts only use configuration files that end with the .conf extension. [11]

Improved Functionality and Usability

  • Modified whonixcheck to test for slow or fast system clocks which prevent Tor from properly connecting. [12]
  • Implemented an explicit check for timekeeping watchdog kernel messages in whonixcheck, so users are warned about clock jumps which prevent / time-out Tor connections. [13]
  • Enforced maximized terminal windows for xdg desktop users. [14] [15]
  • Enabled Transparent Proxy Ports for Whonix-Gateway ™ by default (except for Whonix ™-Firewall). [16] [17]
  • Configured Whonix ™ to use /etc/skel instead of writing to the home folder directly to maintain forward compatibility with Qubes. Further, this allows for proper error-handling where "user" is hardcoded in Whonix ™, and a newly created account with a different name has been used. [18]
  • Deprecated the timesync progress bar and replaced it with a tray icon using sdwdate-gui to improve usability and reduce confusion. [19]
  • Created a stable-proposed-updates repository for users who want to help in testing Whonix ™ fixes, without resorting to the testers repository which comes with many more changes. [20]
  • Moved the WhonixBackupScript to the usability-misc package to make it more accessible. [21]
  • Replaced XChat with HexChat, since the former is no longer actively maintained, and created a new AppArmor profile to contain it. [22]
  • Implemented a VPN_FIREWALL feature as part of whonix-ws-firewall. [23]

Security Enhancements

  • Created a security-misc package that turns off Nautilus and Dolphin file previews by default, since this poses security risks. [24]
  • A known, good version of Tor is now maintained and uploaded to the Whonix ™ repository from deb.torproject.org. [25]
  • Uploaded the Tor 0.3.2.9 major (stable) release to the Whonix ™ repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser. [26]
  • Extended the lifetime of the Whonix ™ signing key. [27]
  • Sourced new onion services webservers for the sdwdate feature, which ensures the system's clock is correctly set for security, privacy and anonymity purposes. [28]

Qubes-Whonix ™

Bug Fixes

  • Fixed qubes-whonix-firewall systemd service start. [29] [30]
  • Implemented whonixcheck fixes for Qubes R4. [31]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [32] [33]
  • Disabled qubes-SetDateTime / qubes.SyncNtpClock in Qubes-Whonix ™ VMs since it interfered with timesync. [34]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [35]
  • Resolved an occasional error message whereby Whonix ™ templates incorrectly reported they were not connected to the Whonix-Gateway ™ ProxyVM. [36]
  • Resolved the broken anon-ws-disable-stackedtor function in Qubes-Whonix ™. [37]
  • Enforced the opening of all links from sys-whonix, whonix-gw and whonix-ws in the anon-whonix AppVM to prevent error messages. [38]

Builds

  • Corrected the build failure of Whonix-Workstation ™ template in Qubes-Whonix ™ R3.2 and added the qubes-template-whonix to continuous integration service TravisCI. [39]
  • Resolved Whonix ™ template build failures in Qubes R4 related to Tor Browser downloads. [40]
  • Changed the Qubes-Whonix ™ build process to install Whonix ™ from the Whonix ™ binary APT repository. This simplifies code, results in faster builds, removes build dependencies inside the template, and reduces the overall template size. [41]
  • Allowed the Whonix ™ build script to run as root and reworked user_name. [42]

Code

  • Removed fetching of Whonix ™ source code in qubes-template-whonix. [43]
  • Removed the qubes-update-check system service from Qubes-Whonix ™ Templates, since it was unnecessary. [44] [45]
  • Reworked / removed a number of installed packages in Qubes-Whonix ™ which are only required for the Non-Qubes-Whonix ™ desktop. [46] [47]
  • Removed the default username and password in the Qubes-Whonix ™ terminal, because it is not required. [48]

Improved Functionality and Usability

  • Ported whonixcheck and tb-updater to Qubes' qrexec-based updates proxy, since Templates are non-networked by default in Qubes R4. [49]
  • Changed the tb-updater configuration to use Qubes updates proxy, since Qubes R4 sets the NetVM of Templates to none by default. [50]
  • Implemented the ability to install Whonix-Workstation ™ and Whonix-Gateway ™ from dom0 with a sudo apt install whonix-(workstation|gateway) feature. [51]
  • Ported the bind-directories functionality upstream to Qubes. [52]
  • Implemented the new bind-directories functionality in Qubes-Whonix ™. [53]
  • Implemented a check for whether the whonix-gw ProxyVM (sys-whonix) has a NetVM which is set to "none", with a warning shown if this is the case. [54]
  • Implemented a new feature so that following an update of the Whonix-Workstation ™ Template, newly created AppVMs based on the updated Template come with an up-to-date version of Tor Browser. [55]
  • Modified whonixcheck to check if: Whonix-Gateway ™ is running in a NetVM or ProxyVM; Whonix-Workstation ™ is running in an AppVM; and to skip the test if a Template is detected. [56]

Security Enhancements

  • Prevented /usr/lib/qubes/qubes-setup-dnat-to-ns from running in Qubes-Whonix ™ to stop it from modifying firewall rules. [57]

Whonix ™ 14 Changelog

Whonix ™ 14 was released on August 6, 2018. Significantly, Whonix ™ 14 is based on the Debian stretch (Debian 9) distribution which was released in mid-2017, instead of Debian jessie (Debian 8). [58] Users now have access to numerous updated and new software packages, a more modern branch of GnuPG, and more. [59] [60] [61]

All Platforms

AppArmor

  • Fixed the whonixcheck AppArmor profile to remove continuous denied messages relating to signal. [62]
  • Fixed the AppArmor profile for obfs4proxy to enable correct functioning of Tor Bridges in Whonix-Gateway ™. [63]
  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [64]
  • Corrected the tor-controlport-filter AppArmor profile to ensure correct functioning. [65]
  • Removed the Pidgin AppArmor profile, since Pidgin is recommended against for security reasons. [66]
  • Hardened the Control Port Filter AppArmor profile. [67]
  • Disabled installation of apparmor-notify (AppArmor notifications) by default, thereby removing the reporting of mostly harmless denied messages. [68] [69]

Bug Fixes

  • Corrected the broken whonix-setup-wizard autostart on Whonix-Gateway ™. [70]
  • Fixed sdwdate-gui freezing when using right-click in the menu. [71]
  • Fixed dependency issues which prevented the whonix-setup-wizard gui from starting. [72]
  • Implemented the correct Tor --verify command for Whonix-Gateway ™ torrc configuration checks to prevent the reporting of false positives. [73]
  • Modified the uwt wrapper script to correctly handle symbolic links. [74]
  • Changed the Whonix-Gateway ™ firewall prerouting rules for socks ports so they do not interfere with trans port traffic. [75]
  • Modified whonixcheck to first test if network interfaces are up to prevent the test from failing unnecessarily. [76]
  • Fixed a whonixcheck whonix-firewall check race condition. [77]

Builds

  • Resolved genmkfile build dependencies for building Whonix-Workstation ™ and Whonix-Gateway ™. [78]
  • Confirmed the new and upgraded Whonix ™ 14 builds are identical. [79] [80]
  • Fixed debian/control parsing with respect to make_deb_build_dependencies / make_deb_runtime_dependencies. [81]

Code

  • Updated Whonix ™ code for Tor Browser tb-updater. [82]
  • Changed the bindp compile to postinstall to make it cross-platform (Qubes, 64-bit, 32-bit). [83]
  • Rewrote sclockadj in C and updated the sdwdate package to compile sclockadj. [84] [85]
  • Implemented symlinks for onion-grater profiles to maintain functionality following profile upgrades. [86]
  • Enhanced onion checking in sdwdate to improve the unit test. [87]
  • Ported msgcollector to python3 and python3-pyqt5. [88]
  • Ported whonix-setup-wizard to python3. [89]
  • Ported python-guimessages to python3. [90]
  • Rewrote sdwdate to ensure python exceptions are written to the journal. [91]
  • Rewrote control-port-filter-python to ensure exceptions are written to the journal. [92]
  • Re-added some non-essential packages to Whonix ™ that were removed from Debian stretch. [93] [94]
  • Ported helper-scripts so they instead use Tor authentication cookies. [95]
  • Ported whonixcheck check_tor_socks_port_reachability.bsh to use the Tor unix domain socket socks file. [96]
  • Ported anon-ws-disable-stacked-tor to systemd socket activation to remove unnecessary, idle socat listeners. [97] [98]
  • Removed auditd configuration folder parsing /etc/audit/rules.d/ by default, since the feature has been implemented upstream.
  • Implemented anonymous counting of Whonix ™ users via the whonixcheck Whonix ™ News function. [99] [100]
  • Implemented, but did not activate changes to the Whonix ™ firewall so: sdwdate is stopped before suspend; timesync-fail-closed mode is set before suspend; sdwdate is restarted after resume; and Whonix ™ firewall enters full mode after resume following successful sdwdate activation. [101]
  • Configured auditd to process the configuration folder /etc/audit/rules.d/ by default to aid debugging. [102] [103]
  • Implemented monitoring of changes to /var/lib/tor/lock access rights via auditd to aid debugging. [104]
  • Modified anon-ws-disable-stacked-tor to maintain Tor Browser functionality with Unix domain socket files redirection and prevent Tor over Tor scenarios. [105]
  • Configured whonixcheck to test for failed daemons. [106]
  • Implemented a sdwdate sd_notify systemd watchdog. [107]
  • Disabled systemd-resolved and instead implemented a /lib/systemd/system/systemd-resolved.service.d/ drop-in. [108]
  • Ported /usr/sbin/service to systemctl as the latter runs non-interactively. [109]
  • Disabled timedatectl network time synchronization in Debian stretch to prevent conflicts with sdwdate. [110]
  • Removed brltty, brltty-speechd and brltty-x11 since they create a local listener port which may conflict with onion-grater. [111]
  • Modified anon-ws-disable-stacked-tor systemd-unit-files-generator so it is configurable. [112]
  • Rewrote sclockadj3 in C and determined how to prevent spamming of sclockadj3 time changes to logs. [113] [114] [115] [116]

Improved Functionality and Usability

  • Implemented the major new Anon Connection Wizard feature to simplify connections to the Tor network via a Tor bridge and/or a proxy. [117]
  • Integrated the Tor Pluggable Transport meek_lite. [118]
  • Integrated anon-connection-wizard into whonix-setup-wizard, so that the latter can now start the former. [119]
  • Removed the Control Port Filter Proxy script from anon-ws-disable-stacked-tor since it is no longer required for proper Tor connections or Tor Browser functions (its functionality is now replaced by onion-grater). This means Ricochet, Zeronet and OnionShare are now compatible with Whonix ™. [120] [121] [122]
  • Installed necessary dependencies for proper ZeroNet functionality. [123]
  • Installed onioncircuits by default in Whonix-Gateway ™. [124]
  • Added --list-interface to tor-controlport-filter, as it works better with dynamic IP addresses. [125]
  • Added a /etc/tor-controlport-filter.d configuration extension feature. [126]
  • Fixed the control-port-filter-python configuration to rewrite HS_DESC replies by Tor, so OnionShare is supported. [127]
  • Merged the tor-controlport-filter by Tails for various enhancements. [128]
  • Implemented more user-friendly error messages (instead of tb-starter error handlers) when non-Whonix ™ related Tor Browser issues cause start-tor-browser to fail and exit zero. [129]
  • Implemented sane built-in defaults for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater, rads, open-link-confirmation, tb-starter and tb-updater, even if configuration files do not exist. [130]
  • Changed uwt to set AllowOutboundLocalhost / AllowInbound which can help make servers utilizing Tor onion services work. [131]
  • Implemented a sd_notify watchdog feature for onion-grater so the service is restarted if it appears to be running, but has become unresponsive. [132]
  • Created a bindp Whonix ™ package to enable Whonix-Workstation ™ applications that use Tor ephemeral onion services to bind on all interfaces as necessary. [133]
  • Modified sdwdate to check if the clock is changed "behind the back" of the program and suggest a manual user fix. [134]
  • Improved default torsocks information / warning messages when wrapped commands are invoked to reduce user confusion. [135]
  • Both Non-Qubes-Whonix ™ and Qubes-Whonix ™ are now compatible with the Tor Project's sandboxed Tor Browser. [136]

Security Enhancements

  • Confirmed functionality of the kloak anti-keystroke deanonymization tool in Whonix ™. [137] [138]
  • Identified more reliable onion servers as appropriate time sources for sdwdate, which enables correct network time synchronization for anonymity-focused distributions. [139]
  • Implemented Tails' Control Port Filter Proxy in Whonix ™ and merged recent changes since it was forked. [140] [141]
  • Fixed security and hardening (stack canary) issues with the bindp libindp.so package (which were merged upstream). [142]
  • Uploaded Tor version 0.3.3.9 (stable) release to the Whonix ™ repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser. [143]
  • Onion sources are now preferred for Whonix ™ updates/upgrades for greater security. Note: this change has been reverted due to the unreliable nature of onion connections at present - see footnote. [144]
  • Disabled the apt-timer in Debian stretch to prevent auto updates, thereby preventing the attendant security risks associated with background updates without user input. [145]
  • Disabled nautilus previews by default due to the security risks. [146]
  • Implemented uwt to set TORSOCKS_ISOLATE_PID in Debian stretch so all uwt wrapped applications are stream isolated. [147]
  • Implemented tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false" for better security and stream isolation. [148]
  • Disabled the systemd DNS resolver feature in order to reduce the attack surface and to remove the potential for adverse anonymity impacts. [149]
  • Established a dedicated Whonix ™.org repository, with appropriate redirects from Whonix ™ mirrors. [150]
  • Removed the DHCP client from Whonix-Gateway ™ and switched to a static network configuration so the dhclient is no longer present on all interfaces, including the internal network. [151]
  • Disabled VLC metadata collection by default. [152]
  • Disabled "Obey DRM limitations" in Okular, [153] since Digital Rights Management (DRM) can be used as a tracking vector. [154] [155]

Non-Qubes-Whonix

Desktop shortcuts are no longer available in Non-Qubes-Whonix ™. [156]

Bug Fixes

  • Increased the Whonix-Gateway ™ VRAM in VirtualBox from 8 to 16 MB to avoid error messages and possible video problems when using full screen mode. [157]
  • Corrected sdwdate-gui systray so it properly registers in kde systray and does not appear as a gap in the Entry column. [158]
  • Corrected the sdwdate-gui tray icon so it is visible in Debian stretch. [159]
  • Corrected the virtualization detection method to properly recognize KVM. [160]

Builds

  • Reduced the size of the default, binary Whonix ™ images by approximately 50 per cent using zerofree. [161] [162] [163] [164]

Code

  • Removed kmix-disable-autostart since it is no longer required to make sure the clipboard history icon is loaded into the system tray. [165]

Improved Functionality and Usability

  • Created the grub-live package which can run Whonix ™ as a live system. [166] [167]
  • Added Kscreen to Whonix ™ by default in order to allow DPI scaling and other basic desktop features of Plasma 5. [168]
  • Removed the VirtualBox shared folder and confirmed automounting of shares is enabled in Debian stretch. [169]

Security Enhancements

  • Moved okular from anon-shared-applications-kde to anon-workstation-default-applications so it is not installed on Whonix-Gateway ™. [170]
  • Hide the CPUID in VirtualBox 5 by setting generic values via HostCPUID. [171]

Qubes-Whonix ™

Bug Fixes

  • Implemented whonixcheck fixes for Qubes R4. [172]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [173] [174]
  • Resolved non-functionality of Tor Browser due to jemalloc corruption. [175]
  • Resolved segfaults in Tor Browser caused by excessive string length in the XDG_CONFIG_DIRS environment variable. [176]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [177]
  • Corrected dependencies in the qubes-whonix package to resolve issues when upgrading to Debian stretch. [178]
  • Fixed a corridor lintian warning on Debian related to systemd documentation. [179]
  • Resolved error messages associated with tput using an empty TERM environment variable. [180]
  • Resolved the failure of tb-updater to copy Tor Browser into the user's home directory on first VM startup in Qubes R4. [181] [182] [183]
  • Implemented the correct appmenus for Qubes-Whonix ™ 14 Templates and fixed missing appmenu entries. [184] [185]
  • Resolved the false positive timedatectl error message when using whonixcheck. [186]
  • Corrected the absent 'Connected to Tor.' message, which arose due to a missing notification daemon. [187]
  • Resolved non-persistence of files in /usr/local, such as the Tor configuration file. [188] [189]
  • Implemented a qvm-features-request whonix-ws=1, so that newly created Whonix-Workstation ™ AppVMs inherit the anon-vm tag. [190] [191] [192]
  • Created qubes-core-admin-addon-whonix to enforce the anon-vm tag for newly created Whonix-Workstation ™ AppVMs. [193]
  • Removed redundant warning messages affecting Whonix-Workstation ™ DisposableVMs that related to the first invocation of an open-link-confirmation. [194]
  • Fixed an APT package issue whereby some users were downgraded to a known vulnerable version. [195] [196]
  • Corrected an aptitude update failure which affected all Qubes-Whonix ™ VMs. [197]
  • Installed Tor Browser by default in Whonix-Workstation ™-DisposableVMs, as it was previously missing upon VM launch. [198]
  • Fixed the periodic failure of Whonix-Workstation ™ AppVMs to start correctly, which prevented the launch of any user applications. [199]
  • Fixed an error which caused /etc in Qubes-Whonix ™ templates to be owned by user:user. [200]

Builds

  • Corrected the build failure of the Whonix-Workstation ™ template in Qubes-Whonix ™ R3.2 and added qubes-template-whonix to the continuous integration service TravisCI. [201]
  • Removed older unstable Whonix ™ 14 builds from Qubes' unstable repository. [202]
  • Resolved unexpected build failures. [203]
  • Removed Whonix ™ 14 templates from Qubes' unstable repository, since testing versions now reside in qubes-templates-community-testing. [204]
  • Backported versioning of Whonix ™ template names from Qubes R4 to Qubes R3.2 to simplify the installation procedure for users on the earlier platform. [205]

Code

  • Removed cups and system-config-printer from Whonix-Workstation ™, since printing capabilities are better suited to alternate VMs and this also removes a local TCP listener that is otherwise created. [206]
  • Corrected anon-meta-packages compatibility for Qubes R3.2 and R4. [207]
  • Installed pulseaudio-qubes for audio support and removed pulseaudio and VLC from sys-whonix. [208]
  • Created a qvm-features-request whonix-gw=1 as a prerequisite for sdwdate-gui-qubes. [209]

Improved Functionality and Usability

  • Confirmed full Qubes-Whonix ™ compatibility with Qubes R4. [210]
  • Confirmed Qubes-Whonix-Workstation has full DispVM support. [211]
  • Created a tb-updater storage path for Qubes R4 so new AppVMs and DisposableVMs have a copy of the latest Tor Browser version. [212] [213]
  • Created Qubes-Whonix ™ 14 SaltStack state files with flexible versioning for future releases. [214] [215]
  • Modified Qubes-Whonix ™ Salt code so the repository is not hard-coded, allowing users to choose either the qubes-templates-community or qubes-templates-community-testing repository. [216]

Licensing

  • Added a COPYING file to the Qubes-Whonix ™ template repository to assure users they are covered by a free software license. [217] [218]

Security Enhancements

  • Added Qubes-Whonix ™ tags on domain-load rather than upon VM creation to avoid missing tags for users that upgrade. [219]

Whonix ™ 14 Updates

As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.

Documentation

Website Fixes and Outreach

  • Website fixes: implemented the proposed download directory structure as well as download redirects, stable download links and permalinks. [243]
  • Implemented numerous mediawiki fixes for better website presentation. [244]
  • Opened a Peertube video channel. [245] [246]
  • Updated Release Announcements to collate all places where this should be posted. [247]
  • Post Whonix release announcements in crypto currency Reddit forums. [248]
  • Researched social media strategies to increase Whonix ™ awareness. [249]
  • Established mirroring of all Whonix ™ announcements. [250]
  • Bookmarked the outreach workboard. [251] [252]
  • Signed the Whonix ™ developer team up to various developer mailing lists. [253]

All Platforms

AppArmor

  • Corrected the dnscrypt-proxy AppArmor profile for full functionality. [254]
  • Removed unnecessary and extensive capabilities from the Tor Browser AppArmor profile. [255] [256] [257]
  • Amended the Tor Browser AppArmor profiles so 8.* versions correctly launch. [258] [259]
  • Added capability sys_module to whonixcheck because it is required for ifconfig. [260] [261]
  • Added a wildcard for non-Tor or modified Tor Browser Bundles. [262] [263]
  • Deprecated /etc/apparmor.d/home.tor-browser.start-tor-browser due to broken functionality. [264]
  • Added various permissions to the XChat AppArmor profile for greater functionality. [265]

Bug Fixes

  • Implemented an automated /var/lib/tor permission fix. [266] [267]
  • Installed the missing pinentry-qt package so Enigmail decryption is functional. [268] [269]
  • Fixed the Whonix custom firewall settings start menu entry in Whonix XFCE. [270]
  • Fixed the false-positive "Tor Browser not installed" message in tb-starter. [271]
  • Onion-grater: fix Tor control auth cookie authentication even if HashedControlPassword is set. [272]
  • Fixed output when using open-link-confirmation. [273]
  • Change etc/.skel to etc/skel/Downloads in all code. [274] [275]

Builds

  • Released new Whonix 14 builds to address the APT security update bug. [276] [277]

Code

  • whonixcheck: grep journal for "fail", "error" and "denied". [278]
  • Re-implemented Tor Browser local version number detection. [279]
  • Decided against virtualizer configurations which attempt to hide the CPU model. [280] [281] [282]
  • Moved kcalc, okular, gwenview, kgpg, libkf5kipi31.0.0 and libkf5kipi-data from hardened-desktop-applications-kde to non-qubes-whonix-workstation-kde and qubes-whonix-workstation. [283]
  • Simplified code by using apt-key rather than custom code when adding a gpg key. [284]
  • Fixed the mime type in whonix-repository. [285]
  • Refactored the whonixcheck code and included an option to show "sudo apt-get-update-plus dist-upgrade" if it is available. [286] [287]
  • Ported the IP check in whonixcheck to https://check.torproject.org/api/ip. [288]
  • sdwdate-gui: permission lockdown, fixed merge conflicts, avoidance of 'clock is fast' false positives and other miscellaneous fixes. [289] [290] [291] [292]
  • anon-ws-disable-stacked-tor: set 'restart' rather than 'start' to support running scripts. [293]
  • Added a mechanism to add variables to Debian packaging maintenance scripts. [294] [295]
  • Thunderbird is no longer installed by default in Whonix ™. [296] [297]
  • Beautified the Whonix landing page for Tor Browser v8.0+. [298] [299]
  • Implemented use of /usr/lib/helper-scripts/terminal-wrapper rather than hardcoding Konsole. [300] [301] [302] [303]
  • Deprecated anon-workstation-extra-applications, anon-workstation-langpack-common and anon-shared-desktop-langpack-kde. [304] [305]

Improved Functionality and Usability

  • Changed (Qubes-)Whonix default applications from KDE to XFCE. [306] [307] [308]
  • Installed magic-wormhole by default as an OnionShare alternative. [309] [310] [311]
  • Set mousepad as the default editor for sudoedit. [312] [313]
  • Added support for XFCE, thunar and gksudo in Whonix-Gateway. [314]
  • Allow multiple flashproxy ports in Whonix firewall. [315] [316] [317] [318]
  • Disabled Whonix ™ onion apt sources by default due to unreliability. [319] [320] [321]
  • Added a new branch for compression/decompression tools. [322] [323] [324]
  • Implemented support for the new Snowflake pluggable transport in Anon-Connection-Wizard. [325]
  • Implemented the Tor Controller GUI in Whonix ™ with various fixes. [326]

Security Enhancements

  • Removed mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 due to the fingerprinting risk. [327] [328]
  • Run whonixcheck in Whonix-Workstation on first time boot. [329] [330]
  • Added a spectre/meltdown test to whonixcheck. [331] [332]
  • Enforce connections to deb.debian.org instead of us.debian.org and now use https (SSL/TLS) by default, as well as fixing build --connection onion. [333] [334]
  • Implemented optional tb-updater onion mirrors download support. [335] [336]
  • Corrected systemd hardening for onion-grater. [337]
  • Added systemd sandboxing for sdwdate. [338]
  • Enforced tor+http in apt sources lists to make use of apt-transport-tor. [339] [340] [341] [342]
  • Disabled uncommon network protocols for improved security. [343] [344] [345]
  • Added a Bitcoin Core onion-grater profile. [346] [347] [348] [349]

Non-Qubes-Whonix

Bug Fixes

  • Disabled KDE session restoration to prevent VirtualBox error notifications upon boot in either Whonix-Gateway or Whonix-Workstation. [350] [351] [352]
  • Start the KDE desktop session login with an empty session / resolve the kdesudo error popup window related to sdwdate-gui. [353]
  • Fixed the Whonix-Gateway XFCE / CLI keyboard layout error. [354]
  • Fixed a lintian error for sdwdate-gui / missing xml files for specific desktop environments. [355] [356] [357]

Code

  • Closed all KDE-related requests and bug fixes following the shift to XFCE. [358] This includes:
    • Change default application to not use kmail. [359]
    • Change KDE theme and KDE mouse theme. [360]
    • Disable the Baloo file indexer. [361]
    • Add /media to desktop icons. [362]
    • Add /media to pinned places in Dolphin. [363]
    • Disable/remove KDE system and network settings. [364]
    • Disable web shortcuts. [365]
    • settings-plasma search/configure search configurations from Whonix-Gateway. [366]
    • Non-Qubes-Whonix KDE plasma 5 fixes. [367]
  • Implemented numerous XFCE fixes: Whonix builds, desktop shortcuts, xfce4-terminal, related meta-packages and general fixes. [368] [369] [370]
  • Created a configuration file for Whonix XFCE Desktop. [371]
  • Updated the check for installed meta packages for Whonix XFCE and Whonix CLI. [372]
  • Removed pulseaudio from hardened-desktop-applications-xfce. [373]
  • Removed Ristretto from hardened-desktop-applications-xfce. [374] [375]
  • Deprecated non-qubes-vm-enhancements-gui. [376] [377]
  • Merged whonix-shared-packages-recommended-cli into whonix-shared-packages-dependencies-cli. [378]
  • Port to and take ownership of /etc/xdg/xfce4/xfconf/xfce-perchannel-xml. [379] [380] [381]
  • Modified whonix-firewall to remove the old IP 192.168.0.10 reference in non-qubes-whonix-gateway. [382]
  • Minimized VirtualBox Whonix-Gateway CLI differences with non-qubes-whonix-workstation cli. [383] [384]

Improved Functionality and Usability

  • Implemented Whonix for arm64 / Raspberry Pi (RPi). [385]
  • Implemented a unified Whonix download rather than separate Whonix-Gateway / Whonix-Workstation downloads. [386] [387] [388]
  • Re-enabled hidden files and volume management. [389]
  • Whonix Setup Wizard: added instructions on how to change keyboard layout in XFCE. [390]
  • Added mupdf and Ristretto to non-qubes-whonix-workstation-xfce. [391]
  • Show the pulseaudio plugin by default. [392]
  • Increased Whonix-Workstation VRAM in Non-Qubes-Whonix to 2GB to improve performance. [393] [394]

Security Enhancements

  • Disabled maximizing of the Tor Browser window when moving to the top of the screen. [395] [396]
  • Disabled previews / thumbnails in Thunar for better security. [397]

Qubes-Whonix ™

Bug Fixes

  • Corrected Tor Browser in whonix-ws-14 based VMs sometimes blocking JavaScript on first start. [398] [399] [400]
  • Qubes templates: removed the broken graphical updater (Apper). [401] [402]
  • Resolved the command failure when running qubesctl state.sls qvm.anon-whonix. [403] [404]
  • Added missing Whonix tags anon-vm / anon-gateway to user-created, Whonix-based VMs. [405] [406]
  • Fixed failure of Whonix-Gateway to respond after an update. [407] [408]
  • Corrected an update error caused by an expired release file. [409]
  • Corrected a false whonixcheck notification about outdated packages after performing an in-place upgrade. [410]

Builds

  • Amended builder.conf so template build commands are not ignored. [411]
  • Deprecated Whonix 13. [412]

Code

  • Set $tag:anon-vm $anyvm deny in template-whonix-ws.sls. [413]
  • Removed the default installation of emacs and vim. [414]
  • Modified the Spectre / Meltdown check so it only runs in Qubes R4 and above. [415]

Security Enhancements

  • Confirmed Qubes-Whonix ™ TemplateVMs cannot upgrade in timesync-fail-closed mode. [416]
  • Confirmed the efficacy of jitterentropy random number generation in Xen. [417]

Whonix ™ 15 Changelog

Whonix ™ 15 was released on July 1, 2019. [418] Significantly, Whonix ™ 15 is based on the Debian buster (Debian 10) distribution, which was officially released on July 6, 2019, rather than on Debian stretch (Debian 9). The buster release has nearly 60,000 packages and over 62 per cent of them were updated [419] [420] -- see the official Debian 10 release notes to learn more.

All Platforms

Bug Fixes

  • Fixed file saving issues in scurl wrappers. [421] [422] [423]
  • Fixed the partial truncation of text in Whonix Connection Wizard. [424]
  • Installed cryptsetup by default so errors do not appear when using a GUI and interacting with encrypted containers. [425] [426] [427]

Builds

  • Ported the build script to cowbuilder; build packages in chroot and use mmdebstrap for better security. [428]

Code

  • Modified whonixcheck so it suggests starting networking / onion-grater if it is not running. [429]
  • Improved the /usr/share/sdwdate/unit_test. [430] [431]
  • Improved the sdwdate Tor consensus message. [432]
  • Confirmed the sanity of systemd DNS after porting to Debian buster. [433]
  • Established sane built-in defaults even if configuration files do not exist. [434] [435]
  • Updated the onion list time sources for sdwdate so that offline and unwanted onions are removed. [436]

Improved Functionality and Usability

Security Enhancements

Non-Qubes-Whonix

Bug Fixes

  • Corrected a VirtualBox error related to guest utils not starting. [456] [457]

Builds

  • Significantly reduced the size of Non-Qubes-Whonix images using zerofree. [458]

Improved Functionality and Usability

Security Enhancements

Qubes-Whonix ™

Bug Fixes

  • Correctly configured Qubes-Whonix ™ Xfce default start menu entries (whitelisted appmenus). [475]

Builds

  • Created Qubes-Whonix 15 template configuration files. [476] [477]
  • Confirmed the Whonix-15-gateway template builds. [478]

Improved Functionality and Usability

  • Simplified instructions for VM kernel in Qubes-Whonix ™ by installing the same recommended Qubes packages as Qubes Debian packages. [479] [480]
  • In DisposableVMs, tb-updater / tb-starter was modified to no longer copy Tor Browser to the user home directory at first boot -- /var/cache/tb-binary is now directly used to improve startup performance. [481] [482]

Security Enhancements

  • Confirmed Qubes-Whonix ™ TemplateVMs cannot upgrade in timesync-fail-closed mode. [483] [484]

Whonix ™ 15 Updates

As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.

Info: The majority of the enhancements below also apply to Qubes-Whonix ™. Exceptions include:

Many of these will be possible once the use of in-VM kernels is simplified and promoted in Qubes OS. [486] [487]

All Platforms

In 2019, point releases were announced on 10 September, 22 and 23 November. [488] [489] [490] [491] In 2020, point releases were announced on 16 and 27 February, 19 and 21 March, 29 May, 10 and 18 June, 27 August, 7 and 17 and 30 September, and 17 December. [492] [493] [494] [495] [496] [497] [498] [499] [500] [501] [502] [503] [504] In 2021, point releases were announced on 17, 19, 22 and 27 April, 9 and 12 July. [505] [506] [507] [508] [509] [510] [511]

AppArmor

apparmor-profile-everything:

  • Further development of AppArmor for everything: APT, systemd, init, all systemd units and all applications. [512] [513] [514]
  • Implemented proper whitespace handling. [515] [516]
  • Fixed various denial errors. [517]

apparmor-profile-torbrowser:

Other AppArmor improvements:

  • Implemented AppArmor Live Mode fixes and various enhancements. [519] [520]
  • Numerous AppArmor profile enhancements were added.
  • Added a new apparmor-watch tool to check for DENIED and ALLOWED log messages. [521]
  • Implemented apparmor-info which parses AppArmor denial logs to hide unnecessary information and remove duplicates. [522]

Bug Fixes

anon-apps-config:

  • Disabled GPG default key servers. [523]
  • Removed SecBrowser code since it is deprecated. [524]

anon-connection-wizard:

  • Updated usr/share/anon-connection-wizard/bridges_default from ~/tor-browser/Browser/TorBrowser/Data/Tor/torrc. [525]
  • Fixed error handling. [526]
  • Minor non-Whonix reliability fix. [527]
  • Modified wording to be similar to the newer tor-launcher. [528]
  • Partial fix for meek lite in Whonix ™. [529] [530]
  • Added /usr/lib/anon-gw-anonymizer-config/edit-etc-resolv-conf as another part of fixing meek lite in Whonix ™. [531] [532]
  • Fixed anon-connection-wizard truncated text.
  • Fixed a bug in Whonix 15.0.0.8.9 where anon-connection-wizard added %include /etc/torrc.d/95_whonix.conf to the /etc/tor/torrc configuration file even though Whonix was already ported to %include /etc/torrc.d/
  • Fixed some “unknown connection tag” messages in Whonix-Gateway.
  • Fixed default bridges. [533] [534]

anon-gw-anonymizer-config:

  • Reload apparmor profiles after installation to make the package work -- a reboot is no longer required. [535]
  • Partial meek lite fix in Whonix ™ -- added /usr/lib/anon-gw-anonymizer-config/edit-etc-resolv-conf. [536] [537]

anon-meta-packages:

  • Fixed ristretto missing thumbnails and popup by installing tumbler by default -- added “Depends: tumbler” to whonix-workstation-packages-recommended-gui. [538] [539] [540]
  • OnionShare is no longer installed by default. [541] Debian buster -- which Whonix ™ 15 is based on -- packages version 1.3.2. This only supports legacy v2 onions which are being phased out and deprecated on July 15th, 2021. [542] [543] The Flatpak installation method is recommended at this time.
  • Bumped python-msgpack to python3. ZeroNet now uses python3 and python2 is removed from Debian as of bullseye. [544]
  • Split the repository-dist GUI / CLI dependencies. [545] [546]

anon-ws-disable-stacked-tor:

  • Fixed "Firefox is offline" messages in Tor Browser 10.5a17 and above. [547]

Various fixes for I2P inside Whonix-Workstation: [548] [549]

  • Preparation for installation of i2p by default.
  • Do not autostart i2p.service if installed.
  • Do not autostart privoxy.service if installed.
  • Do not autostart i2p.service in Qubes Template.
  • Do not autostart privoxy.service in Qubes Template.
  • Fixed the i2pbrowser local browser homepage.

open-link-confirmation:

  • Remove SecBrowser code since it is deprecated. [550]

Qubes-Whonix:

security-misc:

  • Fixed security-misc to allow group sudo and console to use consoles.
  • No longer unconditionally abort pam for user accounts with locked passwords.

tb-default-browser:

  • Removed SecBrowser code since it is deprecated. [552]

tb-starter:

  • Removed SecBrowser-specific code since it is deprecated.
  • Added custom user.js support. [553]
  • Updated Tor Browser Integration. [554]
  • Fixed a tb-starter bug.

tirdad:

  • Load tirdad before LKRG so LKRG does not judge tirdad to be malicious. [555]
  • /etc/modprobe.d/30-tirdad.conf (softdep p_lkrg pre: tirdad): imported from the LKRG package since it does not belong there and because Debian packaging for LKRG is now provided by upstream.

/usr/lib/anon-gw-anonymizer-config/torrc-d-cleaner:

  • During package upgrades of anon-gw-anonymizer-config, avoid moving /etc/torrc.d/95_whonix.conf to /etc/torrc.d/backup/95_whonix.conf.dpkg-new. [556]

whonix-firewall:

  • Miscellaneous improvements. [557]
  • Remove deprecated variable SOCKS_PORT_TBB_GPG. [558]
  • Whonix-Gateway firewall: implemented INTERNAL_OPEN_PORTS.
  • Deprecated support for SOCKS_PORT_CUSTOM=" 9230 " syntax; use INTERNAL_OPEN_PORTS+=" 9230 " instead.
  • Refactoring / code simplification. [559] [560]
  • Fixed denial errors. [561]

Other fixes:

  • Fixed whonixcheck msgcollector permission errors.
  • Corrected authentication failures related to Anon Connection Wizard and Whonix ™ repository. [562]
  • Resolved the APT error relating to Debian's suite value changing from 'testing' to 'stable'. [563]
  • Fixed starting pkexec-based applications from start menu, such as gdebi, synaptic and gparted. [564]
  • Added an encrypted swap file to the system to avoid Whonix-Gateway freezing (for systems with low RAM) during the apt full-upgrade procedure. [565] [566] [567]
  • Worked around a NoScript race condition that permitted JavaScript on around 30 sites in Tor Browser when the Security Slider was set to Safest. [568] [569]
  • Prevented the keyboard-configuration debconf popup during apt full-upgrade. [570] [571]
  • Implemented a command-not-found permission fix to avoid the WARNING:root:could not open file '/etc/apt/sources.list' message. [572] [573]
  • Fixed the bug parsing torrc.d twice.
  • Added x11-xserver-utils to kicksecure-desktop-environment-essential-gui to fix Xfce logout button. [574]
  • Disabled vm.unprivileged_userfaultfd=0 because it is currently broken. [575] [576] [577]
  • pkexec wrapper: fixed gdebi / synaptic but at the cost of checking for passwordless sudo /etc/sudoers /etc/sudoers.d exceptions. [578]
  • SecBrowser / i2pbrowser: no longer use firejail by default even if installed since it is not currently maintained by a contributor in Whonix / Kicksecure.
  • Fixed an onioncircuits error report related to user permissions. [579] [580]
  • Added an ENOUGH_RAM setting to swap-file-creator (1950 MB RAM default), so if there is enough RAM a swap file is not created (improving boot time). [581]
  • first-boot-skel: fixed /etc/skel/.bashrc to /home/user/.bashrc handling if the home folder is completely empty.
  • Disabled the Tor Browser security slider question at first start because it is broken. [582]
  • Disabled proc-hidepid due to pkexec issues.
  • Removed command-not-found from the default package installation, since it is not working out of the box which leads to confusing error messages. [583] [584]
  • Ensured consistent parsing of /usr/local/etc/name.d for applications by Whonix that also parse /etc/name.d. Parsing /rw/config/name.d is still possible for compatibility but will be deprecated.
  • Fixed adduser -- no longer writing to /nonexistent.
  • Set the environment variable QMLSCENE_DEVICE=softwarecontext (in VirtualBox, and also after upgrades in KVM) to work around a VM-specific Monero bug.
  • Implemented a sdwdate python 3.7 fix if the host timezone is set to something other than UTC.
  • Fixed a false positive live mode detection in live mode indicator.
  • Fixed update-torbrowser not seeing version 10.0.6 due to a new, upstream version format. [585]
  • Tor Browser Starter by Whonix Developers: fixed opening URLs which contain question marks and added more folder permission checks.
  • ro-mode-init: fixed the non-functional Live Mode Indicator. [586]
  • Fixed Thunderbird connectivity out of the box with a torbirdy replacement.
  • qtox is no longer installed by default. [587]
  • Disabled the following Tor stream isolation ports since the related applications in Whonix have been deprecated:
    • Mixmaster update (9120)
    • Mixmaster (9121)
    • Privoxy (9112)
    • Polipo (9113)
    • TorChat (9119)
    • Tor Browser Updater by Whonix Developers gpg key download (9116) [588]
    • Tor Messenger (9153)
  • Installation no longer requires auditd by default. [589] [590]
  • kicksecure-meta-packages: Fixed missing ristretto thumbnails and popup by installing tumbler by default -- this adds “Depends: tumbler” to whonix-workstation-packages-recommended-gui. [591] [592] [593]

Builds

kicksecure-meta-packages:

  • Removed os-prober from non-qubes-vm-enhancements-cli since it is only useful for multi-boot which is rarely done inside VMs because it can cause build issues. [594]
  • Split repository-dist GUI / CLI dependencies. [595] [596]
  • Removed SecBrowser code since it is deprecated. [597]

repository-dist:

  • Reduced dependencies for CLI version; split dependencies into repository-dist (CLI) and repository-dist-wizard (GUI). [598] [599]

Whonix Build Script:

  • Ported onion support from onion v2 to onion v3.
  • Mac M1 / arm64 architecture support development. [600]

Other changes:

Contentious Changes

  • Tor Browser Updater (by Whonix developers): reduced old versions being kept to 0 in /var/cache/tb-binary.

Developer Notes

anon-base-files:

  • Do not create a home folder during postinst.
  • Leave user user creation to Qubes.
  • Fixed and actually use --no-create-home.

repository-dist:

  • The same GPG signing key is now used with new e-mail addresses. [606]

sdwdate:

  • Split Anon Meta Packages into Anon Meta Packages (Whonix) and Kicksecure ™ Meta Packages.
  • Renamed whonix-repository to repository-dist.
  • Renamed setup-dist to setup-dist.
  • Renamed whonix-setup-wizard to setup-wizard-dist.
  • Renamed whonixcheck to systemcheck.
  • Ported to onion v3. [607] [608]
    • Removed all v2 onion sources.
    • Ported to onion v3 onion sources.
  • Restored MAX_FAILURE_RATIO=0.34 since enough v3 onions are available. [609] [610] [611]
  • Added /usr/share/sdwdate/onion_test_confirm; this is a script to check if onions correspond to archived link. [612]
  • Moved comment field rules to Sdwdate: Comment Field Rules. [613]
  • Changed the onion source comment format; the archived link now appears first. [614]
  • Implemented a more human-readable format. [615]
  • Config test changes. [616]
  • Implemented arm64 architecture support fixes. [617]
  • Fixed onion_tester. [618]
  • Split arch-specific syscalls from the base whitelist. [619]
  • Added one more SystemCallFilter syscall for arm64. [620]
  • Added extra SystemCallFilter syscalls required for restarting sdwdate on arm64. [621]
  • Fixed systemd sandboxing for the arm64 platform. [622]
  • Fixed systemd sandboxing for the powerpc64 / ppc64el platform. [623] [624]

developer-meta-files:

  • prepare_release: added libvirt raw image support and multiple platform support. [625]

Other changes:

  • Added anon-base-files to whonix-host-xfce-kvm-freedom.
  • Added hardened-malloc to hardened-packages-dependencies-cli.
  • Removed unneeded dependency live-config-systemd.
  • No longer depend on logrotate.
  • Whonix Development News
  • Significant progress regarding Whonix-Host development.
  • Whonix is slowly migrating from GitHub to GitLab. [626] [627]

Documentation

Multiple, new wiki chapters:

Multiple wiki improvements/enhancements:

Improved Functionality and Usability

anon-apt-sources-list:

anon-connection-wizard:

  • Updated the default bridges in anon-connection-wizard from The Tor Project [638] and removed ‘-max 3’ from the snowflake command.
  • Removed the deprecated obfs3 bridges option from Anon Connection Wizard.

anon-consensus-delete:

anon-log:

  • Created the new anon-log command line utility.
  • anon-log simplifies the manual dump Tor log command by only showing relevant log entries and no non-issues.

anon-verify:

  • Report extraneous Tor configuration files (files that do not end with file extension .conf).
  • Ignore file names starting with dot (.) [640]
  • Ignore subfolders when using %include /path/to/folder [641]
  • Fix checking of all files in torrc.d folders for issues.

binaries-freedom:

  • Upgraded the Bitcoin Electrum wallet to version 4.1.2. [642]
  • Added ThomasV signing key. [643]
  • Added SomberNight signing key. [644]
  • Updated to version 4.1.4. [645]

helper-scripts:

  • Added apt-key-install. [646] This is a utility to install an APT signing key to the system. The input file can be a GPG key in either ASCII-armored or binary format. [647]

genmkfile:

  • Changed the output of genmkfile deb-chl-bumpup-manual. [648]

gvfs:

  • Installed gvfs by default: [649] [650] [651] [652] [653]
  • Fixed access to LUKS encrypted USB drive with Thunar.
  • Added gvfs to kicksecure-desktop-applications-xfce.

helper-scripts:

  • Added the initramfs-debug-enable debugging tool which enables xtrace (set -x). [654]
  • Removed unnecessary cat calls. [655] [656]
  • Disabled running anondate-get as diagnostic utility since it cannot currently be run due to no new privs apparmor issues with the sdwdate apparmor profile. [657] [658]

Monero:

  • Installed Monero GUI by default in Whonix-Workstation.
  • Upgraded the monero-gui package to version 0.17.2.1. [659]

onion-grater:

  • Added new command line tools onion-grater-add / onion-grater-remove, which simplify instructions that require onion-grater configuration changes.
  • Removed Whonix specificity from onion-grater. [660]
  • Simplified and updated 40_bitcoind.yml so it works with bitcoind v0.21. [661] [662]
  • Added Wahay profile. [663]
  • Added changes for arm64. [664]

Onion services authentication: [665]

sdwdate-gui:

  • Ported from tor-control-status tor_status to anon-connection-wizard and fixed minor confusing log output. [666] [667]
  • Disabled systemcheck “Connecting to Tor…” and “Connected to Tor.” messages in favor of sdwdate-gui. [668]

security-misc:

  • Implemented systemd RemainAfterExit=yes for better usability. [669] [670]
  • PAM aborts when attempting to log in as root when the root password is locked.

systemcheck:

  • Depends: replaced bsdtar with libarchive-tools. [671] [672]
  • Improved the text. [673] [674]
  • Added a check for deprecated derivative (Whonix or Kicksecure) versions. [675] [676]
  • Ensured Kicksecure ™ compatibility.
  • Fixed telling if Tor is disabled. [677]
  • Added a Package Manager Consistency Check. [678] [679]
  • Reordered tests. [680]
  • Fixed the AppArmor profile for ppc64le. [681]

tor-control-panel:

  • Removed obfs2 and obfs3. [682]
  • Utilize the same default bridges as anon-connection-wizard. [683]

Tor:

  • Upgraded Tor to version 0.4.2.6-1, 0.4.3.5, 0.4.5.7 and then again to version 0.4.5.9 in a later release. [684] [685] [686]

tb-updater:

  • Upgraded Tor Browser to version 10 and later releases in this series.
  • Set alpha tbb_hardcoded_version="10.5a16". [687]
  • Set tbb_hardcoded_version="10.0.18". [688]
  • Utilize the Heikki Lindholm GPG signing key for digital signature verification of arm64 builds from sourceforge.net created by Heikki Lindholm. [689] [690]
  • Added the Heikki Lindholm GPG signing key for arm64 builds. [691] [692]
  • Created an arm64 port. [693]
  • Added arm64 platform support. [694] [695] [696]
  • Updated the signing key. [697] [698]
  • Fixed DispVM mounting. [699] [700]
  • Updated to Tor Project onion v3 for --onion. [701]
  • Depends: replaced bsdtar with libarchive-tools. [702] [703]

Tor Browser Downloader configuration options:

  • Added --onion to optionally download over onions.
  • Added --alpha to optionally download alpha rather than stable versions.

usability-misc:

uwt:

  • Now guess and tell the user which package needs installing. [706] [707]
  • Improved output. [708] [709]

VirtualBox:

whonix-libvirt:

Other changes:

  • Added support for OnionShare “bundled Tor”.
  • Packaged str_replace for literal search and replace functions.
  • Display the pulseaudio plugin by default.
  • Added arc-theme, gnome-themes-extra, gnome-themes-extra-data and gtk2-engines-murrine for better visual presentation and a more modern look.
  • Set SUDO_EDITOR="mousepad" if: mousepad is installed and the environment variable SUDO_EDITOR has not already been set.
  • Full /etc/torrc.d/*.conf configuration snippet drop-in folder support. [715]
  • The Whonix build script now optionally supports installing packages from the Whonix remote repository, rather than building packages locally. [716]
  • Simplified the default sudo lecture (presenting text upon first run) so it only shows the default password for Whonix. [717] [718] [719]
  • Work towards Whonix Host operating system.
  • Renamed package non-qubes-vm-audio to non-qubes-audio.
  • corridor -- Tor traffic whitelisting gateway and leak tester -- merged upstream changes and improved Debian host support. [720] [721]
  • Added usability and output enhancements to grub-live, and improved the live mode indicator systray. [722] [723] [724]
  • Added packaging and other improvements to Hardened Malloc. [725]
  • Added a sudo askpass wrapper for automated testing. [726] [727]
  • Added packaging and other enhancements for kloak. [728]
  • Refactored Qubes-Whonix network proxy setup. [729]
  • Created debug-misc: an opt-in package which enables miscellaneous debug settings for easier debugging. [730]
  • Added links to search engines to the Whonix landing page in Tor Browser.
  • Split most of /usr/share/tor/tor-service-defaults-torrc into /etc/torrc.d drop-in configuration snippets.
  • Hide verbose output messages during boot to improve startup speed (logs are still available in the journal).
  • Changed the desktop background images to better distinguish Whonix-Gateway from Whonix-Workstation and vice versa.
  • Upgraded packages by packages.debian.org.
  • Set hostname to localhost for VM builds. [731]
  • Disable DNSCrypt by default for now due to issues. [732]
  • The Debian stable-updates repository is now enabled by default. [733]
  • Merged python-guimessages into helper-scripts.
  • Set ClientOnionAuthDir in /var/lib/tor/authdir.
  • Permit Tor Browser to show improved error pages for onion service errors.
  • Whonix-Workstation Firewall: added a configuration option firewall_allow_udp=true to allow outgoing UDP.
  • anon-apps-config: Skip setting timezone to UTC if file /etc/noutc or /usr/local/etc/noutc exists.
  • whonixcheck now warns if dmesg contains “Bad RAM detected”.
  • Added a DVD drive by default for Whonix-Custom-Workstation. [734] [735]
  • Created a constrained system resources program starter wrapper, which is useful for running applications with limited system resources.
  • Implemented an apt-get-reset command for improved usability. [736]
  • whonix-welcome-page: added a link to https://web.archive.org/https://t.me/s/Whonix_archive.org
  • Added gpg-dearmor. [737] This is a wrapper to convert GPG ASCII-armored format to binary format. [738]

Kernel and Related Hardening

Significant kernel and other security hardening has been implemented; numerous enhancements have been made to security-misc: [739]

  • Enabled kernel panic on kernel oops after boot, see: set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security.
  • Enabled pam_umask.so usergroups, so group permissions are the same as user permissions. [740]
  • Removed read, write and execute access for others for all users who have home folders under folder /home. [741] [742]
  • Group sudo membership is required to use su.
  • Passwordless, recovery / emergency mode has been implemented.
  • Lock user accounts with pam_tally2 after five failed authentication attempts are detected. [743]
  • Fix pam_tally2 check when read-only disk boots without ro-mode-init or grub-live.
  • The thunderbolt and firewire modules were blacklisted, since they can be used for Direct Memory Access (DMA) attacks.
  • Every module must now be signed before being loaded; any module that is unsigned or signed with an invalid key cannot be loaded. [744]
  • Uncommon network protocols were blacklisted: these are rarely used and may have unknown vulnerabilities. [745]
  • Enabled IOMMU.
  • The SysRq key is restricted to only allow shutdowns/reboots.
  • Restrict the SysRq key so it can only be used for shutdowns and the Secure Attention Key.
  • A systemd service mounts /proc with hidepid=2 at boot, thereby preventing users from seeing each other’s processes.
  • A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. [746]
  • Remove System.map after a kernel upgrade.
  • remove-system-map: use shred instead of rm.
  • The kernel logs are restricted to root only.
  • The BPF JIT compiler is restricted to the root user and is hardened.
  • The ptrace system call is restricted to the root user only.
  • Added user root to group sudo. This is necessary so it is still possible to login as a user in a virtual console. [747]
  • Kernel symbols in /proc/kallsyms are hidden. This prevents malware from reading and using them to learn more about system vulnerabilities that can be attacked.
  • Kexec is disabled because it can be used for live patching of the running kernel.
  • Bluetooth is blacklisted to reduce the attack surface.
  • Added experimental SUID Disabling and Permission Hardening: [748] [749]
    • A systemd service removes SUID / SGID from non-essential binaries as these are often used in privilege escalation attacks. [750]
  • Enabled mitigations for the L1TF (L1 Terminal Fault) vulnerability. [751]
  • Unconditionally enable all kernel patches for CPU bugs (spectre, meltdown, L1TF and so on) -- this might reduce performance: [752] [753]
    • spectre_v2=on
    • spec_store_bypass_disable=on
    • tsx=off
    • tsx_async_abort=full,nosmt
  • The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
  • Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
  • Page allocator freelist randomization is enabled.
  • The vivid kernel module is blacklisted as it is only required for testing and has been the cause of multiple vulnerabilities.
  • An initramfs hook sets the sysctl values in /etc/sysctl.conf and /etc/sysctl.d before init is executed so sysctl hardening is enabled as early as possible.
  • The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
  • Improve entropy collection: [754] [755]
    • Load jitterentropy_rng kernel module.
    • Distrust the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
    • Disable trusting RDRAND.
    • random.trust_cpu=off
  • Experimental: remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and noexec (opt-in). To disable this, see footnote. [756] [757] [758]
  • Fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup.
  • Do show lxqt-sudo password prompt if there is a sudoers exception.
  • Improved pkexec wrapper logging.
  • Installation fix in the case when user user does not exist.
  • Better output if trying to login with a non-existing user.
  • Add user user to group console in Whonix and Kicksecure.
  • Lock user accounts after 50 rather than 100 failed login attempts.
  • Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU. [759] [760] [761]
  • Only allow symlinks to be followed when outside of a world-writable sticky directory, or when the owner of the symlink and follower match, or when the directory owner matches the symlink’s owner. Prevent hardlinks from being created by users that do not have read/write access to the source file. These prevent many TOCTOU races:
    • fs.protected_symlinks=1
    • fs.protected_hardlinks=1
  • Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl which has been used in exploits before. [762] [763] [764]
  • For a full list of changes, see: https://github.com/Kicksecure/security-misc
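
The boot parameters and sysctl values named in the list above can be checked mechanically. The following is an added example, not code from Whonix or security-misc: the function names (param_value, sysctl_value, audit) and the sample inputs are constructed for illustration, and it covers only the settings this list spells out.

```shell
#!/bin/sh
# Added example (not Whonix or security-misc code): compare a kernel command
# line and a sysctl dump with the settings spelled out in the list above.
# Function names and sample inputs are constructed for illustration.

# Boot parameters and sysctl values taken from the changelog entries.
EXPECTED_PARAMS='spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt random.trust_cpu=off'
EXPECTED_SYSCTLS='kernel.panic_on_oops=1 fs.protected_symlinks=1 fs.protected_hardlinks=1'

# param_value KEY CMDLINE: print the value of KEY=... on the command line.
# A repeated parameter is judged by its last occurrence, which is the one
# the kernel normally honours, so "tsx=off ... tsx=on" counts as "on".
param_value() (
    set -f                      # no globbing while splitting the command line
    val=''
    for tok in $2; do
        case $tok in
            "$1"=*) val=${tok#"$1"=} ;;
        esac
    done
    printf '%s' "$val"
)

# sysctl_value KEY DUMP: print the value of KEY in "sysctl -a" style output
# ("key = value"); empty if the key is absent.
sysctl_value() {
    printf '%s\n' "$2" |
        awk -F'[ \t]*=[ \t]*' -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# audit CMDLINE DUMP: print one FAIL line per deviation; succeed only if none.
audit() (
    set -f
    cmdline=$1; dump=$2; rc=0
    for want in $EXPECTED_PARAMS; do
        key=${want%%=*}; exp=${want#*=}
        got=$(param_value "$key" "$cmdline")
        if [ "$got" != "$exp" ]; then
            echo "FAIL boot $key: expected $exp, got ${got:-<unset>}"
            rc=1
        fi
    done
    for want in $EXPECTED_SYSCTLS; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sysctl_value "$key" "$dump")
        # The list gives oops=panic as the boot-parameter alternative to
        # kernel.panic_on_oops=1; accept it when the dump lacks the sysctl.
        if [ -z "$got" ] && [ "$key" = kernel.panic_on_oops ] &&
           [ "$(param_value oops "$cmdline")" = panic ]; then
            got=1
        fi
        if [ "$got" != "$exp" ]; then
            echo "FAIL sysctl $key: expected $exp, got ${got:-<unset>}"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample inputs: a compliant system ...
SAMPLE_CMDLINE_GOOD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt random.trust_cpu=off'
SAMPLE_SYSCTL_GOOD='kernel.panic_on_oops = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 1'

# ... and one where tsx is re-enabled by a later token, random.trust_cpu is
# missing, and hardlink protection is switched off.
SAMPLE_CMDLINE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt tsx=on oops=panic'
SAMPLE_SYSCTL_BAD='fs.protected_symlinks = 1
fs.protected_hardlinks = 0'

audit "$SAMPLE_CMDLINE_BAD" "$SAMPLE_SYSCTL_BAD" || true
```

On a live system the same check can be run as audit "$(cat /proc/cmdline)" "$(sysctl -a 2>/dev/null)".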

hardened-kernel:

  • Enabled CONFIG_KPROBES. [765]
  • Reverted “Optionally enable kprobes/ftrace for LKRG support” [766]

KVM

  • Command line control of KVM VMs is now supported. [767]
  • The microphone is disabled by default.
  • Switched RNG to /dev/urandom.
  • pvspinlock is enabled.
  • Fixed Whonix-Gateway firewall desktop shortcuts.
  • No longer install pulseaudio by default on Whonix-Gateway.
  • Various apparmor fixes.
  • Created new apparmor profiles for bootclockrandomization, permission lockdown, and pam tally2 information.
  • Ensured future compatibility for apparmor-profile-everything.
  • Improved the output of remove system.map.
  • Fixed the KVM prepare_release script.
  • Fixed the GPU tag in libvirt XML.
  • Updated Tor Browser to version 9.0.1, then later versions (9.5).
  • Fixed Kicksecure ™ KVM’s broken networking.
  • Moved to gitlab.com. [768]
  • Other platforms build fix.
  • monero-gui can be uninstalled.
  • Fixed /etc/resolv.conf.
  • Enabled export QMLSCENE_DEVICE=softwarecontext for KVM.
  • Upgraded to the 2020 Whonix ™ Logo version.
  • Upgraded monero-gui.

Security Enhancements

anon-shared-build-apt-sources-tpo:

  • Updated deb.torproject.org comments to onion v3 [769] [770]

Much stronger Linux user account isolation has been enforced in Non-Qubes-Whonix ™: [771]

Added vanguards to protect against guard discovery and related traffic analysis attacks: [778] [779] [780]

  • The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information -- vanguards fixes this.
  • Use vanguards from packages.debian.org
  • Ensured vanguards do not start in a Template in Qubes-Whonix.

Eased installation of Linux Kernel Runtime Guard (LKRG) for users of Non-Qubes-Whonix ™, Kicksecure ™ and Debian hosts -- sudo apt install lkrg: [781] [782]

  • Improves overall system security and is compatible with tirdad.
  • Hardens kernel security by killing whole classes of exploits, detecting exploits and performing Linux kernel runtime integrity checking.
  • Worked with LKRG upstream to fix LKRG VirtualBox host support.
  • Packaging enhancements were incorporated, so any standard Debian build tool can be used. [783]
  • Disabled the “System is clean!” message to avoid spamming dmesg and tty1.
  • Fixed compilation using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it).
  • Auto-load LKRG after installation. [784]
  • Upgraded LKRG to the latest upstream version (version 0.8.1; although not yet installed by default).

sandbox-app-launcher:

  • Wait (blocking) for processes inside the sandbox to be killed. [785]
  • Replaced dynamic wrapper script creation with static script for code simplification. [786] [787]
  • Fixed wrapper script creation and access rights. [788]
  • Improved the command to create a wrapper script for more self-explanatory bash xtrace. [789]
  • Unduplicated/removed permission check code in function run_program because it is already performed in function setup_or_check which runs anyhow. [790]
  • Minor usability improvements: [791]
    • Downgraded messages if removal previously completed to INFO:. [792]
    • Show INFO: after setup was successfully completed.
    • Show INFO: after remove was successfully completed.
  • Run all checks before start. [793] [794]
  • Indentation. [795]
  • Use sal_is_run_with_root instead of extra id calls. [796]
  • Reordering. [797]
  • Implemented more robust checks. [798]
  • Removed if statement when copying wrapper-script-wx. [799]
  • Check for wrapper-script-wx. [800]
  • Fixed AppArmor. [801]
  • Added an option to list all currently configured sandboxes. [802]
  • Pass app_user to bwrap-wrapper. [803]
  • Pass variables to bwrap-wrapper. [804]
  • Implemented proper whitespace handling. [805]
  • Added proper quoting for multiple parameter support. [806]
  • Added usr/share/sandbox-app-launcher/bwrap-wrapper. [807]
  • Created an initial unfinished bwrap-wrapper implementation. [808] [809]

sdwdate:

  • Improved sandboxing.
  • Code refactoring.
  • Updated onion time sources.
  • Increased the timeout to 120 seconds to deal with potentially slow onions.
  • Implemented Time Replay Protection. [810]

security-misc:

  • pam-abort-on-locked-password: implemented more descriptive error handling. [811] [812]
  • Restricted sudo’s file permissions. [813]
  • config-package-dev: displaced /etc/dkms/framework.conf [814] [815]
  • Modified DKMS configuration file /etc/dkms/framework.conf: lower parallel compilation jobs to 1 if there is less than 2 GB RAM to avoid virtual machine freezing (parallel_jobs=1). [816] [817] [818] [819]
  • Added /etc/dkms/framework.conf.security-misc original. [820] [821] [822]

Other security enhancements:

  • Advanced users can utilize Signify to verify Whonix ™ digital signatures.
  • Updated various security-critical software including APT, electrum, Monero, Tor Browser, Tor Browser Downloader by Whonix Developers and Hardened Malloc.
  • Implemented TCP ISN CPU Information Leak Protection to prevent de-anonymization of Tor onion services and installed Tirdad kernel module for random ISN generation by default. [823] [824] [825] [826] [827] [828]
  • Fixed compilation using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it).
  • Console lockdown: members of group console may use the console. Everyone else, except members of group console-unrestricted, is restricted from using the console via ancient, unpopular login methods such as /bin/login over networks, which might be exploitable. [829]
  • Protect Linux user accounts against brute force attacks -- lock user accounts after 50 failed login attempts using pam_tally2.
  • No longer install firejail by default because of fingerprinting reasons.
  • Prevent verbose output during boot to prevent kernel information leaks.
  • Extensive security hardening and updated packages.
  • Improved Thunderbird protocol level leak prevention by enforcing functionality previously provided by TorBirdy. [830] [831]
  • Improved systemd sandboxing for onion-grater. [832]
  • Implemented the OpenSSL security fix for Debian and Tor Browser (OpenSSL 1.1.1d) (CVE-2021-3449).
  • Added a minimum-time-check feature for better security. [833]
  • Created and implemented hardened-malloc-type-test. [834] [835]

VirtualBox

  • As at April 2021, the recommended VirtualBox version is 6.1.20.
    • Implemented a Whonix ™ compatibility fix for VirtualBox version 6.1.20. [836] [837]
    • Switched to SATA AHCI virtual storage controller hardware. [838] [839]
  • Upgraded VirtualBox guest additions to version 6.1.14.
  • vm-config-dist: run vbox-guest-installer when package virtualbox-guest-additions-iso is updated.
  • VirtualBox 6.1.12 upgrade: [840]
  • Reverted to vmsvga graphics controller settings due to issues.
  • Increased Whonix-Gateway default RAM to 1280 MB. Otherwise, VirtualBox guest additions kernel modules fail to compile.
  • Current VirtualBox screen resolution situation:
    • Functional VirtualBox VM Window → View → Virtual Screen 1 → resize to resolution
    • Functional VirtualBox VM Window → View → Adjust Window Size
    • A workaround to improve this situation is still required.
    • Added xserver-xorg-video-vmware to kicksecure-desktop-environment-essential-gui because it is required by VirtualBox Graphics Controller VMSVGA for auto resize and resize through VirtualBox settings menu.
    • Again set the VirtualBox Graphics Controller to VMSVGA (equivalent to “VirtualBox → click a VM → Settings → Display → Graphics Controller → VMSVGA → OK”). [842] [843]
    • Increased Whonix VirtualBox Whonix-Gateway video RAM to 128 MB since the previous assignment of only 16 MB RAM can cause resize issues.
    • Updated VirtualBox and VirtualBox guest addition to 6.1.4. The VirtualBox guest addition has been further upgraded to 6.1.6 in a later Whonix release.
  • Added a workaround for the bug causing the VirtualBox screen resolution to be too small; the screen resolution is now 1920x1080 by default for all VMs.
  • Configured three (instead of four) virtual CPU cores by default as this can improve stability. [844]
  • Enabled the Debian stable-updates repository by default. [845]
  • Consolidated Whonix packages. [846]
  • Installed fewer unneeded packages such as rsyslog (see footnote). [847]
  • Unbreak VirtualBox clearnet DNS settings when not using DNSCrypt.

Website Improvements

  • Wiki editing over onion.
  • Using Whonix ™ forums over onion.
  • Mostly fixed onion forum site redirects to clearnet. [848]
  • Implemented the Onion-Location header, which shows the “onion available” message to any Tor Browser user visiting the clearnet version of whonix.org.
  • Fixed a false Mediawiki message that identified Whonix ™ forum logins as insecure over onion (thereby offering a https connection to the onion URL). [849] [850]
  • Implemented Expect-CT security header for whonix.org. [851]
  • Fixed URL with no onion mirror. [852]
  • Reviewed hardenize.com results (no clean HSTS-Preload / DNSSEC). [853]
  • Researched DANE TLSA (DNS-based Authentication of Named Entities) for whonix.org. [854]
  • Whonix software signature verification documentation discussion: VirtualBox vs KVM - GPG / signify / codecrypt. [855]
  • Checked broken discourse email replies. [856]
  • Investigated uploaded images not presenting after creating a topic. [857]
  • Documented Testing the Whonix ™ server with test websites such as hardenize.com / securityheaders.com / Mozilla Observatory / SSL Labs / hstspreload.org.
  • Improved documentation chapter Trusting the Whonix ™ Website.
  • Considered drop-www vs yes-www.
  • Considered Hide Server IP.
  • Set up a dedicated server for Kicksecure, with dedicated domain kicksecure.com, homepage, wiki and soon forums. [858]

Footnotes

  1. https://forums.whonix.org/t/whonix-13-released/2505
  2. https://phabricator.whonix.org/maniphest/query/TfpGK0Sq8w1j/#R
  3. A handful of issues were fixed in both Whonix ™ 13 and Whonix ™ 14 and backported to both versions.
  4. https://phabricator.whonix.org/T672
  5. https://phabricator.whonix.org/T314
  6. https://phabricator.whonix.org/T201
  7. https://phabricator.whonix.org/T499
  8. https://phabricator.whonix.org/T666
  9. https://phabricator.whonix.org/T465
  10. The same firewall rules are still applied.
  11. https://phabricator.whonix.org/T286
  12. https://phabricator.whonix.org/T482
  13. https://phabricator.whonix.org/T480
  14. https://phabricator.whonix.org/T451
  15. For instance, tor-arm, restart Tor and other terminal programs.
  16. https://phabricator.whonix.org/T435
  17. This does not enable transparent proxying by default, but is required in Qubes so tinyproxy traffic can be redirected to 127.0.0.1 instead of to qubes-netvm-gateway.
  18. https://phabricator.whonix.org/T419
  19. https://phabricator.whonix.org/T300
  20. https://phabricator.whonix.org/T200
  21. https://phabricator.whonix.org/T159
  22. https://phabricator.whonix.org/T40
  23. https://phabricator.whonix.org/T158
  24. https://phabricator.whonix.org/T418
  25. https://phabricator.whonix.org/T472
  26. https://phabricator.whonix.org/T764
  27. https://phabricator.whonix.org/T497
  28. https://phabricator.whonix.org/T266
  29. https://phabricator.whonix.org/T528
  30. This fixes various bugs relating to Tor starting / failing multiple times and qubes-whonix-torified-updates-proxy sometimes failing.
  31. https://phabricator.whonix.org/T724
  32. https://phabricator.whonix.org/T723
  33. Qubes R4 RC1.
  34. https://phabricator.whonix.org/T384
  35. https://phabricator.whonix.org/T671
  36. https://phabricator.whonix.org/T496
  37. https://phabricator.whonix.org/T454
  38. https://phabricator.whonix.org/T452
  39. https://phabricator.whonix.org/T527
  40. https://phabricator.whonix.org/T710
  41. https://phabricator.whonix.org/T498
  42. https://phabricator.whonix.org/T416
  43. https://phabricator.whonix.org/T507
  44. https://phabricator.whonix.org/T433
  45. The qubes-update-check.service already has improved upgrade notifications.
  46. https://phabricator.whonix.org/T429
  47. For instance, plasma-widget-folderview, kde-kdm-autologin, split the anon-shared-desktop-kde package and so on.
  48. https://phabricator.whonix.org/T428
  49. https://phabricator.whonix.org/T491
  50. https://phabricator.whonix.org/T477
  51. https://phabricator.whonix.org/T461
  52. https://phabricator.whonix.org/T414
  53. https://phabricator.whonix.org/T501
  54. https://phabricator.whonix.org/T421
  55. https://phabricator.whonix.org/T417
  56. https://phabricator.whonix.org/T406
  57. https://phabricator.whonix.org/T502
  58. https://www.debian.org/releases/stretch/
  59. https://www.debian.org/News/2017/20170617
  60. https://www.debian.org/releases/stable/amd64/release-notes/
  61. https://www.debian.org/releases/stable/i386/release-notes/
  62. https://forums.whonix.org/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811
  63. https://phabricator.whonix.org/T676
  64. https://phabricator.whonix.org/T672
  65. https://phabricator.whonix.org/T587
  66. https://phabricator.whonix.org/T568
  67. https://phabricator.whonix.org/T532
  68. https://phabricator.whonix.org/T557
  69. The Whonix ™ documentation recommends that advanced users install apparmor-notify to investigate relevant warnings.
  70. https://phabricator.whonix.org/T640
  71. https://phabricator.whonix.org/T626
  72. https://phabricator.whonix.org/T592
  73. https://phabricator.whonix.org/T787
  74. https://phabricator.whonix.org/T797
  75. https://phabricator.whonix.org/T462
  76. https://phabricator.whonix.org/T490
  77. https://phabricator.whonix.org/T675
  78. https://phabricator.whonix.org/T700
  79. https://phabricator.whonix.org/T760
  80. https://phabricator.whonix.org/T761
  81. https://phabricator.whonix.org/T643
  82. https://phabricator.whonix.org/T666
  83. https://phabricator.whonix.org/T688
  84. https://phabricator.whonix.org/T686
  85. https://phabricator.whonix.org/T650
  86. https://phabricator.whonix.org/T768
  87. https://phabricator.whonix.org/T648
  88. https://phabricator.whonix.org/T632
  89. https://phabricator.whonix.org/T628
  90. https://phabricator.whonix.org/T627
  91. https://phabricator.whonix.org/T608
  92. https://phabricator.whonix.org/T603
  93. https://phabricator.whonix.org/T601
  94. gtk3-engines-oxygen.
  95. https://phabricator.whonix.org/T578
  96. https://phabricator.whonix.org/T548
  97. https://phabricator.whonix.org/T623
  98. This also reduces the RAM load caused by too many socat instances.
  99. https://phabricator.whonix.org/T689
  100. This measure takes place over Tor using a v3 onion. It does not include collection of IP addresses or unique identifiers of any kind, and can be easily disabled.
  101. https://phabricator.whonix.org/T551
  102. https://phabricator.whonix.org/T535
  103. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833474
  104. https://phabricator.whonix.org/T537
  105. https://phabricator.whonix.org/T192
  106. https://phabricator.whonix.org/T488
  107. https://phabricator.whonix.org/T639
  108. https://phabricator.whonix.org/T762
  109. https://phabricator.whonix.org/T637
  110. https://phabricator.whonix.org/T589
  111. https://phabricator.whonix.org/T563
  112. https://phabricator.whonix.org/T796
  113. https://phabricator.whonix.org/T691
  114. https://github.com/systemd/systemd/issues/5207
  115. https://phabricator.whonix.org/T686
  116. https://phabricator.whonix.org/T50
  117. https://phabricator.whonix.org/T699
  118. https://forums.whonix.org/t/censorship-circumvention-tor-pluggable-transports/2601
  119. https://phabricator.whonix.org/T716
  120. OnionShare is not installed by default in Whonix ™ 14 because it is not in the stretch repository, however it may be manually installed using the available wiki instructions.
  121. https://phabricator.whonix.org/T657
  122. onion-grater:

    Filters out Tor control protocol commands that are dangerous for anonymity such as GETINFO ADDRESS using a whitelist. Acts as a proxy between the client application and Tor.

    For example it allows using Tor Browser's New Identity feature on Anonymity Distribution Workstations, fixes Tor Browser's about:tor default homepage and Tor Button status indicator without exposing commands that are dangerous for anonymity.

  123. https://phabricator.whonix.org/T701
  124. https://forums.whonix.org/t/onioncircuits-viewing-the-status-and-circuits-of-tor/2539
  125. https://phabricator.whonix.org/T579
  126. https://phabricator.whonix.org/T576
  127. https://phabricator.whonix.org/T574
  128. https://phabricator.whonix.org/T573
  129. https://phabricator.whonix.org/T510
  130. https://phabricator.whonix.org/T503
  131. https://phabricator.whonix.org/T357
  132. https://phabricator.whonix.org/T274
  133. https://phabricator.whonix.org/T561
  134. https://phabricator.whonix.org/T481
  135. https://phabricator.whonix.org/T73
  136. This is no longer recommended, since The Tor Project has ceased development and stopped building and distributing sandboxed-tor-browser binaries.
  137. https://phabricator.whonix.org/T583
  138. By default, kloak is packaged in Whonix ™ 15 for the Non-Qubes-Whonix platform. Unfortunately Qubes is unsupported (dysfunctional) due to the following Qubes issues:
  139. https://phabricator.whonix.org/T647
  140. https://phabricator.whonix.org/T617
  141. https://phabricator.whonix.org/T612
  142. https://phabricator.whonix.org/T599
  143. https://phabricator.whonix.org/T764
  144. Previously both clearnet and onion sources were in use and priority was given to the latter, with v3 onion connections being preferred (clearnet provided a fallback). Onions will not be set by default until OnionBalance is available for v3 onions, and the repositories can be reached reliably.
  145. https://phabricator.whonix.org/T590
  146. https://phabricator.whonix.org/T500
  147. https://phabricator.whonix.org/T356
  148. https://phabricator.whonix.org/T610
  149. https://phabricator.whonix.org/T471
  150. https://phabricator.whonix.org/T475
  151. https://phabricator.whonix.org/T559
  152. https://phabricator.whonix.org/T736
  153. The default Whonix ™ PDF reader.
  154. https://www.locklizard.com/track-pdf-monitoring/
  155. https://phabricator.whonix.org/T776
  156. Until it is determined how to enable kde-folderview in Debian stretch.
  157. https://phabricator.whonix.org/T680
  158. https://phabricator.whonix.org/T638
  159. https://phabricator.whonix.org/T598
  160. https://github.com/Whonix/shared-folder-help/commit/2130d872d4e346bc490e70fca79e572d1d1f86df
  161. https://phabricator.whonix.org/T790
  162. https://forums.whonix.org/t/reducing-size-of-ova-images
  163. VirtualBox .ova and libvirt qcow2 raw images.
  164. The Whonix-Gateway ™ is reduced from 1.7 GB to 850 MB, while the Whonix-Workstation ™ is reduced from 2 GB to 1.1 GB.
  165. https://phabricator.whonix.org/T722
  166. https://phabricator.whonix.org/T714
  167. grub-live is not installed by default in Whonix ™ 14 and is an optional package only.
  168. https://phabricator.whonix.org/T703
  169. https://phabricator.whonix.org/T702
  170. https://github.com/Whonix/anon-meta-packages/commit/a22b1807c79cb1d21447c83ed251c331cf6222f1
  171. https://phabricator.whonix.org/T408
  172. https://phabricator.whonix.org/T724
  173. https://phabricator.whonix.org/T723
  174. Qubes R4 RC1.
  175. https://phabricator.whonix.org/T651
  176. https://phabricator.whonix.org/T767
  177. https://phabricator.whonix.org/T671
  178. https://phabricator.whonix.org/T620
  179. https://phabricator.whonix.org/T607
  180. https://phabricator.whonix.org/T505
  181. https://phabricator.whonix.org/T781
  182. https://github.com/Kicksecure/tb-updater/issues/2
  183. https://phabricator.whonix.org/T789
  184. https://github.com/QubesOS/qubes-issues/issues/4033
  185. https://github.com/QubesOS/qubes-issues/issues/4093
  186. https://github.com/QubesOS/qubes-issues/issues/3469
  187. https://github.com/QubesOS/qubes-issues/issues/4098
  188. A persistent configuration now applies upon reboot.
  189. https://github.com/QubesOS/qubes-issues/issues/4095
  190. https://github.com/QubesOS/qubes-issues/issues/3595
  191. https://phabricator.whonix.org/T791
  192. The anon-vm tag enforces selected settings from Templates to TemplateBasedVMs which are necessary for anonymity.
  193. https://phabricator.whonix.org/T792
  194. https://github.com/QubesOS/qubes-issues/issues/4113
  195. https://github.com/QubesOS/qubes-issues/issues/4055
  196. The bug caused a version downgrade to APT 1.0.9.8.4
  197. https://github.com/QubesOS/qubes-issues/issues/3882
  198. https://github.com/QubesOS/qubes-issues/issues/3740
  199. https://github.com/QubesOS/qubes-issues/issues/2334
  200. https://github.com/QubesOS/qubes-issues/issues/1156
  201. https://phabricator.whonix.org/T527
  202. https://github.com/QubesOS/qubes-issues/issues/3766
  203. https://github.com/QubesOS/qubes-issues/issues/4063
  204. https://github.com/QubesOS/qubes-issues/issues/4086
  205. https://github.com/QubesOS/qubes-issues/issues/4130
  206. https://phabricator.whonix.org/T619
  207. https://phabricator.whonix.org/T697
  208. https://phabricator.whonix.org/T641
  209. https://github.com/QubesOS/qubes-issues/issues/4080
  210. https://phabricator.whonix.org/T698
  211. https://phabricator.whonix.org/T463
  212. https://phabricator.whonix.org/T726
  213. https://forums.whonix.org/t/qubes-dispvm-technical-discussion/3232/58
  214. https://github.com/QubesOS/qubes-issues/issues/3765
  215. https://phabricator.whonix.org/T788
  216. https://github.com/QubesOS/qubes-issues/issues/4087
  217. https://phabricator.whonix.org/T810
  218. Whonix ™ is licensed under GPLv3. The repository in question can be found here.
  219. https://github.com/QubesOS/qubes-issues/issues/4094
  220. https://phabricator.whonix.org/T521
  221. https://forums.whonix.org/t/splitting-whonix-documentation-into-a-short-and-long-edition-for-better-usability
  222. https://phabricator.whonix.org/T811
  223. For example this simplifies processes when installing additional software safely.
  224. https://www.whonix.org/wiki/Multiple_Qubes-Whonix_Templates
  225. https://phabricator.whonix.org/T580
  226. https://forums.whonix.org/t/document-recovery-procedure-after-compromise
  227. https://phabricator.whonix.org/T544
  228. This template simplifies instructions for Onion Services.
  229. https://phabricator.whonix.org/T567
  230. https://www.whonix.org/wiki/Multiple_Whonix-Workstation
  231. https://phabricator.whonix.org/T523
  232. Apache has a large attack surface and some features erode privacy and leak information about a server's configuration.
  233. https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver
  234. https://forums.whonix.org/t/website-fingerprinting-defenses-at-the-application-layer?
  235. https://phabricator.whonix.org/T545
  236. The template reminds Qubes users that newly installed packages must be installed in the Template to be persistent.
  237. The wrapper was integrated into tb-updater and tb-starter.
  238. https://forums.whonix.org/t/todo-research-and-document-how-to-use-tor-browser-for-security-not-anonymity-how-to-use-tbb-using-clearnet/3822
  239. https://phabricator.whonix.org/T877
  240. https://phabricator.whonix.org/T597
  241. https://www.whonix.org/wiki/ZeroNet
  242. Including:
  243. This greatly assists with documentation efforts, since documentation does not break and need updating based on a new point release being available.
  244. https://phabricator.whonix.org/T809
  245. https://phabricator.whonix.org/T870
  246. Whonix ™ already has a Youtube channel, but Peertube provides a further avenue for information on new/fresh projects.
  247. https://phabricator.whonix.org/T847
  248. https://phabricator.whonix.org/T846
  249. https://phabricator.whonix.org/T836
  250. https://phabricator.whonix.org/T830
  251. https://phabricator.whonix.org/T839
  252. https://phabricator.whonix.org/project/board/144/
  253. https://phabricator.whonix.org/T840
  254. https://forums.whonix.org/t/i-need-help-to-get-my-apparmor-profile-of-dnscrypt-proxy-to-run/7457
  255. https://forums.whonix.org/t/why-does-the-tor-browser-apparmor-profile-have-sys-admin-sys-chroot-and-ptrace-capabilties/7409
  256. https://github.com/Kicksecure/apparmor-profile-torbrowser/pull/6
  257. The Tor Browser AppArmor profile has capability sys_admin, capability sys_chroot, and ptrace. This looks pretty insecure.

    ptrace will allow the Tor Browser to modify and inspect other running processes.

    sys_admin will allow the Tor Browser to do a whole load of things that it probably shouldn’t be able to.

    sys_chroot will allow the Tor Browser to chroot which can make an attacker able to put a setuid program inside a chroot jail with a fake /etc/passwd and /etc/shadow which can fool it into giving it root access.

  258. https://forums.whonix.org/t/tor-browser-8-wont-launch/5863
  259. https://github.com/Kicksecure/apparmor-profile-torbrowser/commit/5b1550cc51d73652d63af1fd010d9beb34e2069e
  260. https://forums.whonix.org/t/whonix-apparmor-profiles-development-discussion/108/682
  261. https://github.com/Kicksecure/systemcheck/commit/5873f4c3bb1665a6fb92224968805f561aca87e3
  262. https://github.com/Kicksecure/apparmor-profile-torbrowser/pull/3
  263. This allows the same apparmor profile to be used for i2p browser (~/.i2pb/i2p-browser) or for a hypothetical ZeroNet browser (~/.zerob/zeronet-browser/) and so on.
  264. https://github.com/Kicksecure/apparmor-profile-torbrowser/commit/21c36545df427bd8943a92279af78e53ea627056
  265. https://github.com/Kicksecure/apparmor-profile-hexchat/pull/2
  266. https://phabricator.whonix.org/T855
  267. whonixcheck runs as user whonixcheck, so a wrapper might be needed which is called using sudo (with a sudoers.d exception for this test).
  268. https://phabricator.whonix.org/T820
  269. https://forums.whonix.org/t/missing-pinentry-package-whonix-14/5630
  270. https://github.com/Whonix/whonix-firewall/commit/8d9767a72fdbaac863f8e372a10dfa6f2779ce6f
  271. https://github.com/Kicksecure/tb-starter/commit/7f3ac3b6d7beb659333f39b0506cd32fb07dc1bb
  272. https://github.com/Whonix/onion-grater/commit/70e735dae1c15920c356b07fc6aaf4b9589b465a
  273. https://github.com/Kicksecure/open-link-confirmation/commit/30810e6fa96b80a749505ea60e9dfb0d915edf14
  274. https://github.com/Kicksecure/usability-misc/commit/63c1ba7cae2914bd3bcfe5d7d2e5edf495a79c02
  275. https://forums.whonix.org/t/bug-not-all-files-form-etc-skel-are-copied-to-home-user/6778
  276. See: apt security update - DSA 4371-1
  277. https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715
  278. https://phabricator.whonix.org/T854
  279. https://phabricator.whonix.org/T400
  280. Such as --cpuid-portability-level or --cpuidremoveall in VirtualBox, since the attempts have proven futile or even posed security risks.
  281. https://phabricator.whonix.org/T408
  282. https://phabricator.whonix.org/T881
  283. https://github.com/Whonix/anon-meta-packages/commit/04851c3ef4a5fa4e4e25917860392273b80a3ebb
  284. https://github.com/Kicksecure/repository-dist/commit/24f6479ec1c7015aa50aa2caf1a6d66aec28f429
  285. https://github.com/Kicksecure/repository-dist/commit/e6de603931735647aa69ab97202a8eb01589a42b
  286. https://github.com/Kicksecure/systemcheck/commit/2dcc1257f728639772f66f055134ea6ed960012c
  287. https://github.com/Kicksecure/systemcheck/commit/7f9d648909e790a8d188dda5f83622367fd432c3
  288. https://github.com/Kicksecure/systemcheck/commit/5111b2765e7e2d0b8d24cdfb5e7c6996da7a1e25
  289. https://github.com/Kicksecure/sdwdate-gui/commit/964fcb62d1961b52f4b126cc427d429cf2475ef4
  290. https://github.com/troubadoour/sdwdate-gui/commit/0b7d851476ac5c9d352de537f0ddfea8f1095b34
  291. https://github.com/Kicksecure/sdwdate-gui/commit/63b9a0b1c7f979362ec114aebed5d62d2138f63f
  292. https://github.com/Kicksecure/helper-scripts/commit/a87cd4fa6cadc541262a90f810a585fa4c4bdc0b
  293. https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/1f7bf8ff3af2548cb735ab9450c7395d9d4065cf
  294. So arbitrary packaging scripts can be avoided.
  295. https://github.com/Kicksecure/dist-base-files/commit/fe5433f52678597c4e26ca06ecfab4c3619e45de
  296. https://forums.whonix.org/t/thunderbird-no-longer-installed-by-default/6505
  297. Due to breakage that has been experienced; see here for details.
  298. https://github.com/Whonix/whonix-welcome-page/pull/5
  299. The landing page was otherwise stuck in the left corner and not centered.
  300. This is useful if trying to avoid unnecessary package installation; for example just installing sdwdate on Debian.
  301. https://github.com/Kicksecure/sdwdate-gui/commit/f9a269b352eeb2965a352c91e0a033576c01f0e1
  302. https://github.com/Kicksecure/helper-scripts/commit/bb3fab3b3de448ede51417f2b2b2e4760d9a467b
  303. https://forums.whonix.org/t/calling-1-package-from-whonix-repo-will-pull-all-the-packages/6182/7
  304. https://forums.whonix.org/t/whonix-langpacks-useful/5692
  305. https://github.com/Whonix/anon-meta-packages/commit/64db5cf89152d0114aaa331f8321fec061bea2c1
  306. https://phabricator.whonix.org/T888
  307. Poll: https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235
  308. https://groups.google.com/g/qubes-devel/c/pkvvm1WNznY
  309. https://phabricator.whonix.org/T771
  310. https://forums.whonix.org/t/onionshare-alternatives/4877/11
  311. This is because OnionShare is not in Debian stable. magic-wormhole is a great alternative to easily share data between two endpoints, although it requires a uwt wrapper to support stream isolation.
  312. https://github.com/Kicksecure/usability-misc/pull/7
  313. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation-and-whonix-software/7599
  314. https://github.com/Whonix/anon-gw-anonymizer-config/commit/252416d91a2158da3b07f1791416ecc8c261f18c
  315. One example implementation is to use iptables to force all traffic through those ports. This requires two flashproxy ports -- one for TCP traffic and one for DNS.
  316. https://github.com/Whonix/whonix-firewall/commit/5ffcbb5ad30b04a6c5ea57734a8907cdc08c9b9f
  317. https://github.com/Whonix/whonix-firewall/commit/6882aa9a449e0b6317f96f35d54ddcfcf56df858
  318. https://github.com/Whonix/whonix-firewall/commit/5cf35f4ffe9d2f7ff2d2f8200dd0f2ad82ea5f14
  319. https://forums.whonix.org/t/disable-onions-by-default-due-to-unreliability/6650
  320. https://github.com/Kicksecure/repository-dist/commit/f04391c5ad438732c5a9ae886b926530e277e9cd
  321. https://github.com/Kicksecure/anon-apt-sources-list/commit/8846e18a3bae24ed64fb5e9351f2ef614eaf1566
  322. This includes small, efficient GUI decompression tools like xarchiver, unxz, unrar and p7zip.
  323. https://forums.whonix.org/t/archive-decompression-tools/6533
  324. https://github.com/Whonix/anon-meta-packages/pull/19
  325. https://github.com/Whonix/anon-connection-wizard/pull/22
  326. https://forums.whonix.org/t/tor-controller-gui-tor-control-panel-testers-wanted/5444
  327. https://phabricator.whonix.org/T878
  328. Otherwise this redirects and discloses the traffic to onion addresses.
  329. https://phabricator.whonix.org/T821
  330. whonixcheck will now always run and check for updates on first boot of Whonix-Workstation since numerous updates will likely be available, including kernel updates.
  331. https://github.com/Kicksecure/systemcheck/commit/4d65231b87b1dbc7827cd47c86f1f4d5476bcda2
  332. https://github.com/Whonix/commit/47d9bdde4f9985aa8b29d64c2bd81f17addf18b6
  333. https://phabricator.whonix.org/T721
  334. https://lists.debian.org/debian-security/2017/10/msg00006.html
  335. https://phabricator.whonix.org/T678
  336. The optional --onion parameter can also be set through an environment variable export tb_onion=true or in the /etc/torbrowser.d/50_user.conf config with the same syntax.
  337. https://github.com/madaidan/onion-grater/commit/f0312d95bc721580088a10c4230ab10ff97f30f9
  338. https://github.com/Kicksecure/sdwdate/pull/21
  339. apt-transport-tor (tor+http) is the default from Whonix ™ 14 onward because it provides better error handling and stream isolation.
  340. https://github.com/Kicksecure/repository-dist/commit/8beb14f2782a2730c07a2b233f44b5ea5df021c2
  341. https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/commit/32d6efed5344aaac9de5c3dac04ba1a3d6236905
  342. https://github.com/Kicksecure/anon-apt-sources-list/commit/d74b8e8abd7832200d57aee8736e8f31084db964
  343. Disables DCCP, SCTP, RDS and TIPC in case they have unknown vulnerabilities; serious problems were discovered in the past.
  344. https://github.com/Kicksecure/security-misc/pull/7
  345. https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391
  346. https://forums.whonix.org/t/bitcoin-core-onion-grater-profile/6216
  347. To allow the creation of a mainnet or testnet hidden service and discarding of the private key to keep services ephemeral.
  348. https://github.com/Whonix/onion-grater/pull/1
  349. https://github.com/Whonix/onion-grater/pull/2
  350. https://phabricator.whonix.org/T822
  351. https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui
  352. https://github.com/Whonix/anon-apps-config/commit/008d206ec20c74e0d03926b939522b7036b8693b
  353. https://phabricator.whonix.org/T737
  354. https://github.com/Kicksecure/usability-misc/commit/c2a0c84b4a12b5bebc241b65a932b96a33cacedb
  355. https://github.com/Whonix/commit/5760a2491cc42482945e3d50ed0ccb33d539d92d
  356. https://github.com/Whonix/commit/98fd2361ec4e1ef73de3660ccb4c21e5ec86bf5f
  357. https://github.com/Whonix/commit/8679c7f1b94e269b8f110743654c2431a0725cc2
  358. https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235archive.org
  359. https://phabricator.whonix.org/T738archive.org
  360. https://phabricator.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/T69onion
  361. https://phabricator.whonix.org/T630archive.org
  362. https://phabricator.whonix.org/T705archive.org
  363. https://phabricator.whonix.org/T706archive.org
  364. https://phabricator.whonix.org/T733archive.org
  365. https://phabricator.whonix.org/T734archive.org
  366. https://phabricator.whonix.org/T735archive.org
  367. https://phabricator.whonix.org/T633archive.org
  368. https://github.com/Whonix/pull/423/commits/bb87de2006d5ea6389480d4443b58ea82c11bef2archive.org
  369. https://github.com/Kicksecure/helper-scripts/pull/4archive.org
  370. https://github.com/Whonix/anon-meta-packages/pull/15archive.org
  371. https://github.com/Kicksecure/desktop-config-distarchive.org
  372. https://github.com/Kicksecure/systemcheck/commit/7eec772015948573319e281da67b9b1ffb93e201archive.org
  373. https://github.com/Whonix/anon-meta-packages/commit/fd2570327ea7a4da054c2d3825ff04debc70a557archive.org
  374. So it is not installed on Whonix-Gateway by default.
  375. https://github.com/Whonix/anon-meta-packages/commit/8bfca1d9a9c7a0e76bcd0222f9fd01dd72a0277barchive.org
  376. https://github.com/Whonix/anon-meta-packages/commit/1de173ad50669a575171200d76b0d3e4878fb78barchive.org
  377. https://github.com/Whonix/anon-meta-packages/commit/28582d8272a38b9d0ce7cd234f94a7b983358a64archive.org
  378. https://github.com/Whonix/anon-meta-packages/commit/eaac36060f9fea574c098967b85690d41f122562archive.org
  379. https://github.com/Kicksecure/security-misc/commit/137bc073c5d65988cce832336ebee5c47071e732archive.org
  380. https://github.com/Kicksecure/desktop-config-dist/commit/c8959135d699bc3ce74b95f736cbfbbc8ff391d9archive.org
  381. https://github.com/Kicksecure/desktop-config-dist/commit/0e9daa97e9f9e70120c969aa9c9d52cace46971aarchive.org
  382. https://github.com/Whonix/whonix-firewall/commit/c55b2652eecd214804afb32d89dc8fdf05e31221archive.org
  383. To prevent broken functionality due to missing packages.
  384. https://forums.whonix.org/t/whonix-cli-development/6309archive.org
  385. https://forums.whonix.org/t/whonix-for-arm64-raspberry-pi-rpi/1788archive.org
  386. Virtual ovas and KVM libvirt.xz files are both available as a single download containing both VMs.
  387. https://forums.whonix.org/t/unified-whonix-download-rather-than-separate-whonix-gateway-whonix-workstation-download/6851
  388. https://forums.whonix.org/t/whonix-virtualbox-14-0-1-4-4-unified-ova-downloads-testers-wanted/6979/2
  389. https://github.com/Kicksecure/security-misc/pull/4
  390. https://github.com/Whonix/whonix-setup-wizard/commit/7fa64df04025d304fa97458a23f730bcc8aedbd8
  391. https://github.com/Whonix/anon-meta-packages/commit/701edd4aa46d76b03fc84a482a9046834beb43ab
  392. https://github.com/Kicksecure/desktop-config-dist/commit/0aba7c2c3676469ea28f7949a5e58795cd529e34
  393. https://forums.whonix.org/research-disabling-tbb-e10-mutiprocess-for-performance-boost/6431
  394. https://github.com/Whonix/commit/e75f61f32eee4d947bbeea61d898fcce815b57e5
  395. https://phabricator.whonix.org/T880
  396. https://forums.whonix.org/t/whonix-xfce-14-0-0-9-6-for-virtualbox-released/6368/14
  397. https://github.com/Kicksecure/security-misc/commit/008a97d9e7f891a706a277c8e9bb2e3a958d1e63
  398. https://phabricator.whonix.org/T894
  399. https://forums.whonix.org/t/tor-browser-in-whonix-blocks-javascript-only-when-started-for-the-first-time-and-in-dispvms/6843
  400. This was reported to occur in approximately 50 percent of start up cases.
  401. Since it does not report upgrades, even when they are available.
  402. https://phabricator.whonix.org/T373
  403. Which failed with return code 1.
  404. https://github.com/QubesOS/qubes-issues/issues/4154
  405. https://github.com/QubesOS/qubes-issues/issues/4155
  406. https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/6
  407. Related to the missing package python3-xcffib.
  408. https://github.com/QubesOS/qubes-issues/issues/4443#issuecomment-436484078
  409. https://github.com/QubesOS/qubes-issues/issues/3323
  410. https://github.com/QubesOS/qubes-issues/issues/4340
  411. https://github.com/QubesOS/qubes-issues/issues/4536
  412. https://github.com/QubesOS/qubes-builder/pull/81
  413. https://github.com/QubesOS/qubes-core-admin/pull/221
  414. https://github.com/QubesOS/qubes-issues/issues/4195
  415. https://github.com/QubesOS/qubes-issues/issues/4295
  416. https://phabricator.whonix.org/T858
  417. https://github.com/QubesOS/qubes-issues/issues/4174
  418. Some fixes/changes were implemented in both Whonix ™ 14 and 15.
  419. https://www.debian.org/News/2019/20190706
  420. More than 91 per cent of the source packages included in Debian 10 are reproducible (will build bit-for-bit identical binary packages).
  421. https://phabricator.whonix.org/T899
  422. https://github.com/Kicksecure/usability-misc/blob/master/usr/bin/scurl/pull/1
  423. A few fixes were needed, such as:
    • Remove --remote-name and replace it with --remote-name-all.
    • Improve download wrappers and add --remote-header-name.
  424. https://phabricator.whonix.org/T923
  425. https://phabricator.whonix.org/T890
  426. For instance, an error would otherwise appear when using Xfce file manager with encrypted USBs.
  427. https://forums.whonix.org/t/have-cryptsetup-installed-by-default-in-whonix/6684/5
  428. https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715
  429. https://phabricator.whonix.org/T853
  430. https://phabricator.whonix.org/T712
  431. Specifically:
    • Make it simpler (to split urls into chunks of 3).
    • Generate average, total etc. for each pool.
    • Add curl command for the failures (timeouts).
  432. https://phabricator.whonix.org/T850
  433. https://phabricator.whonix.org/T866
  434. https://phabricator.whonix.org/T503
  435. This was completed for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater (Control Port Filter Proxy), rads, open-link-confirmation, tb-starter, tb-updater and anon-ws-disable-stacked-tor.
  436. https://github.com/TNTBOMBOM/sdwdate/commit/2985fc70625ae13aed45225b8c83592575c21a78
  437. https://forums.whonix.org/t/port-whonix-from-debian-stretch-to-debian-buster/7101
  438. https://phabricator.whonix.org/T869
  439. https://forums.whonix.org/t/install-firejail-firetools-by-default/5363/3
  440. MAT2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system.

  441. https://phabricator.whonix.org/T885
  442. https://forums.whonix.org/t/add-mat2-to-whonix-15/6489
  443. zulumount-gui is also installed.
  444. https://phabricator.whonix.org/T769
  445. https://forums.whonix.org/t/zulucrypt-in-whonix-14/4876
  446. https://phabricator.whonix.org/T595
  447. https://forums.whonix.org/t/feature-request-onionshare-support/300/7
  448. https://github.com/Whonix/anon-meta-packages/commit/8d5e892d3b603bb1390d3c152f70f8b8e8bfefef
  449. Primarily due to incompatibility with v3 onions.
  450. https://forums.whonix.org/t/remove-ricochet-from-whonix/5009
  451. https://forums.whonix.org/t/what-about-nyx/6380
  452. nyx is actually the same project; just the name has changed and the presentation is very similar.
  453. https://phabricator.whonix.org/T798
  454. https://phabricator.whonix.org/T817
  455. Using the Jitter RNG core, the rngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. ... Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.

  456. https://phabricator.whonix.org/T848
  457. https://forums.whonix.org/t/failed-failed-to-start-virtualbox-guest-utils/5975/4
  458. https://forums.whonix.org/t/reducing-size-of-ova-images/5095
  459. https://phabricator.whonix.org/T886
  460. https://github.com/Kicksecure/grub-live
  461. https://github.com/Whonix/anon-meta-packages/pull/18
  462. https://forums.whonix.org/t/installing-whonix-live-mode-in-all-distributed-images/6467
  463. This means Non-Qubes-Whonix users can boot into live-mode out of the box, without needing to install it.
  464. https://phabricator.whonix.org/T825
  465. Such as the root password, Whonix ™ home page and so on.
  466. https://forums.whonix.org/t/add-description-to-whonix-vbox-images/5828/1
  467. https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271
  468. https://phabricator.whonix.org/T782
  469. The floppy and optical settings were disabled in both the Gateway and Workstation, while the Gateway audio was also disabled.
  470. kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.

  471. https://forums.whonix.org/t/kloak-keystroke-anonymization-tool/7089
  472. See recent pull requests here.
  473. https://forums.whonix.org/t/kernel-hardening/7296/9
  474. The specific changes include:
    • Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system.
    • Kexec is disabled as it can be used for live patching of the running kernel.
    • The BPF JIT compiler is restricted to the root user and is hardened.
    • ASLR effectiveness for mmap is increased.
    • The ptrace system call is restricted to the root user only.
    • The TCP/IP stack is hardened.
    • This package makes some data spoofing attacks harder.
    • SACK is disabled as it is commonly exploited and is rarely used.
    • This package disables the merging of slabs of similar sizes to prevent an attacker from exploiting them.
    • Sanity checks, redzoning, and memory poisoning are enabled.
    • The kernel now panics on uncorrectable errors in ECC memory which could be exploited.
    • Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
    • SMT is disabled as it can be used to exploit the MDS vulnerability.
    • All mitigations for the MDS vulnerability are enabled.
    • DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities.

  475. https://phabricator.whonix.org/T883
  476. https://github.com/QubesOS/qubes-template-configs/pull/6/commits/d4f429669b849fc73973e2e557a24cceab47c45e
  477. https://github.com/QubesOS/qubes-builder/pull/82/commits/64a661241430c6a22ca98bb11370b2a3e3cf0e12
  478. https://github.com/QubesOS/qubes-issues/issues/4957
  479. https://github.com/Whonix/qubes-whonix/commit/8d8ab41bbf9c7fa63f3e79b8511d439efe33caeb
  480. https://github.com/Whonix/qubes-whonix/commit/c08dfed97cfba369ff753b4d96755b47240fffb2
  481. https://github.com/QubesOS/qubes-issues/issues/4918
  482. Neither are backups of Tor Browser maintained anymore; previously three backups were stored.
  483. https://phabricator.whonix.org/T858
  484. timesync-fail-closed means sdwdate did not succeed yet. Networking for all but Tor and sdwdate should still be locked in this scenario.
  485. https://github.com/Kicksecure/apparmor-profile-everything
  486. https://github.com/QubesOS/qubes-issues/issues/5212
  487. https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581
  488. https://forums.whonix.org/t/whonix-virtualbox-15-0-0-4-9-point-release/8076
  489. https://forums.whonix.org/t/whonix-kvm-15-0-0-4-9-point-release/8096
  490. https://forums.whonix.org/t/whonix-virtualbox-15-0-0-6-6-point-release/8524
  491. https://forums.whonix.org/t/whonix-kvm-15-0-0-7-1-point-release/8540
  492. https://forums.whonix.org/t/whonix-kvm-kicksecure-15-0-0-8-7-released-a-qunatum-leap-forward/8921
  493. https://forums.whonix.org/t/whonix-virtualbox-15-0-0-8-9-point-release-vanguards-tcp-isn-leak-protection-extensive-hardening/8994
  494. https://forums.whonix.org/t/whonix-virtualbox-15-0-0-9-4-point-release/9157
  495. https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-point-release/9159
  496. https://forums.whonix.org/t/whonix-virtualbox-15-0-1-3-4-point-release/9616
  497. https://github.com/Whonix/compare/15.0.0.9.4-developers-only...15.0.1.3.4-developers-only
  498. https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-3-4-released/9729
  499. https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-3-9-released/9785
  500. https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-4-9-released/10167
  501. https://forums.whonix.org/t/whonix-kicksecure-15-0-1-4-8-for-virtualbox-point-release/10231
  502. https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-6-202009121407-point-release-testers-wanted/10274
  503. https://forums.whonix.org/t/whonix-15-0-1-5-1-for-virtualbox-point-release/10294
  504. https://forums.whonix.org/t/whonix-15-0-1-5-4-for-virtualbox-point-release/10835
  505. https://forums.whonix.org/t/whonix-for-virtualbox-15-0-1-7-2-point-release/11349
  506. https://forums.whonix.org/t/qubes-whonix-15-templatevms-15-4-0-6-202103292247-point-release/11355
  507. https://forums.whonix.org/t/whonix-kvm-15-0-1-7-2-point-release-is-out/11458
  508. https://forums.whonix.org/t/whonix-for-virtualbox-15-0-1-7-3-point-release-includes-virtualbox-6-1-20-compatibility-fix/11496
  509. https://forums.whonix.org/t/whonix-15-0-1-9-3-for-virtualbox-point-release/11876
  510. https://forums.whonix.org/t/qubes-whonix-15-templatevms-15-4-0-6-202106242108-point-release/11891
  511. https://forums.whonix.org/t/whonix-kvm-15-0-1-9-3-released/11923
  512. https://github.com/Kicksecure/apparmor-profile-everything/compare/f3140ea2153fcee68a901ef0c86d552d6fa0ec3e...ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be
  513. https://github.com/Kicksecure/apparmor-profile-everything/compare/ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be...63fdd0312a81f878d266ae9197803ccbd6bc18df
  514. More work is required such as multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode before it is installed by default.
  515. https://github.com/Kicksecure/apparmor-profile-everything/commit/d3eccd40b1547114159ef5309518a75f14800391
  516. See: Dev/bash.
  517. https://github.com/Kicksecure/apparmor-profile-everything/commit/ded4058ba369e00409c761b2c9a3126beb0f6fb3
  518. https://github.com/Kicksecure/apparmor-profile-torbrowser/commit/1ae495a91cd2121ebe8b98a798122a5dfa19ed92
  519. https://forums.whonix.org/t/whonix-apparmor-profiles-development-discussion/108
  520. https://forums.whonix.org/t/live-mode-etc-apparmor-d-tunables-home-d-live-mode-breaks-aa-enforce/5868
  521. https://github.com/Kicksecure/helper-scripts/commit/8aabfbbe96595b92d8cc7bf35fb3ca690d9a2313
  522. https://github.com/Kicksecure/helper-scripts/commit/3ddf9feba6ddebc7657712c6a604c9dfe500889e
  523. https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8
  524. https://github.com/Whonix/anon-apps-config/commit/8ec996766db99d98e69202a341805a54263b9209
  525. https://github.com/Kicksecure/anon-connection-wizard/commit/fba74756136ac85b68e64f63311d64107cf5383f
  526. https://github.com/Kicksecure/anon-connection-wizard/commit/380b4b3411aa9f8a1a31e8a2b2decedc52d431df
  527. https://github.com/Kicksecure/anon-connection-wizard/commit/cb20675cecb5c023dc47e3a8df680c98df544501
  528. https://github.com/Kicksecure/anon-connection-wizard/commit/47a9303bcb8c34517c90fb4439e03951a029281b
  529. See: censorship circumvention / Tor pluggable transports.
  530. https://github.com/Kicksecure/anon-connection-wizard/commit/3d1d5ad3f5ec5a9da997c248cdc78ad0c8669533
  531. See: Whonix Gateway CLI-15.0.1.5.4 - meek-azure bridge "TLS_ERROR".
  532. https://github.com/Kicksecure/anon-connection-wizard/commit/2b33df7e051a2d7426b6312ecc9a128f7e7ffa95
  533. https://github.com/Kicksecure/anon-connection-wizard/commit/56cdf3e3de1753f61827cf402116357b3292a80b
  534. https://forums.whonix.org/t/anon-connection-wizard-crash/11782
  535. https://github.com/Whonix/anon-gw-anonymizer-config/commit/57e1b3a3678b3026a2ab30b031f42f4ca7f4f173
  536. https://github.com/Whonix/anon-gw-anonymizer-config/commit/3242a0fc37b24847a6168cd7563af9ab582dbb4a
  537. See forum threads: censorship circumvention / Tor pluggable transports and Whonix Gateway CLI-15.0.1.5.4 - meek-azure bridge "TLS_ERROR".
  538. https://github.com/whonix/anon-meta-packages/commit/0ad99f40b5496bf4ddb38aa5aa8ec42e6d923075
  539. tumbler is a “Recommends:” of ristretto.
  540. Which image viewer to install by default?
  541. https://github.com/whonix/anon-meta-packages/commit/3e0d2bdceea7046e1120e289e0077d3127057ee5
  542. https://lists.torproject.org/pipermail/tor-dev/2020-May/014322.html
  543. OnionShare Whonix integration development discussion.
  544. https://github.com/whonix/anon-meta-packages/commit/d95f9ec9333591ad1edd100662c5a71b5cd66f9b
  545. https://github.com/whonix/anon-meta-packages/commit/7fa7f26037976fea5b48bb1852d7caa5809e3ee2
  546. https://forums.whonix.org/t/kicksecure-minimal-version/11613/4
  547. https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/73a4e81dee4a2cb5f0453d024d41f20a307802e8
  548. https://forums.whonix.org/t/i2p-inside-whonix-workstation-broken/8610/83
  549. i2p is not yet installed by default because of this reason.
  550. https://github.com/Kicksecure/open-link-confirmation/commit7c8fce21d7146a370adbd3073f25b4602901b813
  551. https://github.com/whonix/anon-meta-packages/commit/4e6db57c3fba6329dd1f23818523e43fa4e1e98d
  552. https://github.com/Kicksecure/tb-default-browser/commit/e2a05621ae54cad84dccc293ed43089fcc745b87
  553. https://github.com/Kicksecure/tb-starter/commit/b5d2280ad445bc1fbdb613424664bf8503e6f395
  554. https://forums.whonix.org/t/tor-browser-integration/11912
  555. https://github.com/Kicksecure/tirdad/commit/2fc3c726dd09dbf9cfe0ad51a327d02ce392a16b
  556. https://github.com/Whonix/anon-gw-anonymizer-config/commit/97baabc4b71abf6395ef0d1815cd63e74b7da050
  557. fix, don’t lock down network if IPv6 isn’t available and thereby no need to firewall, apparmor profile added in complain mode.
  558. https://github.com/Whonix/whonix-firewall/commit/24dd32c992a426c43d08e972fb8004614a314f75
  559. INTERNAL_OPEN_PORTS setting
  560. https://github.com/Whonix/whonix-firewall/commit/f8fce1133fbb1408b281dd9175b781f657fa3d5e
  561. https://github.com/Whonix/whonix-firewall/commit/b5e89fb8e13e8b64006aa65cd39baa2c50abe823
  562. https://github.com/Whonix/commit/5067d7eca6cfb36b71fe62ff7f3461f87bcdb3f6
  563. https://forums.whonix.org/t/apt-get-error-e-repository-tor-https-cdn-aws-deb-debian-org-debian-security-buster-updates-inrelease-changed-its-suite-value-from-testing-to-stable/7704
  564. https://forums.whonix.org/t/cannot-use-pkexec/8129
  565. This also creates a new encrypted swapfile with a random password on every boot.
  566. https://github.com/Whonix/swap-file-creator
  567. https://forums.whonix.org/t/swap-swap-file-whonix-gateway-freezing-during-apt-get-dist-upgrade-encrypted-swap-file-creator/8317
  568. https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160
  569. https://github.com/Whonix/commit/9fa062aafe9d3d8ad94aa6850225664f914174f0
  570. https://forums.whonix.org/t/keyboard-configuration-debconf-popup-during-apt-get-dist-upgrade/8318
  571. https://github.com/Kicksecure/legacy-dist/commit/4bb3f9a93cef7a2076a70b986aa2c34d28ae1acf
  572. https://github.com/Kicksecure/legacy-dist/commit/4202681132b1f0307cc95ceb3a1ca231fe6d9b3d
  573. https://forums.whonix.org/t/command-not-found-warningcould-not-open-file-etc-apt-sources-list/7903
  574. Whonix host operating system
  575. Kernel Hardening
  576. Reverts “Restrict the userfaultfd() syscall to root as it can make heap sprays easier.”
  577. https://duasynt.com/blog/linux-kernel-heap-spray
  578. cannot use pkexec
  579. disksd[572]: failed to load module crypto: libbd_crypto.so.2: cannot open shared object file: No such file or directory

  580. onioncircuits started from tor-control-panel by running it under user debian-tor rather than root.
  581. Fix Non-Qubes-Whonix Whonix-Gateway slow boot.
  582. Also: check for noexec, remount exec and work on Qubes DispVM exec / noexec.
  583. It is also not compatible with apt speedup, see: Speeding up "apt update" with Acquire::Languages=none and Contents-deb::DefaultEnabled=false - It's so much faster!
  584. For instructions on how to use command-not-found, see here.
  585. https://forums.whonix.org/t/update-torbrowser-does-not-see-version-10-0-6/10711
  586. https://forums.whonix.org/t/ro-mode-init-live-mode-indicator-not-working/6795/17
  587. https://forums.whonix.org/t/tox-qtox-whonix-integration/1219/18 no longer installed by default
  588. The key is now hardcoded in package source code.
  589. https://github.com/Whonix/anon-gw-anonymizer-config/commit/520f232dd68dafd9e66f0c78a37ebc3223d691c0
  590. https://phabricator.whonix.org/T537
  591. https://github.com/Kicksecure/kicksecure-meta-packages/commit/493155ea1b77c22b3e0e4749105503b42f03d2c7
  592. tumbler is a “Recommends:” of ristretto.
  593. Which image viewer to install by default?
  594. https://github.com/Kicksecure/kicksecure-meta-packages/commit/31c50ba43b8acd9477f375f1635b931eaaa599f4
  595. https://forums.whonix.org/t/kicksecure-minimal-version/11613/4
  596. https://github.com/Kicksecure/kicksecure-meta-packages/commit/25f3d81398d90653ea632604381b161a63cfadd0
  597. https://github.com/Kicksecure/kicksecure-meta-packages/commit/6fc4f399b9ae2dab67b062a640be2364d33acb7b
  598. https://forums.whonix.org/t/kicksecure-minimal-version/11613
  599. https://github.com/Kicksecure/repository-dist/commit/e1faf410205132c3fa19800febe44f5c8e169998
  600. https://forums.whonix.org/t/whonix-on-mac-m1-arm/11310
  601. Build CI builds on Travis CI
  602. Integration with APT and packaging is not yet complete. Help welcome!
  603. Help is welcome to finish this work.
  604. See: Error. Failed bilding Whonix gateway on physical host.
  605. In other words, packages can now be built without genmkfile.
  606. https://github.com/Kicksecure/repository-dist/commit/b369b4417083d9f270898d40531c6f04bd91d88b
  607. https://forums.whonix.org/t/suggest-trustworthy-tor-hidden-services-as-time-sources-for-sdwdate/856/176
  608. https://forums.whonix.org/t/sdwdate-time-sources-criteria/11035/4
  609. https://forums.whonix.org/t/suggest-trustworthy-tor-hidden-services-as-time-sources-for-sdwdate/856/191
  610. MAX_FAILURE_RATIO=0.7 was previously set, see: https://forums.whonix.org/t/suggest-trustworthy-tor-hidden-services-as-time-sources-for-sdwdate/856/191
  611. https://github.com/Kicksecure/sdwdate/commit/2173934e555975c61db81b54da259aacca87cfbd
  612. https://github.com/Kicksecure/sdwdate/commit/05bee21d01827644376713990c4246f4f29bdb52
  613. https://github.com/Kicksecure/sdwdate/commit/0d546e5f2f53805c1cd21fe936f0f352da98c6f9
  614. https://github.com/Kicksecure/sdwdate/commit/f20463362bc15f2f6bf70e6d1199620644f89855
  615. https://github.com/Kicksecure/sdwdate/commit/eff69c4bfe6dfe91e9558cd85d952236f40dbdfe
  616. https://github.com/Kicksecure/sdwdate/commit/d4c94e61d548a1e362741f6ee31ac3f0a7cd1b4b
  617. https://github.com/Kicksecure/sdwdate/commit/149835c753b937eee8854a50a35e0d61da37073c
  618. https://github.com/Kicksecure/sdwdate/commit/85fcd64b5e9c8c0a51682ef3d1083bf80c54901b
  619. https://github.com/Kicksecure/sdwdate/commit/154008697f6530c3609d8de2509e3a6436691fa5
  620. https://github.com/Kicksecure/sdwdate/commit/41e714f326d45773c90c9cba667967aa866c46aa
  621. https://github.com/Kicksecure/sdwdate/commit/fd5cadd6c79287fea165f62c9937a0be0cae2f85
  622. https://github.com/Kicksecure/sdwdate/commit/3759520aac6f13d5882f9450a54f49a5afa938cbarchive.org
  623. https://forums.whonix.org/t/apply-systemd-sandboxing-by-default-to-some-services/7590/58archive.org
  624. https://github.com/Kicksecure/sdwdate/commit/4d1aeac0fa2e119bc7e0277175acd86aa45503c6archive.org
  625. https://github.com/Kicksecure/developer-meta-files/commit/1a8f1c6916683f76c611895cb9f3349a66fa0e29archive.org
  626. See: Whonix moving from GitHub to GitLabarchive.org.
  627. The current developers-only version and next stable version of Whonix can be built completely from GitLab.
  628. https://forums.whonix.org/t/whonix-networking-implementation-developer-documentation-feedback-wanted/8274archive.org
  629. https://forums.whonix.org/t/whonix-experimental-for-how-long/5206/6archive.org
  630. Old: “Whonix is experimental software. Do not rely on it for strong anonymity.” New: “Whonix is a research project.”
  631. vanguards - Additional protections for Tor Onion Servicesarchive.org
  632. https://github.com/Kicksecure/anon-apt-sources-list/commit/478336061969596efe9b7ddc3b36c51afb51139aarchive.org
  633. https://github.com/Kicksecure/anon-apt-sources-list/commit/4832b9233b923624aa5df742e302576bdbd1882barchive.org
  634. https://github.com/Kicksecure/anon-apt-sources-list/commit/4832b9233b923624aa5df742e302576bdbd1882barchive.org
  635. https://github.com/Kicksecure/anon-apt-sources-list/commit/a7429c32d94c406e4f00478fa095989fb98e4546archive.org
  636. Since it is not used on https://onion.debian.orgarchive.org.
  637. https://github.com/Kicksecure/anon-apt-sources-list/commit/e3a261a3ab032f964c65c47a3187d6f4624f01f4archive.org
  638. https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/tor-browser/Bundle-Data/PTConfigs/bridge_prefs.jsarchive.org
  639. This is not usually required.
  640. Quote Tor manual: ‘Files starting with a dot are ignored.’
  641. Quote Tor manual: ‘Files on subfolders are ignored.’
  642. Added electrum-4.1.2-x86_64.AppImage. See: https://github.com/Kicksecure/binaries-freedom/commit/8ba7669ec2177434619d449b0190bd44ee0d2da0archive.org
  643. https://github.com/Kicksecure/binaries-freedom/commit/368a6667fb8c4d162cfeb20bcd5b91d6a02d29f8archive.org
  644. https://github.com/Kicksecure/binaries-freedom/commit/6e7ef0e7468f03a99fb32c0a5aefb4c7016ed404archive.org
  645. https://github.com/Kicksecure/binaries-freedom/commit/c5905a63a1934db3a7fe628dc2f69092e2f539f9archive.org
  646. https://github.com/Kicksecure/helper-scripts/commit/5b0c3c7e9526691ce1b0e27bf51ef6994596963farchive.org
  647. Due to apt-key deprecation by Debian; see apt-key Deprecation / Apt 2.2 changesarchive.org.
  648. https://github.com/Kicksecure/genmkfile/commit/c2c649bc91cddc4fa1884213cc0b6bed14d43f2farchive.org
  649. https://phabricator.whonix.org/T965archive.org
  650. Cannot access encrypted USB drive with Thunar in Whonix 15archive.org
  651. Whonix host operating systemarchive.org
  652. Whonix Xfce Developmentarchive.org
  653. Use sudoedit in Whonix ™ documentation and Whonix softwarearchive.org
  654. https://github.com/Kicksecure/helper-scripts/commit/ab21083cf0330f081172ca060b1fa996b6387442archive.org
  655. https://github.com/Kicksecure/helper-scripts/commit/fa66630cbb81e99cbfe34326bd14558cc26b8e97archive.org
  656. https://github.com/Kicksecure/helper-scripts/commit/1ac0cdca37dcaa073caebdccce58ff4c7f47f4aearchive.org
  657. This AppArmor bug is likely fixed in Debian bullseye.
  658. https://github.com/Kicksecure/helper-scripts/commit/9aa8fe97277d7bdbdf8530c796b512345b6bed8f
  659. https://gitlab.com/kicksecure/monero-gui/-/commit/7aee0082903927991367008810d38cfb3f4870f5
  660. Remove Whonix specificity (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands).
  661. https://github.com/Whonix/onion-grater/commit/9539d88c7e0b8336b74586d8c93821cad946fc90
  662. https://github.com/Whonix/onion-grater/commit/f72b60124841b29440eaa46d1233bb0c11e411f6
  663. https://github.com/Whonix/onion-grater/commit/97b8feb8dcc739eb4ffd67528fa12c6ff425384b
  664. https://github.com/Whonix/onion-grater/commit/465180909f97a2853eaa0192c024af0a979bb080
  665. Onion Services Authentication
  666. https://forums.whonix.org/t/full-system-apparmor-policy-testers-wanted/10381/83
  667. https://github.com/Kicksecure/sdwdate-gui/commit/b0aef886b6eda84e9d787868f10b0f105402863b
  668. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to slow Tor/onion speed it often times out. Improving that code is difficult, so sdwdate-gui is used instead as a solution that provides better visual feedback to users.
  669. https://github.com/Kicksecure/security-misc/commit/41734ec523eb3cd233fe4651b9807222c8ccb1d5
  670. Restrict Hardware Information to Root - Testers Wanted!
  671. https://github.com/Kicksecure/systemcheck/commit/577da7d2e5aa122b2ac0fd87ade605c9747f181d
  672. https://github.com/Kicksecure/systemcheck/pull/15
  673. https://forums.whonix.org/t/one-time-popup-notification-of-whonix-15-deprecation-once-whonix-16-was-released/11720/3
  674. https://github.com/Kicksecure/systemcheck/commit/41fd10a4929448e820533910a3bdd5026199afe4
  675. https://forums.whonix.org/t/one-time-popup-notification-of-whonix-15-deprecation-once-whonix-16-was-released/11720
  676. https://github.com/Kicksecure/systemcheck/commit/fa28f533b77b0232342dac81bd8b437cb01418ae
  677. https://github.com/Kicksecure/systemcheck/commit/2703fc9f692115c04d1525ad36c9ff22dde20b76
  678. This reports if the output of command dpkg --audit is non-empty, which would indicate in most cases a previously interrupted upgrade.
  679. https://github.com/Kicksecure/systemcheck/commit/7f006875d930004295a9d7eed1cfdb0522d27586
  680. https://github.com/Kicksecure/systemcheck/commit/a1be8de3360d0377073acc9298d68d79b70f5543
  681. https://github.com/Kicksecure/systemcheck/commit/6a928ddd1345decc552db1391742d46ca54fe482
  682. https://github.com/Kicksecure/tor-control-panel/commit/39c0d67c7b536cbf9dbf4cb7306161ce63d41ef6
  683. https://github.com/Kicksecure/tor-control-panel/commit/115b65e34785793b37a6f8f87f70195c5cbfeb99
  684. tor_0.4.2.6-1~d10.buster+1_amd64.deb from deb.torproject.org
  685. Tor 0.4.25 release how can we upgrade
  686. Onion Services DDOS Defense Tor 0.4.2.5
  687. https://github.com/Kicksecure/tb-updater/commit/6900f4d100a8b71572f055a61bec557fa633c5ce
  688. https://github.com/Kicksecure/tb-updater/commit/1bf4af07d859c89c66880d7376c1707841022b77
  689. https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  690. https://github.com/Kicksecure/tb-updater/commit/e0ad939dc0d8978198d0a85df6f2ff63947c0f6c
  691. https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  692. https://github.com/Kicksecure/tb-updater/commit/129ee59b2768b902b6ad6f8ff58fc738ab3b3c02
  693. https://github.com/Kicksecure/tb-updater/commit/285fa1a3569395a722486cb80a999e3d370efdcb
  694. https://forums.whonix.org/t/arm64-tor-browser/11806
  695. https://forums.whonix.org/t/arm64-tor-browser-maintainer/11786
  696. https://github.com/Kicksecure/tb-updater/commit/36bbe964ddd40f3d81bfeb005db056ecf5095c78
  697. https://forums.whonix.org/t/tor-browser-downloader-gpg-download-signature-could-not-be-verified/11794
  698. https://github.com/Kicksecure/tb-updater/commit/5c31abf6b689e1506624cecaaa90986080433c01
  699. https://github.com/Kicksecure/tb-updater/commit/ab0143d84c018563d553a124ca05adac9e79419a#r51740265
  700. https://github.com/Kicksecure/tb-updater/commit/8310c98af8791ab0985ba67cad6720cf8ecbac38
  701. https://github.com/Kicksecure/tb-updater/commit/e4f848d8fe084d528ddec94a7cbca12cae7c5bb2
  702. https://github.com/Kicksecure/tb-updater/commit/eb6ba9b1c48afc0a394b26e1c331564948a53bd1
  703. https://github.com/Kicksecure/systemcheck/pull/15
  704. Speeding up "apt update" with Acquire::Languages=none and Contents-deb::DefaultEnabled=false - It's so much faster!
  705. https://github.com/Kicksecure/usability-misc/commit/d5347a7a13f73a94e6cc2cc8764ec97324c1729d
  706. https://github.com/Whonix/uwt/commit/21aa111631f17e71b989636f62748d5f77d37c30
  707. Whonix Workstation XFCE-15.0.1.5.4 - sudo git - uwtwrapper uwt wrapper ERROR: /usr/bin/git.anondist-orig does not exist.
  708. https://github.com/Whonix/uwt/commit/7e6b623ffaf2d7359774904d1344387c7f746432
  709. Whonix Workstation XFCE-15.0.1.5.4 - sudo git - uwtwrapper uwt wrapper ERROR: /usr/bin/git.anondist-orig does not exist.
  710. https://forums.whonix.org/t/serial-console-in-virtualbox/8021
  711. This helps for recovery efforts and simplifies setting up the kernel boot parameters inside the VM.
  712. https://forums.whonix.org/t/send-sysrq-commands-to-virtualbox-usability-helper-virtualbox-send-sysrq/8369
  713. See also: Serial Console.
  714. https://github.com/Kicksecure/libvirt-dist/commit/f88e3b3876e5ed11b998fd7502ccaade4a57789f
  715. torrc.d cleaner
  716. https://forums.whonix.org/t/whonix-build-script-now-optionally-supports-installing-packages-from-whonix-remote-repository-rather-than-building-packages-locally/8107
  717. https://forums.whonix.org/t/disable-or-change-sudo-lecture-at-frist-run-we-trust-you-have-received-the-usual-lecture-from-the-local-system-administrator-it-usually-boils-down-to-these-three-things/8323
  718. https://github.com/Kicksecure/dist-base-files/commit/a929f1c438a9ac2a7cc01926e30b8d210debe442
  719. https://github.com/Kicksecure/dist-base-files/blob/master/usr/share/derivative-base-files/sudo-default-password-lecture
  720. Merge upstream changes.
  721. Improved Debian host support.
  722. Usability, output enhancements.
  723. Added compatibility with restrict hardware information to root for Live Mode Indicator Systray.
  724. Fixed Live Mode Indicator Systray to detect ro-mode-init.
  725. Packaging enhancements, no longer depend on genmkfile, fix, use same version number as upstream (2.0).
  726. dsudo - add sudo askpass wrapper for automated testing.
  727. This means as long as the password is set to changeme, it is possible to use dsudo and not be asked to enter the default password.
  728. Packaging enhancements, no longer depend on genmkfile, can be built using standard Debian packaging tools, apparmor enhancements.
  729. Refactoring /usr/lib/qubes-whonix/init/network-proxy-setup.
  730. This replaces grub-output-verbose.
  731. This is a sane default that works with default /etc/hosts without generating warnings about a wrong hostname when using sudo. /etc/hostname is not managed by any configuration package and can be changed.
  732. This might be re-introduced later as an opt-in package, see: Use DNSCrypt by default in Kicksecure? (not Whonix!)
  733. See: enable Debian stable-updates repository by default.
  734. This avoids a grave usability issue whereby users cannot choose ISO in VirtualBox first start wizard (which asks for which ISO to boot).
  735. https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337
  736. https://github.com/Kicksecure/usability-misc/commit/d8a390c2c546e560c9b31c483b9ab4bcc1f0b067
  737. https://github.com/Kicksecure/helper-scripts/commit/5ffcd6d28454195889c8dd208a35a5d405524430
  738. Due to apt-key deprecation by Debian. Only GPG binary format is understood by Debian’s APT; see: apt-key Deprecation / Apt 2.2 changes.
  739. https://github.com/Kicksecure/security-misc/compare/a99dfd067ac8a43bdcd779cf57b3533bdaa404fb...163e20b886f298cb9d3aca54c14f66991001b396
  740. By default, Debian utilizes User Private Groups (UPG). Also see: /usr/share/pam-configs/usergroups-security-misc
  741. For example, this affects those running “chmod o-rwx /home/user” during package installation or an upgrade.
  742. This is only performed once for each folder in the parent /home folder, so users who wish to relax file permissions can do so. This action protects files in the user's home folder which were previously created with lax file permissions prior to the installation of this package.
  743. See: unlock instructions. This means it is possible to have short, easy-to-remember, "weak" passwords for the user user account, while still preventing compromised non-root users from bruteforcing it.
  744. This makes it harder to load a malicious module.
  745. See: /etc/modprobe.d/uncommon-network-protocols.conf
  746. Forum discussion.
  747. See: debian/security-misc.postinst
  748. Disable SUID Binaries
  749. https://github.com/Whonix/anon-apps-config/compare/a6a6c2ed3c58ef5b023866a8aed4ae1996d93420...9cbfad0aa30ce2014b65d997007baa3bf26005ca#diff-44b21d78d2546f10b7f1ba806e28e1f1
  750. It is disabled by default for now during testing and can optionally be enabled by running systemctl enable permission-hardening.service as root.
  751. This is interesting when using security-misc or Kicksecure.
  752. This is interesting when using security-misc on the host or using Kicksecure ™ as the host operating system.
  753. Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability
  754. RDRAND reception
  755. https://twitter.com/pid_eins/status/1149649806056280069
  756. Run “sudo touch /etc/remount-disable”. To opt-in noexec, run “sudo touch /etc/noexec” and reboot (easiest). Alternatively file /usr/local/etc/remount-disable or file /usr/local/etc/noexec could be used.
  757. (re-)mount home (and other?) with noexec (and nosuid among other useful mount options) for better security?
  758. More work needed. Help welcome!
  759. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
  760. https://mjg59.dreamwidth.org/54433.html
  761. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
  762. Such as CVE-2017-2636.
  763. https://lkml.org/lkml/2019/4/15/890
  764. Sets dev.tty.ldisc_autoload=0
  765. https://github.com/Kicksecure/hardened-kernel/commit/1fdfc87335534e627a29b6cc8d140c5634ce9dd5
  766. This reverts the following commit.
  767. See: KVM Command Line Interface (CLI)
  768. https://forums.whonix.org/t/whonix-moving-from-github-to-gitlab/9676
  769. https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/commit/0153003e7f3d1f7e2788e0ba697290a04f5017d3
  770. http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/onion
  771. This does not yet apply to Qubes-Whonix.
  772. Qubes issue.
  773. This is a purposeful security feature and there are no user freedom restrictions; read more here.
  774. See: gpg --recv-keys fails / no longer use keyservers for anything.
  775. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation-and-whonix-software/7599
  776. Running any editor as root is insecure. sudoedit copies the file to a temporary location, edits it as a normal user and then overwrites the original using sudo.
  777. https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/2
  778. CVE-2020-8516 Hidden Service deanonymization
  779. enable vanguards by default
  780. install by default
  781. Also available in Qubes OS Debian templates and Qubes-Whonix with use of an in-VM kernel.
  782. LKRG will likely be installed by default in Whonix and Kicksecure ™ in one of the next stable releases.
  783. This is quick and easy. For example: “dpkg-buildpackage -b”
  784. Since LKRG now supports module parameters and VirtualBox host support, it can be automatically started after installation since it would no longer kill VirtualBox VMs running on a host.
  785. https://github.com/Kicksecure/sandbox-app-launcher/commit/24ca2da82bc90add9cc1fe38ccb826714c4127fd
  786. https://github.com/Kicksecure/sandbox-app-launcher/commit/f939fe8b579063478576e8fab02e3468a09dd03c
  787. System-wide sandboxing framework - sandbox-app-launcher.
  788. https://github.com/Kicksecure/sandbox-app-launcher/commit/133558cc97d3ee0523f555a53dfb2c9a1cd5daa8
  789. https://github.com/Kicksecure/sandbox-app-launcher/commit/a9a760071be1266157e989178e898d685a0de01a
  790. https://github.com/Kicksecure/sandbox-app-launcher/commit/83b68c672277269207e9bb0a0ca6b2e5a3517a33
  791. https://github.com/Kicksecure/sandbox-app-launcher/commit/cc319021ad289c78ffcde4889809f4757dac3840
  792. This is not an issue worth notifying users about.
  793. https://github.com/Kicksecure/sandbox-app-launcher/commit/1f181df1709b63e113397c94ea29b425d01d1b7f
  794. System-wide sandboxing framework - sandbox-app-launcher.
  795. https://github.com/Kicksecure/sandbox-app-launcher/commit/f176e5e5a2b3e0f621424472e9991544d8cd5172
  796. https://github.com/Kicksecure/sandbox-app-launcher/commit/392aabdb4f6c293f076ecc2c08e69db3f7441a92
  797. https://github.com/Kicksecure/sandbox-app-launcher/commit/2e5de688bfa7d280882f7f86ff502934b9b0cf6f
  798. https://github.com/Kicksecure/sandbox-app-launcher/commit/984d90dd15992e482c35bba701cc6fff770ab467
  799. https://github.com/Kicksecure/sandbox-app-launcher/commit/b818157203ff1ecba84e07e9565457db7153528a
  800. https://github.com/Kicksecure/sandbox-app-launcher/commit/e763f9122041800f15d5c4903701c3d7f7bf05b6
  801. https://github.com/Kicksecure/sandbox-app-launcher/commit/203f411b9201b7a3b8a78de5854bdbb73d32f7c2
  802. https://github.com/Kicksecure/sandbox-app-launcher/commit/29c44641b00aebb12450a7a153c8ba9059dfaf99
  803. https://github.com/Kicksecure/sandbox-app-launcher/commit/088e4a0170f817e99851db0a886cab9f2982fd92
  804. https://github.com/Kicksecure/sandbox-app-launcher/commit/c4fd64dcf572db1ba6dd10ae06da9bfd0c181e75
  805. https://github.com/Kicksecure/sandbox-app-launcher/commit/41a88bad2885b01e95c89c633bd5311636e58a6e
  806. https://github.com/Kicksecure/sandbox-app-launcher/commit/820aa9a2864281e2a2c842c101389edfa88f6940
  807. https://github.com/Kicksecure/sandbox-app-launcher/commit/12657eec166f8732fbc8fb45c4e50fcfc2a2b055
  808. https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008/359
  809. https://github.com/Kicksecure/sandbox-app-launcher/commit/fd0469807144edfe69fe0dbe9579a3b94235453a
  810. A minimum unixtime timestamp is utilized so that if sdwdate onion services later provide false time information due to a bug or attack, the clock is never set to a much earlier date (like 1980) or an earlier date than the release date.
  811. https://forums.whonix.org/t/restrict-root-access/7658/1
  812. https://github.com/Kicksecure/security-misc/commit/74e39cbf690dae2bf72bd9f152ea91c364f5feff
  813. https://github.com/Kicksecure/security-misc/commit/97d8db3f74b9fc00c8f4416cb72966e62c7de88e
  814. https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
  815. https://github.com/Kicksecure/security-misc/commit/6e759f9196412b1742db1e4c68a70867e1ad8629
  816. This does not necessarily belong in security-misc. However, it is likely security-misc will need to modify /etc/dkms/framework.conf in the future to enable kernel module signing.
  817. https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
  818. https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
  819. https://github.com/Kicksecure/security-misc/commit/e2afd00627b097f75467cd0e2fe7e15977141026
  820. From https://github.com/dell/dkms/blob/master/dkms_framework.conf and https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
  821. https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
  822. https://github.com/Kicksecure/security-misc/commit/3ba3b371873d221db6845fb0fe52191b8b349b0a
  823. TCP ISN CPU Information Leaks can be used to de-anonymize Tor onion services. tirdad fixes that.
  824. An analysis of TCP secure SN generation in Linux and its privacy issues
  825. Tirdad kernel module for random ISN generation
  826. Tor Project bug report: Add research idea for Linux TCP Initial Sequence Numbers may aid correlation
  827. Research paper: Hot or not: revealing hidden services by their clock skew
  828. Whonix ticket
  829. See CVE-2001-0797, using pam_access.
  830. See torbirdy deprecated - replacement required.
  831. This was ported from Tails to anon-apps-config by Whonix developer HulaHoop. Sincere appreciation is expressed to Tails for the torbirdy replacement!
  832. https://github.com/Whonix/onion-grater/commit/1fd8701dd6197b3325b83ad03bfd9ecedbcbdee6
  833. https://github.com/Kicksecure/helper-scripts/commit/7ad34f8c7594d0ddcce4be12a660e2d0463649b9
  834. https://github.com/Kicksecure/helper-scripts/commit/0ae844a0b26e8d03b41eccc9d37ec0124bce7587
  835. https://github.com/Kicksecure/helper-scripts/commit/a536530ad078e29381ff9ced69ec26b3b840c88b
  836. https://github.com/Whonix/derivative-maker/commit/9e6f38ed35132cd908bfa7f9408f1d74b389b2a9
  837. See forum thread: Whonix VirtualBox - failed to start - NS_ERROR_FAILURE (0x80004005) - The VM session was aborted. and the wiki: Failed to open a session for the virtual machine.
  838. https://github.com/Whonix/derivative-maker/commit/9e6f38ed35132cd908bfa7f9408f1d74b389b2a9
  839. It is speculated this setting might lead to the issue High I/O causing filesystem corruption; unfortunately it is unavoidable and there is presently no other solution due to this VirtualBox host software bug. If it manifests, refer to the wiki link for possible workarounds.
  840. In earlier release updates, VirtualBox was upgraded to version 6.1.2; see Get VirtualBox from Debian sid and recompile for Debian buster
  841. Related: VirtualBox Guest Additions ISO Freedom vs Non-Freedom
  842. Quote VirtualBox manual:

    VMSVGA: Use this graphics controller to emulate a VMware SVGA graphics device. This is the default graphics controller for Linux guests.

  843. This has better desktop resolution in CLI (virtual terminal) mode. When it was previously disabled, this led to a black screen on 15.0.0.6.6 and 15.0.0.7.1.
  844. https://www.virtualbox.org/ticket/19500
  845. https://forums.whonix.org/t/enable-debian-stable-updates-repository-by-default/9382
  846. https://forums.whonix.org/t/consolidating-whonix-packages/1945
  847. https://forums.whonix.org/t/whonix-default-packages-review-mmdebstrap-varriant-related-risk-of-regressions/9254
  848. https://forums.whonix.org/t/onion-forum-site-redirects-to-clearnet/197/13
  849. https://forums.whonix.org/t/wiki-miss-offer-secure-connection-while-the-connection-over-onion/10349/7
  850. Mediawiki thinks the connection is insecure since it does not have internal concepts of onion traffic. I am now sending http request X-Forwarded-Proto: https for onion to let mediawiki know that it’s a secure connection.

  851. https://forums.whonix.org/t/expect-ct-security-header-for-whonix-org/10286/3
  852. https://forums.whonix.org/t/url-with-no-onion-mirror/10341
  853. https://forums.whonix.org/t/no-clean-hsts-preload-dnssec/10255
  854. https://forums.whonix.org/t/dane-tlsa-dns-based-authentication-of-named-entities-for-whonix-org/10218/2
  855. https://forums.whonix.org/t/whonix-software-signature-verification-documentation-discussion-virtualbox-vs-kvm-gpg-signify-codecrypt/10043/22
  856. https://forums.whonix.org/t/discourse-reply-by-e-mail-broken-2/9970/3
  857. https://forums.whonix.org/t/uploaded-images-doesnt-show-up-after-creating-topic/5623
  858. This website is not yet public; a significant effort is required to rewrite the wiki for Kicksecure.