Whonix Old Stable and Earlier Releases

About this Whonix Old Stable and Earlier Releases Page
Support Status stable
Difficulty easy
Maintainer torjunkie

Whonix ™ 13 Changelog

Whonix ™ 13 was released on May 31, 2016. [1] Whonix ™ 13 contains many small security and usability improvements, features and bug fixes. [2] [3]

Descriptions of changes in Whonix ™ 12 and earlier versions can be found on sourceforge.net.

All Platforms

AppArmor

  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [4]
  • Resolved AppArmor conflicts affecting Pidgin, Chromium and Evince. [5]
  • Merged AppArmor profiles for sdwdate, timesync and whonix-check into their corresponding packages and now install them by default. [6]

Bug Fixes

  • Fixed broken whonix-setup-wizard functionality. [7]

Code

  • Updated Whonix ™ code for Tor Browser tb-updater. [8]
  • Refactored the Whonix ™ socks redirection firewall rules to reduce their size and use less script code. [9] [10]
  • Refactored Whonix ™ code so that scripts only use configuration files that end with the .conf extension. [11]

Improved Functionality and Usability

  • Modified whonixcheck to test for slow or fast system clocks which prevent Tor from properly connecting. [12]
  • Implemented an explicit check for timekeeping watchdog kernel messages in whonixcheck, so users are warned about clock jumps which prevent / time-out Tor connections. [13]
  • Enforced maximized terminal windows for xdg desktop users. [14] [15]
  • Enabled Transparent Proxy Ports for Whonix-Gateway ™ by default (except for Whonix ™-Firewall). [16] [17]
  • Configured Whonix ™ to use /etc/skel instead of writing to the home folder directly to maintain forward compatibility with Qubes. Further, this allows for proper error-handling where "user" is hardcoded in Whonix ™, and a newly created account with a different name has been used. [18]
  • Deprecated the timesync progress bar and replaced it with a tray icon using sdwdate-gui to improve usability and reduce confusion. [19]
  • Created a stable-proposed-updates repository for users who want to help in testing Whonix ™ fixes, without resorting to the testers repository which comes with many more changes. [20]
  • Moved the WhonixBackupScript to the usability-misc package to make it more accessible. [21]
  • Replaced XChat with HexChat, since the former is no longer actively maintained, and created a new AppArmor profile to contain it. [22]
  • Implemented a VPN_FIREWALL feature as part of whonix-ws-firewall. [23]

Security Enhancements

  • Created a security-misc package that turns off Nautilus and Dolphin file previews by default, since this poses security risks. [24]
  • A known, good version of Tor is now maintained and uploaded to the Whonix ™ repository from deb.torproject.org. [25]
  • Uploaded the Tor 0.3.2.9 major (stable) release to the Whonix ™ repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser. [26]
  • Extended the lifetime of the Whonix ™ signing key. [27]
  • Sourced new onion services webservers for the sdwdate feature, which ensures the system's clock is correctly set for security, privacy and anonymity purposes. [28]

Qubes-Whonix ™

Bug Fixes

  • Fixed qubes-whonix-firewall systemd service start. [29] [30]
  • Implemented whonixcheck fixes for Qubes R4. [31]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [32] [33]
  • Disabled qubes-SetDateTime / qubes.SyncNtpClock in Qubes-Whonix ™ VMs since it interfered with timesync. [34]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [35]
  • Resolved an occasional error message whereby Whonix ™ templates incorrectly reported they were not connected to the Whonix-Gateway ™ ProxyVM. [36]
  • Resolved the broken anon-ws-disable-stackedtor function in Qubes-Whonix ™. [37]
  • Enforced the opening of all links from sys-whonix, whonix-gw and whonix-ws in the anon-whonix AppVM to prevent error messages. [38]

Builds

  • Corrected the build failure of Whonix-Workstation ™ template in Qubes-Whonix ™ R3.2 and added the qubes-template-whonix to continuous integration service TravisCI. [39]
  • Resolved Whonix ™ template build failures in Qubes R4 related to Tor Browser downloads. [40]
  • Changed the Qubes-Whonix ™ build process to install Whonix ™ from the Whonix ™ binary APT repository. This simplifies code, results in faster builds, removes build dependencies inside the template, and reduces the overall template size. [41]
  • Allowed the Whonix ™ build script to run as root and reworked user_name. [42]

Code

  • Removed fetching of Whonix ™ source code in qubes-template-whonix. [43]
  • Removed the qubes-update-check system service from Qubes-Whonix ™ TemplateVMs, since it was unnecessary. [44] [45]
  • Reworked / removed a number of installed packages in Qubes-Whonix ™ which are only required for the Non-Qubes-Whonix ™ desktop. [46] [47]
  • Removed the default username and password in the Qubes-Whonix ™ terminal, because it is not required. [48]

Improved Functionality and Usability

  • Ported whonixcheck and tb-updater to Qubes' qrexec-based updates proxy, since TemplateVMs are non-networked by default in Qubes R4. [49]
  • Changed the tb-updater configuration to use Qubes updates proxy, since Qubes R4 sets the NetVM of TemplateVMs to none by default. [50]
  • Implemented the ability to install Whonix-Workstation ™ and Whonix-Gateway ™ from dom0 with a sudo apt-get install whonix-(workstation|gateway) feature. [51]
  • Ported the bind-directories functionality upstream to Qubes. [52]
  • Implemented the new bind-directories functionality in Qubes-Whonix ™. [53]
  • Implemented a check for whether the whonix-gw ProxyVM (sys-whonix) has a NetVM which is set to "none", with a warning shown if this is the case. [54]
  • Implemented a new feature so that following an update of the Whonix-Workstation ™ TemplateVM, newly created AppVMs based on the updated TemplateVM come with an up-to-date version of Tor Browser. [55]
  • Modified whonixcheck to check if: Whonix-Gateway ™ is running in a NetVM or ProxyVM; Whonix-Workstation ™ is running in an AppVM; and to skip the test if a TemplateVM is detected. [56]

Security Enhancements

  • Prevented /usr/lib/qubes/qubes-setup-dnat-to-ns from running in Qubes-Whonix ™ to stop it from modifying firewall rules. [57]

Whonix ™ 14 Changelog

Whonix ™ 14 was released on August 6, 2018. Significantly, Whonix ™ 14 is based on the Debian stretch (Debian 9) distribution which was released in mid-2017, instead of Debian jessie (Debian 8). [58] Users now have access to numerous updated and new software packages, a more modern branch of GnuPG, and more. [59] [60] [61]

All Platforms

AppArmor

  • Fixed the whonixcheck AppArmor profile to remove continuous denied messages relating to signal. [62]
  • Fixed the AppArmor profile for obfs4proxy to enable correct functioning of Tor Bridges in Whonix-Gateway ™. [63]
  • Fixed the Tor Browser AppArmor profile to allow correct functionality. [64]
  • Corrected the tor-controlport-filter AppArmor profile to ensure correct functioning. [65]
  • Removed the Pidgin AppArmor profile, since Pidgin is recommended against for security reasons. [66]
  • Hardened the Control Port Filter AppArmor profile. [67]
  • Disabled installation of apparmor-notify (AppArmor notifications) by default, thereby removing the reporting of mostly harmless denied messages. [68] [69]

Bug Fixes

  • Corrected the broken whonix-setup-wizard autostart on Whonix-Gateway ™. [70]
  • Fixed sdwdate-gui freezing when using right-click in the menu. [71]
  • Fixed dependency issues which prevented the whonix-setup-wizard gui from starting. [72]
  • Implemented the correct Tor --verify command for Whonix-Gateway ™ torrc configuration checks to prevent the reporting of false positives. [73]
  • Modified the uwt wrapper script to correctly handle symbolic links. [74]
  • Changed the Whonix-Gateway ™ firewall prerouting rules for socks ports so they do not interfere with trans port traffic. [75]
  • Modified whonixcheck to first test if network interfaces are up to prevent the test from failing unnecessarily. [76]
  • Fixed a whonixcheck whonix-firewall check race condition. [77]

Builds

  • Resolved genmkfile build dependencies for building Whonix-Workstation ™ and Whonix-Gateway ™. [78]
  • Confirmed the new and upgraded Whonix ™ 14 builds are identical. [79] [80]
  • Fixed debian/control parsing with respect to make_deb_build_dependencies / make_deb_runtime_dependencies. [81]

Code

  • Updated Whonix ™ code for Tor Browser tb-updater. [82]
  • Changed the bindp compile to postinstall to make it cross-platform (Qubes, 64-bit, 32-bit). [83]
  • Rewrote sclockadj in C and updated the sdwdate package to compile sclockadj. [84] [85]
  • Implemented symlinks for onion-grater profiles to maintain functionality following profile upgrades. [86]
  • Enhanced onion checking in sdwdate to improve the unit test. [87]
  • Ported msgcollector to python3 and python3-pyqt5. [88]
  • Ported whonix-setup-wizard to python3. [89]
  • Ported python-guimessages to python3. [90]
  • Rewrote sdwdate to ensure python exceptions are written to the journal. [91]
  • Rewrote control-port-filter-python to ensure exceptions are written to the journal. [92]
  • Re-added some non-essential packages to Whonix ™ that were removed from Debian stretch. [93] [94]
  • Ported helper-scripts so they instead use Tor authentication cookies. [95]
  • Ported whonixcheck check_tor_socks_port_reachability.bsh to use the Tor unix domain socket socks file. [96]
  • Ported anon-ws-disable-stacked-tor to systemd socket activation to remove unnecessary, idle socat listeners. [97] [98]
  • Removed auditd configuration folder parsing /etc/audit/rules.d/ by default, since the feature has been implemented upstream.
  • Implemented anonymous counting of Whonix ™ users via the whonixcheck Whonix ™ News function. [99] [100]
  • Implemented, but did not activate changes to the Whonix ™ firewall so: sdwdate is stopped before suspend; timesync-fail-closed mode is set before suspend; sdwdate is restarted after resume; and Whonix ™ firewall enters full mode after resume following successful sdwdate activation. [101]
  • Configured auditd to process the configuration folder /etc/audit/rules.d/ by default to aid debugging. [102] [103]
  • Implemented monitoring of changes to /var/lib/tor/lock access rights via auditd to aid debugging. [104]
  • Modified anon-ws-disable-stacked-tor to maintain Tor Browser functionality with Unix domain socket files redirection and prevent Tor over Tor scenarios. [105]
  • Configured whonixcheck to test for failed daemons. [106]
  • Implemented a sdwdate sd_notify systemd watchdog. [107]
  • Disabled systemd-resolved and instead implemented a /lib/systemd/system/systemd-resolved.service.d/ drop-in. [108]
  • Ported /usr/sbin/service to systemctl as the latter runs non-interactively. [109]
  • Disabled timedatectl network time synchronization in Debian stretch to prevent conflicts with sdwdate. [110]
  • Removed brltty, brltty-speechd and brltty-x11 since they create a local listener port which may conflict with onion-grater. [111]
  • Modified anon-ws-disable-stacked-tor systemd-unit-files-generator so it is configurable. [112]
  • Rewrote sclockadj3 in C and determined how to prevent spamming of sclockadj3 time changes to logs. [113] [114] [115] [116]

Improved Functionality and Usability

  • Implemented the major new Anon Connection Wizard feature to simplify connections to the Tor network via a Tor bridge and/or a proxy. [117]
  • Integrated the Tor Pluggable Transport meek_lite. [118]
  • Integrated anon-connection-wizard into whonix-setup-wizard, so that the latter can now start the former. [119]
  • Removed the Control Port Filter Proxy script from anon-ws-disable-stacked-tor since it is no longer required for proper Tor connections or Tor Browser functions (its functionality is now replaced by onion-grater). This means Ricochet, Zeronet and OnionShare are now compatible with Whonix ™. [120] [121] [122]
  • Installed necessary dependencies for proper ZeroNet functionality. [123]
  • Installed onioncircuits by default in Whonix-Gateway ™. [124]
  • Added --list-interface to tor-controlport-filter, as it works better with dynamic IP addresses. [125]
  • Added a /etc/tor-controlport-filter.d configuration extension feature. [126]
  • Fixed the control-port-filter-python configuration to rewrite HS_DESC replies by Tor, so OnionShare is supported. [127]
  • Merged the tor-controlport-filter by Tails for various enhancements. [128]
  • Implemented more user-friendly error messages (instead of tb-starter error handlers) when non-Whonix ™ related Tor Browser issues cause start-tor-browser to fail and exit zero. [129]
  • Implemented sane built-in defaults for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater, rads, open-link-confirmation, tb-starter and tb-updater, even if configuration files do not exist. [130]
  • Changed uwt to set AllowOutboundLocalhost / AllowInbound which can help make servers utilizing Tor onion services work. [131]
  • Implemented a sd_notify watchdog feature for onion-grater so the service is restarted if it appears to be running, but has become unresponsive. [132]
  • Created a bindp Whonix ™ package to enable Whonix-Workstation ™ applications that use Tor ephemeral onion services to bind on all interfaces as necessary. [133]
  • Modified sdwdate to check if the clock is changed "behind the back" of the program and suggest a manual user fix. [134]
  • Improved default torsocks information / warning messages when wrapped commands are invoked to reduce user confusion. [135]
  • Both Non-Qubes-Whonix ™ and Qubes-Whonix ™ are now compatible with the Tor Project's sandboxed Tor Browser. [136]

Security Enhancements

  • Confirmed functionality of the kloak anti-keystroke deanonymization tool in Whonix ™. [137] [138]
  • Identified more reliable onion servers as appropriate time sources for sdwdate, which enables correct network time synchronization for anonymity-focused distributions. [139]
  • Implemented Tails' Control Port Filter Proxy in Whonix ™ and merged recent changes since it was forked. [140] [141]
  • Fixed security and hardening (stack canary) issues with the bindp libindp.so package (which were merged upstream). [142]
  • Uploaded Tor version 0.3.3.9 (stable) release to the Whonix ™ repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser. [143]
  • Onion sources are now preferred for Whonix ™ updates/upgrades for greater security. Note: this change has been reverted due to the unreliable nature of onion connections at present - see footnote. [144]
  • Disabled the apt-timer in Debian stretch to prevent auto updates, thereby preventing the attendant security risks associated with background updates without user input. [145]
  • Disabled nautilus previews by default due to the security risks. [146]
  • Implemented uwt to set TORSOCKS_ISOLATE_PID in Debian Stretch so all uwt wrapped applications are stream isolated. [147]
  • Implemented tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false" for better security and stream isolation. [148]
  • Disabled the systemd DNS resolver feature in order to reduce the attack surface and to remove the potential for adverse anonymity impacts. [149]
  • Established a dedicated Whonix.org repository, with appropriate redirects from Whonix ™ mirrors. [150]
  • Removed the DHCP client from Whonix-Gateway ™ and switched to a static network configuration so the dhclient is no longer present on all interfaces, including the internal network. [151]
  • Disabled VLC metadata collection by default. [152]
  • Disabled "Obey DRM limitations" in Okular, [153] since Digital Rights Management (DRM) can be used as a tracking vector. [154] [155]

Non-Qubes-Whonix

Desktop shortcuts are no longer available in Non-Qubes-Whonix ™. [156]

Bug Fixes

  • Increased the Whonix-Gateway ™ VRAM in VirtualBox from 8 to 16 MB to avoid error messages and possible video problems when using full screen mode. [157]
  • Corrected sdwdate-gui systray so it properly registers in kde systray and does not appear as a gap in the Entry column. [158]
  • Corrected the sdwdate-gui tray icon so it is visible in Debian stretch. [159]
  • Corrected the virtualization detection method to properly recognize KVM. [160]

Builds

  • Reduced the size of the default, binary Whonix ™ images by approximately 50 per cent using zerofree. [161] [162] [163] [164]

Code

  • Removed kmix-disable-autostart since it is no longer required to make sure the clipboard history icon is loaded into the system tray. [165]

Improved Functionality and Usability

  • Created the grub-live package which can run Whonix ™ as a live system. [166] [167]
  • Added Kscreen to Whonix ™ by default in order to allow DPI scaling and other basic desktop features of Plasma 5. [168]
  • Removed the VirtualBox shared folder and confirmed automounting of shares is enabled in Debian stretch. [169]

Security Enhancements

  • Moved okular from anon-shared-applications-kde to anon-workstation-default-applications so it is not installed on Whonix-Gateway ™. [170]
  • Hid the CPUID in VirtualBox 5 by setting generic values via HostCPUID. [171]

Qubes-Whonix ™

Bug Fixes

  • Implemented whonixcheck fixes for Qubes R4. [172]
  • Corrected false positive failure messages for the updates proxy test in Qubes R4. [173] [174]
  • Resolved non-functionality of Tor Browser due to jemalloc corruption. [175]
  • Resolved segfaults in Tor Browser caused by excessive string length in the XDG_CONFIG_DIRS environment variable. [176]
  • Resolved accumulation of old Tor Browser instances in /var/cache/tb-binary/.tb/ which caused users to run into full disk error messages. [177]
  • Corrected dependencies in the qubes-whonix package to resolve issues when upgrading to Debian stretch. [178]
  • Fixed a corridor lintian warning on Debian related to systemd documentation. [179]
  • Resolved error messages associated with tput using an empty TERM environment variable. [180]
  • Resolved the failure of tb-updater to copy Tor Browser into the user's home directory on first VM startup in Qubes R4. [181] [182] [183]
  • Implemented the correct appmenus for Qubes-Whonix ™ 14 TemplateVMs and fixed missing appmenu entries. [184] [185]
  • Resolved the false positive timedatectl error message when using whonixcheck. [186]
  • Corrected the absent 'Connected to Tor.' message, which arose due to a missing notification daemon. [187]
  • Resolved non-persistence of files in /usr/local, such as the Tor configuration file. [188] [189]
  • Implemented a qvm-features-request whonix-ws=1, so that newly created Whonix-Workstation ™ AppVMs inherit the anon-vm tag. [190] [191] [192]
  • Created qubes-core-admin-addon-whonix to enforce the anon-vm tag for newly created Whonix-Workstation ™ AppVMs. [193]
  • Removed redundant warning messages affecting Whonix-Workstation ™ DisposableVMs that related to the first invocation of an open-link-confirmation. [194]
  • Fixed an apt-get package issue whereby some users were downgraded to a known vulnerable version. [195] [196]
  • Corrected an aptitude update failure which affected all Qubes-Whonix ™ VMs. [197]
  • Installed Tor Browser by default in Whonix-Workstation ™-DisposableVMs, as it was previously missing upon VM launch. [198]
  • Fixed the periodic failure of Whonix-Workstation ™ AppVMs to start correctly, which prevented the launch of any user applications. [199]
  • Fixed an error which caused /etc in Qubes-Whonix ™ templates to be owned by user:user. [200]

Builds

  • Corrected the build failure of the Whonix-Workstation ™ template in Qubes-Whonix ™ R3.2 and added qubes-template-whonix to the continuous integration service TravisCI. [201]
  • Removed older unstable Whonix ™ 14 builds from Qubes' unstable repository. [202]
  • Resolved unexpected build failures. [203]
  • Removed Whonix ™ 14 templates from Qubes' unstable repository, since testing versions now reside in qubes-templates-community-testing. [204]
  • Backported versioning of Whonix ™ template names from Qubes R4 to Qubes R3.2 to simplify the installation procedure for users on the earlier platform. [205]

Code

  • Removed cups and system-config-printer from Whonix-Workstation ™, since printing capabilities are better suited to alternate VMs and this also removes a local TCP listener that is otherwise created. [206]
  • Corrected anon-meta-packages compatibility for Qubes R3.2 and R4. [207]
  • Installed pulseaudio-qubes for audio support and removed pulseaudio and VLC from sys-whonix. [208]
  • Created a qvm-features-request whonix-gw=1 as a prerequisite for sdwdate-gui-qubes. [209]

Improved Functionality and Usability

  • Confirmed full Qubes-Whonix ™ compatibility with Qubes R4. [210]
  • Confirmed Qubes-Whonix-Workstation has full DispVM support. [211]
  • Created a tb-updater storage path for Qubes R4 so new AppVMs and DisposableVMs have a copy of the latest Tor Browser version. [212] [213]
  • Created Qubes-Whonix ™ 14 SaltStack state files with flexible versioning for future releases. [214] [215]
  • Modified Qubes-Whonix ™ Salt code so the repository is not hard-coded, allowing users to choose either the qubes-templates-community or qubes-templates-community-testing repository. [216]

Licensing

  • Added a COPYING file to the Qubes-Whonix ™ template repository to assure users they are covered by a free software license. [217] [218]

Security Enhancements

  • Added Qubes-Whonix ™ tags on domain-load rather than upon VM creation to avoid missing tags for users that upgrade. [219]

Whonix ™ 14 Updates

As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.

Documentation

Website Fixes and Outreach

  • Website fixes: implemented the proposed download directory structure as well as download redirects, stable download links and permalinks. [243]
  • Implemented numerous mediawiki fixes for better website presentation. [244]
  • Opened a Peertube video channel. [245] [246]
  • Updated Release Announcements to collate all places where this should be posted. [247]
  • Posted Whonix release announcements in cryptocurrency Reddit forums. [248]
  • Researched social media strategies to increase Whonix ™ awareness. [249]
  • Established mirroring of all Whonix ™ announcements. [250]
  • Bookmarked the outreach workboard. [251] [252]
  • Signed the Whonix ™ developer team up to various developer mailing lists. [253]

All Platforms

AppArmor

  • Corrected the dnscrypt-proxy AppArmor profile for full functionality. [254]
  • Removed unnecessary and extensive capabilities from the Tor Browser AppArmor profile. [255] [256] [257]
  • Amended the Tor Browser AppArmor profiles so 8.* versions correctly launch. [258] [259]
  • Added capability sys_module to whonixcheck because it is required for ifconfig. [260] [261]
  • Added a wildcard for non-Tor or modified Tor Browser Bundles. [262] [263]
  • Deprecated /etc/apparmor.d/home.tor-browser.start-tor-browser due to broken functionality. [264]
  • Added various permissions to the XChat AppArmor profile for greater functionality. [265]

Bug Fixes

  • Implemented an automated /var/lib/tor permission fix. [266] [267]
  • Installed the missing pinentry-qt package so Enigmail decryption is functional. [268] [269]
  • Fixed the Whonix custom firewall settings start menu entry in Whonix XFCE. [270]
  • Fixed the false-positive "Tor Browser not installed" message in tb-starter. [271]
  • Onion-grater: fix Tor control auth cookie authentication even if HashedControlPassword is set. [272]
  • Fixed output when using open-link-confirmation. [273]
  • Changed etc/.skel to etc/skel/Downloads in all code. [274] [275]

Builds

  • Released new Whonix 14 builds to address the APT security update bug. [276] [277]

Code

  • whonixcheck: grep journal for "fail", "error" and "denied". [278]
  • Re-implemented Tor Browser local version number detection. [279]
  • Decided against virtualizer configurations which attempt to hide the CPU model. [280] [281] [282]
  • Moved kcalc, okular, gwenview, kgpg, libkf5kipi31.0.0 and libkf5kipi-data from hardened-desktop-applications-kde to non-qubes-whonix-workstation-kde and qubes-whonix-workstation. [283]
  • Simplified code by using apt-key rather than custom code when adding a gpg key. [284]
  • Fixed the mime type in whonix-repository. [285]
  • Refactored the whonixcheck code and included an option to show "sudo apt-get-update-plus dist-upgrade" if it is available. [286] [287]
  • Ported the IP check in whonixcheck to https://check.torproject.org/api/ip [288]
  • sdwdate-gui: permission lockdown, fixed merge conflicts, avoidance of 'clock is fast' false positives and other miscellaneous fixes. [289] [290] [291] [292]
  • anon-ws-disable-stacked-tor: set 'restart' rather than 'start' to support running scripts. [293]
  • Added a mechanism to add variables to Debian packaging maintenance scripts. [294] [295]
  • Thunderbird is no longer installed by default in Whonix ™. [296] [297]
  • Beautified the Whonix landing page for Tor Browser v8.0+. [298] [299]
  • Implemented use of /usr/lib/helper-scripts/terminal-wrapper rather than hardcoding Konsole. [300] [301] [302] [303]
  • Deprecated anon-workstation-extra-applications, anon-workstation-langpack-common and anon-shared-desktop-langpack-kde. [304] [305]

Improved Functionality and Usability

  • Changed (Qubes-)Whonix default applications from KDE to XFCE. [306] [307] [308]
  • Installed magic-wormhole by default as an OnionShare alternative. [309] [310] [311]
  • Set mousepad as the default editor for sudoedit. [312] [313]
  • Added support for XFCE, thunar and gksudo in Whonix-Gateway. [314]
  • Allowed multiple flashproxy ports in the Whonix firewall. [315] [316] [317] [318]
  • Disabled Whonix ™ onion apt sources by default due to unreliability. [319] [320] [321]
  • Added a new branch for compression/decompression tools. [322] [323] [324]
  • Implemented support for the new Snowflake pluggable transport in Anon-Connection-Wizard. [325]
  • Implemented the Tor Controller GUI in Whonix ™ with various fixes. [326]

Security Enhancements

  • Removed mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 due to the fingerprinting risk. [327] [328]
  • Configured whonixcheck to run in Whonix-Workstation on the first boot. [329] [330]
  • Added a spectre/meltdown test to whonixcheck. [331] [332]
  • Enforced connections to deb.debian.org instead of us.debian.org, switched to https (SSL/TLS) by default, and fixed build --connection onion. [333] [334]
  • Implemented optional tb-updater onion mirrors download support. [335] [336]
  • Corrected systemd hardening for onion-grater. [337]
  • Added systemd sandboxing for sdwdate. [338]
  • Enforced tor+http in apt sources lists to make use of apt-transport-tor. [339] [340] [341] [342]
  • Disabled uncommon network protocols for improved security. [343] [344] [345]
  • Added a Bitcoin Core onion-grater profile. [346] [347] [348] [349]

Non-Qubes-Whonix

Bug Fixes

  • Disabled KDE session restoration to prevent VirtualBox error notifications upon boot in either Whonix-Gateway or Whonix-Workstation. [350] [351] [352]
  • Configured the KDE desktop session login to start with an empty session and resolved the kdesudo error popup window related to sdwdate-gui. [353]
  • Fixed the Whonix-Gateway XFCE / CLI keyboard layout error. [354]
  • Fixed a lintian error for sdwdate-gui / missing xml files for specific desktop environments. [355] [356] [357]

Code

  • Closed all KDE-related requests and bug fixes following the shift to XFCE. [358] This includes:
    • Change default application to not use kmail. [359]
    • Change KDE theme and KDE mouse theme. [360]
    • Disable the Baloo file indexer. [361]
    • Add /media to desktop icons. [362]
    • Add /media to pinned places in Dolphin. [363]
    • Disable/remove KDE system and network settings. [364]
    • Disable web shortcuts. [365]
    • settings-plasma search/configure search configurations from Whonix-Gateway. [366]
    • Non-Qubes-Whonix KDE plasma 5 fixes. [367]
  • Implemented numerous XFCE fixes: Whonix builds, desktop shortcuts, xfce4-terminal, related meta-packages and general fixes. [368] [369] [370] [371] [372]
  • Created a configuration file for Whonix XFCE Desktop. [373]
  • Updated the check for installed meta packages for Whonix XFCE and Whonix CLI. [374]
  • Removed pulseaudio from hardened-desktop-applications-xfce. [375]
  • Removed Ristretto from hardened-desktop-applications-xfce. [376] [377]
  • Deprecated non-qubes-vm-enhancements-gui. [378] [379]
  • Merged whonix-shared-packages-recommended-cli into whonix-shared-packages-dependencies-cli. [380]
  • Ported to and took ownership of /etc/xdg/xfce4/xfconf/xfce-perchannel-xml. [381] [382] [383]
  • Modified whonix-firewall to remove the old IP 192.168.0.10 reference in non-qubes-whonix-gateway. [384]
  • Minimized VirtualBox Whonix-Gateway CLI differences with non-qubes-whonix-workstation cli. [385] [386]

Improved Functionality and Usability

  • Implemented Whonix for arm64 / Raspberry Pi (RPi). [387]
  • Implemented a unified Whonix download rather than separate Whonix-Gateway / Whonix-Workstation downloads. [388] [389] [390]
  • Re-enabled hidden files and volume management. [391]
  • Whonix Setup Wizard: added instructions on how to change keyboard layout in XFCE. [392]
  • Added mupdf and Ristretto to non-qubes-whonix-workstation-xfce. [393]
  • Show the pulseaudio plugin by default. [394]
  • Increased Whonix-Workstation VRAM in Non-Qubes-Whonix to 2GB to improve performance. [395] [396]

Security Enhancements

  • Disabled maximizing of the Tor Browser window when moving to the top of the screen. [397] [398]
  • Disabled previews / thumbnails in Thunar for better security. [399]

Qubes-Whonix ™

Bug Fixes

  • Corrected Tor Browser in whonix-ws-14 based VMs sometimes blocking JavaScript on first start. [400] [401] [402]
  • Qubes templates: removed the broken graphical updater (Apper). [403] [404]
  • Resolved the command failure when running qubesctl state.sls qvm.anon-whonix. [405] [406]
  • Added missing Whonix tags anon-vm / anon-gateway to user-created, Whonix-based VMs. [407] [408]
  • Fixed failure of Whonix-Gateway to respond after an update. [409] [410]
  • Corrected an update error caused by an expired release file. [411]
  • Corrected a false whonixcheck notification about outdated packages after performing an in-place upgrade. [412]

Builds

  • Amended builder.conf so template build commands are not ignored. [413]
  • Deprecated Whonix 13. [414]

Code

  • Set $tag:anon-vm $anyvm deny in template-whonix-ws.sls. [415]
  • Removed the default installation of emacs and vim. [416]
  • Modified the Spectre / Meltdown check so it only runs in Qubes R4 and above. [417]

Security Enhancements

  • Confirmed Qubes-Whonix TemplateVMs cannot upgrade in timesync-fail-closed mode. [418]
  • Confirmed the efficacy of jitterentropy random number generation in Xen. [419]

Footnotes

  1. https://www.whonix.org/blog/whonix-13-released
  2. https://phabricator.whonix.org/maniphest/query/TfpGK0Sq8w1j/#R
  3. A handful of issues were fixed in both Whonix ™ 13 and Whonix ™ 14 and backported to both versions.
  4. https://phabricator.whonix.org/T672
  5. https://phabricator.whonix.org/T314
  6. https://phabricator.whonix.org/T201
  7. https://phabricator.whonix.org/T499
  8. https://phabricator.whonix.org/T666
  9. https://phabricator.whonix.org/T465
  10. The same firewall rules are still applied.
  11. https://phabricator.whonix.org/T286
  12. https://phabricator.whonix.org/T482
  13. https://phabricator.whonix.org/T480
  14. https://phabricator.whonix.org/T451
  15. For instance, tor-arm, restart Tor and other terminal programs.
  16. https://phabricator.whonix.org/T435
  17. This does not enable transparent proxying by default, but is required in Qubes so tinyproxy traffic can be redirected to 127.0.0.1 instead of to qubes-netvm-gateway.
  18. https://phabricator.whonix.org/T419
  19. https://phabricator.whonix.org/T300
  20. https://phabricator.whonix.org/T200
  21. https://phabricator.whonix.org/T159
  22. https://phabricator.whonix.org/T40
  23. https://phabricator.whonix.org/T158
  24. https://phabricator.whonix.org/T418
  25. https://phabricator.whonix.org/T472
  26. https://phabricator.whonix.org/T764
  27. https://phabricator.whonix.org/T497
  28. https://phabricator.whonix.org/T266
  29. https://phabricator.whonix.org/T528
  30. This fixes various bugs relating to Tor starting / failing multiple times and qubes-whonix-torified-updates-proxy sometimes failing.
  31. https://phabricator.whonix.org/T724
  32. https://phabricator.whonix.org/T723
  33. Qubes R4 RC1.
  34. https://phabricator.whonix.org/T384
  35. https://phabricator.whonix.org/T671
  36. https://phabricator.whonix.org/T496
  37. https://phabricator.whonix.org/T454
  38. https://phabricator.whonix.org/T452
  39. https://phabricator.whonix.org/T527
  40. https://phabricator.whonix.org/T710
  41. https://phabricator.whonix.org/T498
  42. https://phabricator.whonix.org/T416
  43. https://phabricator.whonix.org/T507
  44. https://phabricator.whonix.org/T433
  45. The qubes-update-check.service already has improved upgrade notifications.
  46. https://phabricator.whonix.org/T429
  47. For instance, plasma-widget-folderview, kde-kdm-autologin, split the anon-shared-desktop-kde package and so on.
  48. https://phabricator.whonix.org/T428
  49. https://phabricator.whonix.org/T491
  50. https://phabricator.whonix.org/T477
  51. https://phabricator.whonix.org/T461
  52. https://phabricator.whonix.org/T414
  53. https://phabricator.whonix.org/T501
  54. https://phabricator.whonix.org/T421
  55. https://phabricator.whonix.org/T417
  56. https://phabricator.whonix.org/T406
  57. https://phabricator.whonix.org/T502
  58. https://www.debian.org/releases/stretch/
  59. https://www.debian.org/News/2017/20170617
  60. https://www.debian.org/releases/stable/amd64/release-notes/
  61. https://www.debian.org/releases/stable/i386/release-notes/
  62. https://forums.whonix.org/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811
  63. https://phabricator.whonix.org/T676
  64. https://phabricator.whonix.org/T672
  65. https://phabricator.whonix.org/T587
  66. https://phabricator.whonix.org/T568
  67. https://phabricator.whonix.org/T532
  68. https://phabricator.whonix.org/T557
  69. The Whonix ™ documentation recommends that advanced users install apparmor-notify to investigate relevant warnings.
  70. https://phabricator.whonix.org/T640
  71. https://phabricator.whonix.org/T626
  72. https://phabricator.whonix.org/T592
  73. https://phabricator.whonix.org/T787
  74. https://phabricator.whonix.org/T797
  75. https://phabricator.whonix.org/T462
  76. https://phabricator.whonix.org/T490
  77. https://phabricator.whonix.org/T675
  78. https://phabricator.whonix.org/T700
  79. https://phabricator.whonix.org/T760
  80. https://phabricator.whonix.org/T761
  81. https://phabricator.whonix.org/T643
  82. https://phabricator.whonix.org/T666
  83. https://phabricator.whonix.org/T688
  84. https://phabricator.whonix.org/T686
  85. https://phabricator.whonix.org/T650
  86. https://phabricator.whonix.org/T768
  87. https://phabricator.whonix.org/T648
  88. https://phabricator.whonix.org/T632
  89. https://phabricator.whonix.org/T628
  90. https://phabricator.whonix.org/T627
  91. https://phabricator.whonix.org/T608
  92. https://phabricator.whonix.org/T603
  93. https://phabricator.whonix.org/T601
  94. gtk3-engines-oxygen.
  95. https://phabricator.whonix.org/T578
  96. https://phabricator.whonix.org/T548
  97. https://phabricator.whonix.org/T623
  98. This also reduces the RAM load caused by too many socat instances.
  99. https://phabricator.whonix.org/T689
  100. This measure takes place over Tor using a v3 onion. It does not include collection of IP addresses or unique identifiers of any kind, and can be easily disabled.
  101. https://phabricator.whonix.org/T551
  102. https://phabricator.whonix.org/T535
  103. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833474
  104. https://phabricator.whonix.org/T537
  105. https://phabricator.whonix.org/T192
  106. https://phabricator.whonix.org/T488
  107. https://phabricator.whonix.org/T639
  108. https://phabricator.whonix.org/T762
  109. https://phabricator.whonix.org/T637
  110. https://phabricator.whonix.org/T589
  111. https://phabricator.whonix.org/T563
  112. https://phabricator.whonix.org/T796
  113. https://phabricator.whonix.org/T691
  114. https://github.com/systemd/systemd/issues/5207
  115. https://phabricator.whonix.org/T686
  116. https://phabricator.whonix.org/T50
  117. https://phabricator.whonix.org/T699
  118. https://forums.whonix.org/t/censorship-circumvention-tor-pluggable-transports/2601
  119. https://phabricator.whonix.org/T716
  120. OnionShare is not installed by default in Whonix ™ 14 because it is not in the stretch repository, however it may be manually installed using the available wiki instructions.
  121. https://phabricator.whonix.org/T657
  122. onion-grater:

    Filters out Tor control protocol commands that are dangerous for anonymity such as GETINFO ADDRESS using a whitelist. Acts as a proxy between the client application and Tor.

    For example it allows using Tor Browser's New Identity feature on Anonymity Distribution Workstations, fixes Tor Browser's about:tor default homepage and Tor Button status indicator without exposing commands that are dangerous for anonymity.

  123. https://phabricator.whonix.org/T701
  124. https://forums.whonix.org/t/onioncircuits-viewing-the-status-and-circuits-of-tor/2539
  125. https://phabricator.whonix.org/T579
  126. https://phabricator.whonix.org/T576
  127. https://phabricator.whonix.org/T574
  128. https://phabricator.whonix.org/T573
  129. https://phabricator.whonix.org/T510
  130. https://phabricator.whonix.org/T503
  131. https://phabricator.whonix.org/T357
  132. https://phabricator.whonix.org/T274
  133. https://phabricator.whonix.org/T561
  134. https://phabricator.whonix.org/T481
  135. https://phabricator.whonix.org/T73
  136. This is no longer recommended, since The Tor Project has ceased development and stopped building and distributing sandboxed-tor-browser binaries.
  137. https://phabricator.whonix.org/T583
  138. By default, kloak is packaged in Whonix ™ 15 for the Non-Qubes-Whonix platform. Unfortunately Qubes-Whonix is unsupported (dysfunctional) due to the following Qubes issues:
  139. https://phabricator.whonix.org/T647
  140. https://phabricator.whonix.org/T617
  141. https://phabricator.whonix.org/T612
  142. https://phabricator.whonix.org/T599
  143. https://phabricator.whonix.org/T764
  144. Previously both clearnet and onion sources were in use and priority was given to the latter, with v3 onion connections being preferred (clearnet provided a fallback). Onions will not be set by default until OnionBalance is available for v3 onions, and the repositories can be reached reliably.
  145. https://phabricator.whonix.org/T590
  146. https://phabricator.whonix.org/T500
  147. https://phabricator.whonix.org/T356
  148. https://phabricator.whonix.org/T610
  149. https://phabricator.whonix.org/T471
  150. https://phabricator.whonix.org/T475
  151. https://phabricator.whonix.org/T559
  152. https://phabricator.whonix.org/T736
  153. The default Whonix ™ PDF reader.
  154. https://www.locklizard.com/track-pdf-monitoring/
  155. https://phabricator.whonix.org/T776
  156. Until it is determined how to enable kde-folderview in Debian stretch.
  157. https://phabricator.whonix.org/T680
  158. https://phabricator.whonix.org/T638
  159. https://phabricator.whonix.org/T598
  160. https://github.com/Whonix/shared-folder-help/commit/2130d872d4e346bc490e70fca79e572d1d1f86df
  161. https://phabricator.whonix.org/T790
  162. http://forums.whonix.org/t/reducing-size-of-ova-images
  163. VirtualBox .ova and libvirt qcow2 raw images.
  164. The Whonix-Gateway ™ is reduced from 1.7 GB to 850 MB, while the Whonix-Workstation ™ is reduced from 2 GB to 1.1 GB.
  165. https://phabricator.whonix.org/T722
  166. https://phabricator.whonix.org/T714
  167. grub-live is not installed by default in Whonix ™ 14 and is an optional package only.
  168. https://phabricator.whonix.org/T703
  169. https://phabricator.whonix.org/T702
  170. https://github.com/Whonix/anon-meta-packages/commit/a22b1807c79cb1d21447c83ed251c331cf6222f1
  171. https://phabricator.whonix.org/T408
  172. https://phabricator.whonix.org/T724
  173. https://phabricator.whonix.org/T723
  174. Qubes R4 RC1.
  175. https://phabricator.whonix.org/T651
  176. https://phabricator.whonix.org/T767
  177. https://phabricator.whonix.org/T671
  178. https://phabricator.whonix.org/T620
  179. https://phabricator.whonix.org/T607
  180. https://phabricator.whonix.org/T505
  181. https://phabricator.whonix.org/T781
  182. https://github.com/Whonix/tb-updater/issues/2
  183. https://phabricator.whonix.org/T789
  184. https://github.com/QubesOS/qubes-issues/issues/4033
  185. https://github.com/QubesOS/qubes-issues/issues/4093
  186. https://github.com/QubesOS/qubes-issues/issues/3469
  187. https://github.com/QubesOS/qubes-issues/issues/4098
  188. A persistent configuration now applies upon reboot.
  189. https://github.com/QubesOS/qubes-issues/issues/4095
  190. https://github.com/QubesOS/qubes-issues/issues/3595
  191. https://phabricator.whonix.org/T791
  192. The anon-vm tag enforces selected settings from TemplateVMs to TemplateBasedVMs which are necessary for anonymity.
  193. https://phabricator.whonix.org/T792
  194. https://github.com/QubesOS/qubes-issues/issues/4113
  195. https://github.com/QubesOS/qubes-issues/issues/4055
  196. The bug caused a version downgrade to apt-get 1.0.9.8.4.
  197. https://github.com/QubesOS/qubes-issues/issues/3882
  198. https://github.com/QubesOS/qubes-issues/issues/3740
  199. https://github.com/QubesOS/qubes-issues/issues/2334
  200. https://github.com/QubesOS/qubes-issues/issues/1156
  201. https://phabricator.whonix.org/T527
  202. https://github.com/QubesOS/qubes-issues/issues/3766
  203. https://github.com/QubesOS/qubes-issues/issues/4063
  204. https://github.com/QubesOS/qubes-issues/issues/4086
  205. https://github.com/QubesOS/qubes-issues/issues/4130
  206. https://phabricator.whonix.org/T619
  207. https://phabricator.whonix.org/T697
  208. https://phabricator.whonix.org/T641
  209. https://github.com/QubesOS/qubes-issues/issues/4080
  210. https://phabricator.whonix.org/T698
  211. https://phabricator.whonix.org/T463
  212. https://phabricator.whonix.org/T726
  213. https://forums.whonix.org/t/qubes-dispvm-technical-discussion/3232/58
  214. https://github.com/QubesOS/qubes-issues/issues/3765
  215. https://phabricator.whonix.org/T788
  216. https://github.com/QubesOS/qubes-issues/issues/4087
  217. https://phabricator.whonix.org/T810
  218. Whonix ™ is licensed under GPLv3. The repository in question can be found here.
  219. https://github.com/QubesOS/qubes-issues/issues/4094
  220. https://phabricator.whonix.org/T521
  221. https://forums.whonix.org/t/splitting-whonix-documentation-into-a-short-and-long-edition-for-better-usability
  222. https://phabricator.whonix.org/T811
  223. For example this simplifies processes when installing additional software safely.
  224. https://www.whonix.org/wiki/Multiple_Whonix-Workstations#Multiple_Qubes-Whonix_TemplateVMs
  225. https://phabricator.whonix.org/T580
  226. https://forums.whonix.org/t/document-recovery-procedure-after-compromise
  227. https://phabricator.whonix.org/T544
  228. This template simplifies instructions for Onion Services.
  229. https://phabricator.whonix.org/T567
  230. https://www.whonix.org/wiki/Multiple_Whonix-Workstation
  231. https://phabricator.whonix.org/T523
  232. Apache has a large attack surface and some features erode privacy and leak information about a server's configuration.
  233. https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver
  234. https://forums.whonix.org/t/website-fingerprinting-defenses-at-the-application-layer?
  235. https://phabricator.whonix.org/T545
  236. The template reminds Qubes users that newly installed packages must be installed in the TemplateVM to be persistent.
  237. The wrapper was integrated into tb-updater and tb-starter.
  238. https://forums.whonix.org/t/todo-research-and-document-how-to-use-tor-browser-for-security-not-anonymity-how-to-use-tbb-using-clearnet/3822
  239. https://phabricator.whonix.org/T877
  240. https://phabricator.whonix.org/T597
  241. https://www.whonix.org/wiki/ZeroNet
  242. Including:
  243. This greatly assists with documentation efforts, since documentation does not break and need updating based on a new point release being available.
  244. https://phabricator.whonix.org/T809
  245. https://phabricator.whonix.org/T870
  246. Whonix ™ already has a Youtube channel, but Peertube provides a further avenue for information on new/fresh projects.
  247. https://phabricator.whonix.org/T847
  248. https://phabricator.whonix.org/T846
  249. https://phabricator.whonix.org/T836
  250. https://phabricator.whonix.org/T830
  251. https://phabricator.whonix.org/T839
  252. https://phabricator.whonix.org/project/board/144/
  253. https://phabricator.whonix.org/T840
  254. https://forums.whonix.org/t/i-need-help-to-get-my-apparmor-profile-of-dnscrypt-proxy-to-run/7457
  255. https://forums.whonix.org/t/why-does-the-tor-browser-apparmor-profile-have-sys-admin-sys-chroot-and-ptrace-capabilties/7409
  256. https://github.com/Whonix/apparmor-profile-torbrowser/pull/6
  257. The Tor Browser AppArmor profile has capability sys_admin, capability sys_chroot, and ptrace. This looks pretty insecure.

    ptrace will allow the Tor Browser to modify and inspect other running processes.

    sys_admin will allow the Tor Browser to do a whole load of things that it probably shouldn’t be able to.

    sys_chroot will allow the Tor Browser to chroot which can make an attacker able to put a setuid program inside a chroot jail with a fake /etc/passwd and /etc/shadow which can fool it into giving it root access.

  258. https://forums.whonix.org/t/tor-browser-8-wont-launch/5863
  259. https://github.com/Whonix/apparmor-profile-torbrowser/commit/5b1550cc51d73652d63af1fd010d9beb34e2069e
  260. https://forums.whonix.org/t/whonix-apparmor-profiles-development-discussion/108/682
  261. https://github.com/Whonix/whonixcheck/commit/5873f4c3bb1665a6fb92224968805f561aca87e3
  262. https://github.com/Whonix/apparmor-profile-torbrowser/pull/3
  263. This allows the same apparmor profile to be used for i2p browser (~/.i2pb/i2p-browser) or for a hypothetical ZeroNet browser (~/.zerob/zeronet-browser/) and so on.
  264. https://github.com/Whonix/apparmor-profile-torbrowser/commit/21c36545df427bd8943a92279af78e53ea627056
  265. https://github.com/Whonix/apparmor-profile-xchat/pull/2
  266. https://phabricator.whonix.org/T855
  267. whonixcheck runs as user whonixcheck, so a wrapper might be needed which is called using sudo (with a sudoers.d exception for this test).
  268. https://phabricator.whonix.org/T820
  269. https://forums.whonix.org/t/missing-pinentry-package-whonix-14/5630
  270. https://github.com/Whonix/whonix-firewall/commit/8d9767a72fdbaac863f8e372a10dfa6f2779ce6f
  271. https://github.com/Whonix/tb-starter/commit/7f3ac3b6d7beb659333f39b0506cd32fb07dc1bb
  272. https://github.com/Whonix/onion-grater/commit/70e735dae1c15920c356b07fc6aaf4b9589b465a
  273. https://github.com/Whonix/open-link-confirmation/commit/30810e6fa96b80a749505ea60e9dfb0d915edf14
  274. https://github.com/Whonix/usability-misc/commit/63c1ba7cae2914bd3bcfe5d7d2e5edf495a79c02
  275. https://forums.whonix.org/t/bug-not-all-files-form-etc-skel-are-copied-to-home-user/6778
  276. See: apt security update - DSA 4371-1
  277. https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715
  278. https://phabricator.whonix.org/T854
  279. https://phabricator.whonix.org/T400
  280. Such as --cpuid-portability-level or --cpuidremoveall in VirtualBox, since the attempts have proven futile or even posed security risks.
  281. https://phabricator.whonix.org/T408
  282. https://phabricator.whonix.org/T881
  283. https://github.com/Whonix/anon-meta-packages/commit/04851c3ef4a5fa4e4e25917860392273b80a3ebb
  284. https://github.com/Whonix/whonix-repository/commit/24f6479ec1c7015aa50aa2caf1a6d66aec28f429
  285. https://github.com/Whonix/whonix-repository/commit/e6de603931735647aa69ab97202a8eb01589a42b
  286. https://github.com/Whonix/whonixcheck/commit/2dcc1257f728639772f66f055134ea6ed960012c
  287. https://github.com/Whonix/whonixcheck/commit/7f9d648909e790a8d188dda5f83622367fd432c3
  288. https://github.com/Whonix/whonixcheck/commit/5111b2765e7e2d0b8d24cdfb5e7c6996da7a1e25
  289. https://github.com/Whonix/sdwdate-gui/commit/964fcb62d1961b52f4b126cc427d429cf2475ef4
  290. https://github.com/troubadoour/sdwdate-gui/commit/0b7d851476ac5c9d352de537f0ddfea8f1095b34
  291. https://github.com/Whonix/sdwdate-gui/commit/63b9a0b1c7f979362ec114aebed5d62d2138f63f
  292. https://github.com/Whonix/helper-scripts/commit/a87cd4fa6cadc541262a90f810a585fa4c4bdc0b
  293. https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/1f7bf8ff3af2548cb735ab9450c7395d9d4065cf
  294. So arbitrary packaging scripts can be avoided.
  295. https://github.com/Whonix/anon-base-files/commit/fe5433f52678597c4e26ca06ecfab4c3619e45de
  296. https://forums.whonix.org/t/thunderbird-no-longer-installed-by-default/6505
  297. Due to breakage that has been experienced; see here for details.
  298. https://github.com/Whonix/whonix-welcome-page/pull/5
  299. The landing page was otherwise stuck in the left corner and not centered.
  300. This is useful if trying to avoid unnecessary package installation; for example just installing sdwdate on Debian.
  301. https://github.com/Whonix/sdwdate-gui/commit/f9a269b352eeb2965a352c91e0a033576c01f0e1
  302. https://github.com/Whonix/helper-scripts/commit/bb3fab3b3de448ede51417f2b2b2e4760d9a467b
  303. https://forums.whonix.org/t/calling-1-package-from-whonix-repo-will-pull-all-the-packages/6182/7
  304. https://forums.whonix.org/t/whonix-langpacks-useful/5692
  305. https://github.com/Whonix/anon-meta-packages/commit/64db5cf89152d0114aaa331f8321fec061bea2c1
  306. https://phabricator.whonix.org/T888
  307. Poll: https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235
  308. https://groups.google.com/forum/#!topic/qubes-devel/pkvvm1WNznY
  309. https://phabricator.whonix.org/T771
  310. https://forums.whonix.org/t/onionshare-alternatives/4877/11
  311. This is because OnionShare is not in Debian stable. magic-wormhole is a great alternative to easily share data between two endpoints, although it requires a uwt wrapper to support stream isolation.
  312. https://github.com/Whonix/usability-misc/pull/7
  313. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation/7599
  314. https://github.com/Whonix/anon-gw-anonymizer-config/commit/252416d91a2158da3b07f1791416ecc8c261f18c
  315. One example implementation is to use iptables to force all traffic through those ports. This requires two flashproxy ports -- one for TCP traffic and one for DNS.
  316. https://github.com/Whonix/whonix-firewall/commit/5ffcbb5ad30b04a6c5ea57734a8907cdc08c9b9f
  317. https://github.com/Whonix/whonix-firewall/commit/6882aa9a449e0b6317f96f35d54ddcfcf56df858
  318. https://github.com/Whonix/whonix-firewall/commit/5cf35f4ffe9d2f7ff2d2f8200dd0f2ad82ea5f14
  319. https://forums.whonix.org/t/disable-onions-by-default-due-to-unreliability/6650
  320. https://github.com/Whonix/whonix-repository/commit/f04391c5ad438732c5a9ae886b926530e277e9cd
  321. https://github.com/Whonix/anon-apt-sources-list/commit/8846e18a3bae24ed64fb5e9351f2ef614eaf1566
  322. This includes small, efficient GUI decompression tools like xarchiver, unxz, unrar and p7zip.
  323. https://forums.whonix.org/t/archive-decompression-tools/6533
  324. https://github.com/Whonix/anon-meta-packages/pull/19
  325. https://github.com/Whonix/anon-connection-wizard/pull/22
  326. https://forums.whonix.org/t/tor-controller-gui-tor-control-panel-testers-wanted/5444
  327. https://phabricator.whonix.org/T878
  328. Otherwise this redirects and discloses the traffic to onion addresses.
  329. https://phabricator.whonix.org/T821
  330. whonixcheck will now always run and check for updates on first boot of Whonix-Workstation since numerous updates will likely be available, including kernel updates.
  331. https://github.com/Whonix/whonixcheck/commit/4d65231b87b1dbc7827cd47c86f1f4d5476bcda2
  332. https://github.com/Whonix/Whonix/commit/47d9bdde4f9985aa8b29d64c2bd81f17addf18b6
  333. https://phabricator.whonix.org/T721
  334. https://lists.debian.org/debian-security/2017/10/msg00006.html
  335. https://phabricator.whonix.org/T678
  336. The optional --onion parameter can also be set through an environment variable export tb_onion=true or in the /etc/torbrowser.d/50_user.conf config with the same syntax.
  337. https://github.com/madaidan/onion-grater/commit/f0312d95bc721580088a10c4230ab10ff97f30f9
  338. https://github.com/Whonix/sdwdate/pull/21
  339. apt-transport-tor (tor+http) is the default from Whonix ™ 14 onward because it provides better error handling and stream isolation.
  340. https://github.com/Whonix/whonix-repository/commit/8beb14f2782a2730c07a2b233f44b5ea5df021c2
  341. https://github.com/Whonix/anon-shared-build-apt-sources-tpo/commit/32d6efed5344aaac9de5c3dac04ba1a3d6236905
  342. https://github.com/Whonix/anon-apt-sources-list/commit/d74b8e8abd7832200d57aee8736e8f31084db964
  343. Disables DCCP, SCTP, RDS and TIPC in case they have unknown vulnerabilities; serious problems were discovered in the past.
  344. https://github.com/Whonix/security-misc/pull/7
  345. https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391
  346. https://forums.whonix.org/t/bitcoin-core-onion-grater-profile/6216
  347. To allow the creation of a mainnet or testnet hidden service and discarding of the private key to keep services ephemeral.
  348. https://github.com/Whonix/onion-grater/pull/1
  349. https://github.com/Whonix/onion-grater/pull/2
  350. https://phabricator.whonix.org/T822
  351. https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui
  352. https://github.com/Whonix/anon-apps-config/commit/008d206ec20c74e0d03926b939522b7036b8693b
  353. https://phabricator.whonix.org/T737
  354. https://github.com/Whonix/usability-misc/commit/c2a0c84b4a12b5bebc241b65a932b96a33cacedb
  355. https://github.com/Whonix/Whonix/commit/5760a2491cc42482945e3d50ed0ccb33d539d92d
  356. https://github.com/Whonix/Whonix/commit/98fd2361ec4e1ef73de3660ccb4c21e5ec86bf5f
  357. https://github.com/Whonix/Whonix/commit/8679c7f1b94e269b8f110743654c2431a0725cc2
  358. https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235
  359. https://phabricator.whonix.org/T738
  360. https://phabricator.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/T69
  361. https://phabricator.whonix.org/T630
  362. https://phabricator.whonix.org/T705
  363. https://phabricator.whonix.org/T706
  364. https://phabricator.whonix.org/T733
  365. https://phabricator.whonix.org/T734
  366. https://phabricator.whonix.org/T735
  367. https://phabricator.whonix.org/T633
  368. https://github.com/Whonix/whonix-ws-desktop-shortcuts/pull/1
  369. https://github.com/Whonix/whonix-gw-desktop-shortcuts/pull/2
  370. https://github.com/Whonix/Whonix/pull/423/commits/bb87de2006d5ea6389480d4443b58ea82c11bef2
  371. https://github.com/Whonix/helper-scripts/pull/4
  372. https://github.com/Whonix/anon-meta-packages/pull/15
  373. https://github.com/Whonix/whonix-xfce-desktop-config
  374. https://github.com/Whonix/whonixcheck/commit/7eec772015948573319e281da67b9b1ffb93e201
  375. https://github.com/Whonix/anon-meta-packages/commit/fd2570327ea7a4da054c2d3825ff04debc70a557
  376. So it is not installed on Whonix-Gateway by default.
  377. https://github.com/Whonix/anon-meta-packages/commit/8bfca1d9a9c7a0e76bcd0222f9fd01dd72a0277b
  378. https://github.com/Whonix/anon-meta-packages/commit/1de173ad50669a575171200d76b0d3e4878fb78b
  379. https://github.com/Whonix/anon-meta-packages/commit/28582d8272a38b9d0ce7cd234f94a7b983358a64
  380. https://github.com/Whonix/anon-meta-packages/commit/eaac36060f9fea574c098967b85690d41f122562
  381. https://github.com/Whonix/security-misc/commit/137bc073c5d65988cce832336ebee5c47071e732
  382. https://github.com/Whonix/whonix-xfce-desktop-config/commit/c8959135d699bc3ce74b95f736cbfbbc8ff391d9
  383. https://github.com/Whonix/whonix-xfce-desktop-config/commit/0e9daa97e9f9e70120c969aa9c9d52cace46971a
  384. https://github.com/Whonix/whonix-firewall/commit/c55b2652eecd214804afb32d89dc8fdf05e31221
  385. To prevent broken functionality due to missing packages.
  386. https://forums.whonix.org/t/whonix-cli-development/6309
  387. https://forums.whonix.org/t/whonix-for-arm64-raspberry-pi-rpi/1788
  388. Virtual ovas and KVM libvirt.xz files are both available as a single download containing both VMs.
  389. https://forums.whonix.org/t/unified-whonix-download-rather-than-separate-whonix-gateway-whonix-workstation-download/6851
  390. https://forums.whonix.org/t/whonix-virtualbox-14-0-1-4-4-unified-ova-downloads-testers-wanted/6979/2
  391. https://github.com/Whonix/security-misc/pull/4
  392. https://github.com/Whonix/whonix-setup-wizard/commit/7fa64df04025d304fa97458a23f730bcc8aedbd8
  393. https://github.com/Whonix/anon-meta-packages/commit/701edd4aa46d76b03fc84a482a9046834beb43ab
  394. https://github.com/Whonix/whonix-xfce-desktop-config/commit/0aba7c2c3676469ea28f7949a5e58795cd529e34
  395. https://forums.whonix.org/research-disabling-tbb-e10-mutiprocess-for-performance-boost/6431
  396. https://github.com/Whonix/Whonix/commit/e75f61f32eee4d947bbeea61d898fcce815b57e5
  397. https://phabricator.whonix.org/T880
  398. https://forums.whonix.org/t/whonix-xfce-14-0-0-9-6-for-virtualbox-released/6368/14
  399. https://github.com/Whonix/security-misc/commit/008a97d9e7f891a706a277c8e9bb2e3a958d1e63
  400. https://phabricator.whonix.org/T894
  401. https://forums.whonix.org/t/tor-browser-in-whonix-blocks-javascript-only-when-started-for-the-first-time-and-in-dispvms/6843
  402. This was reported to occur in approximately 50 percent of start up cases.
  403. Since it does not report upgrades, even when they are available.
  404. https://phabricator.whonix.org/T373
  405. Which failed with return code 1.
  406. https://github.com/QubesOS/qubes-issues/issues/4154
  407. https://github.com/QubesOS/qubes-issues/issues/4155
  408. https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/6
  409. Related to the missing package python3-xcffib.
  410. https://github.com/QubesOS/qubes-issues/issues/4443#issuecomment-436484078
  411. https://github.com/QubesOS/qubes-issues/issues/3323
  412. https://github.com/QubesOS/qubes-issues/issues/4340
  413. https://github.com/QubesOS/qubes-issues/issues/4536
  414. https://github.com/QubesOS/qubes-builder/pull/81
  415. https://github.com/QubesOS/qubes-core-admin/pull/221
  416. https://github.com/QubesOS/qubes-issues/issues/4195
  417. https://github.com/QubesOS/qubes-issues/issues/4295
  418. https://phabricator.whonix.org/T858
  419. https://github.com/QubesOS/qubes-issues/issues/4174


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
