Page MenuHomePhabricator
Create Task
Maniphest T998

Whonix without systemD
Closed, WontfixPublic
Actions

Description

Hello,

Please let me know, may be a manual exists about how to switch Whonix to Devuan base and still keep all or most security enhancements of the Whonix project and eliminate systemD from it at the same time?

It has so many security features I am missing including hardened kernel, but unfortunately it uses systemD which is a very serious unacceptable flaw.

May be just installing a few packages mentioned on:
https://web.archive.org/web/20200705173024/https://www.whonix.org/wiki/Whonix_Packages_for_Debian_Hosts
can do the thing? Though I am not sure about the hardened kernel from Whonix, is there an easy method to borrow its kernel with all its hacks and tunes to Devuan?

Details

Impact
Normal

Event Timeline

sanyo triaged this task as Wishlist priority.Jul 5 2020, 6:33 PM
sanyo created this task.
Herald added subscribers: entr0py, Patrick. · View Herald TranscriptJul 5 2020, 6:33 PM
sanyo updated the task description. (Show Details)Jul 5 2020, 6:34 PM
sanyo updated the task description. (Show Details)
Patrick closed this task as Wontfix.Jul 6 2020, 10:01 AM
Patrick claimed this task.

There's no manual.

Too much work. For an idea how much see:

https://forums.whonix.org/t/porting-whonix-to-void-linux/9369

Also discussion on systemd:
https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172

Related, discussion on which operating system Whonix is based on:
https://www.whonix.org/wiki/Dev/Operating_System

hardened-kernel

  • Linux doesn't have any dependencies on systemd and we won't introduce superfluous dependencies either.
  • I don't see why it wouldn't work on any other Debian based Linux distributions.
  • Wouldn't even know what would be reducing comparability with any other non-Debian based Linux distributions.
  • For status of hardened-kernel see: https://www.whonix.org/wiki/Hardened-kernel
  • Anyone welcome to contribute/port.

easy: Not easy for me.

sanyo added a comment.Jul 6 2020, 6:26 PM

I guess it shall not be any harder to port Whonix to Devuan than porting it to original Debian.

And I need only console mode for services and daemons like anonymization router, chat, etc.

No any need for a desktop. X11. etc.

sanyo added a comment.EditedJul 6 2020, 6:29 PM

May I know, what do you think about Whonix vs OpenBSD in terms of security for a headless server without any GUI?

And why there are no any public leaks of more recent releases from grsecurity? Would not it be legal provided the kernel is GPLed?

Could not someone create a website like:
https://wpcrack.in/join-the-club-now/

It is the same idea, since Wordpress is GPLed, most its addons are GPLed too and it is legal to redistribute them for a cheaper price.

Since grsecurity is less popular than Wordpress they could set a price tag like $100-200 USD per year just to support expenses to find a new nominal LLC to purchase further updates to always a new company each time after earlier used company is banned by grsecurity, say once per 1-3 years. They could make a lag of releasing updates like a year behind of the grsec mainline, so the ban would occur only after subscription is already exhausted. It would be like a group buy campaigns.

Patrick added a comment.Jul 7 2020, 9:53 AM
In T998#20144, @sanyo wrote:

May I know, what do you think about Whonix vs OpenBSD in terms of security for a headless server without any GUI?

mentioned here:
https://www.whonix.org/wiki/Dev/Operating_System

And why there are no any public leaks of more recent releases from grsecurity? Would not it be legal provided the kernel is GPLed?

off-topic

sanyo added a comment.EditedJul 7 2020, 6:05 PM

Btw, Devuan is almost the same Debian with systemD removed from it.
Devuan even uses the same Debian binary repository with a few substitutions/replacements by its own Devuan packages just to eliminate nasty systemD.

sanyo added a comment.Jul 7 2020, 8:23 PM

A few more questions:

  1. Does systemD track user at least by his personal machine GUID ?
  1. Can systemD be operated by invisible virtualization bootkits, trojans and hardware backdoors in negative rings of the CPU just to phone home via many programs nailed hardly to systemD ?

Do you still think after that systemD allows to make an anonymization distribution?

sanyo added a comment.EditedAug 23 2020, 12:56 PM

It is important to understand, that systemD is actually much more than simply an init system:

systemD is only named "init system" just for marketing purposes to hide true (in)security hell promoted by it, IMHO actually systemD is much more like a second kernel running in parallel with general kernel and providing many new unified API for easy phoning home, remote control of many desktop program's data, etc.

More details are described here

Many spare/odd (if they would be without systemd) software processes are running, not desired ports listening, main kernel options silently changed without permission, may be something else unpredictable, it is like a living on a volcano.

If systemD would be just another init system, it would not take years from Devuan to throw it out of the distribution and replace with another true init system like OpenRC or any other like it.

http://dev1galaxy.org/viewtopic.php?pid=21594#p21594

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer