madaidan (madaidan):
madaidan added a comment.
> We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition. I can test it for that too. Where do I download it?
Maybe there is no need. It's just when Tails has a ticket, we should
check it at Whonix too. Thank you for looking into this, too!
The way it is now looks fine. Why would it need to be changed?
We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition.
Seems quite hacky. What's the root cause for failing?
Could you please review this? @HulaHoop
Seems quite hacky. What's the root cause for failing?
Thanks for testing! Would have been surprising if there was.
madaidan (madaidan):
madaidan added a comment.
> https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things. Wouldn't using a fake machine-id e.g. a bunch of zeroes fix this?
https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.
In T582#18461, @madaidan wrote:Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?
Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?
My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.
You can create directories in tor-browser_en-US/Browser/TorBrowser/Data/Browser/ called (profile_name).default. Here will be all the configurations for the profile. It should have a custom user.js with proxy settings using privoxy and setting network.proxy.no_proxies_on to 0.
Alternatively, you could change the home page to the program's interface e.g. 127.0.0.1:7657 for I2P and start the browser with a script that creates a popup box using zenity or similar that tells the user the information.
Maybe disable it just for package upgrades?
There is none. You can run swapon -s or cat /proc/swaps to verify.
No, I mean the upstream repository thunar-volman by XFCE developers.
madaidan (madaidan):
madaidan added a comment.
> Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions. debian/thunar-volman.xml has all the default settings for auto-mounting if that's what you mean.
Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions.
Debian buster package thunar-volman (thunar-volman-0.9.1) contains a file debian/thunar-volman.xml
Automounting can be configured in /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.conf
More kernel hardening:
https://github.com/Whonix/security-misc/pull/5
Related thread on general kernel hardening:
Does this work for you? @tempest
HulaHoop (HulaHoop):
HulaHoop added a comment.
https://gitlab.freedesktop.org/spice/spice-protocol/issues/8
In T817#18429, @HulaHoop wrote:user@host:~/jitterentropy-20140131/tests_userspace/timing$ ./jitterentropy-inittest
Pass 10000 - Fail 0 - Rounds 10000foldtime.O0
foldtime.O2https://anonfile.com/g8E9mal5n6/foldtime_O2
https://anonfile.com/63H8m6l9nb/foldtime_O0
user@host:~/jitterentropy-20140131/tests_userspace/timing$ ./jitterentropy-inittest
Pass 10000 - Fail 0 - Rounds 10000
Issue was discussed by Libvirt devs on RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1320263#c4
I even linked to a secure clipboard proposal that would have given a secure clipboard functionality by copying Qubes style interaction. It went no where and was closed as WONTFIX.
No such package anymore.
@Patrick I have set it to a temporary redirect now (302). In my tests in Firefox, the request is not being cached (server sends back the 302 each time according to Nginx logs)
Hardened Debian Linux has been added to Google Season of Docs project ideas.
i would say purge xpra , if someone want xpra he can install it easily.
apt-file list xpra | grep desktop
In T869#18260, @TNTBOMBOM wrote:There is one issue with installing xpra:
- it will install xpra browser (unwanted in Whonix)
- also it has ability to connect to an outside xpra servers (unwanted in Whonix)
launch xpra GUI or from terminal and you will find all these stuff.
also another reason why CoyIM wont come back in the near future:
Works great! Thanks @mig5!
There is one issue with installing xpra:
Merged.
I also added the cli version to the non-qubes-vm-enhancements-cli section. It is a dep of a gui install but not vice versa. Zulucrypt plugin package was added there too since enchancements-cli is a subset of enhancements-gui.
I suggest not permanent redirection, otherwise browsers may cache old version.
Edited above comment a few times to fix syntax
Added this to /etc/nginx/sites-enabled/download.whonix.org.conf:
In T895#18241, @mig5 wrote:It doesn't strike me as too hard to just add a 'current' symlink pointing to the latest release?
Could you please test https://github.com/smuellerDD/jitterentropy-rngd/issues/6#issuecomment-483191719 in Qubes / VirtualBox? @TNTBOMBOM
Should remove coyim. Reason:
In T769#18244, @HulaHoop wrote:
- Add zulucrypt to Whonix including its extensions?
zulucrypt works in Buster. Tomb does not.
Answer by jitterentropy developer:
https://github.com/smuellerDD/jitterentropy-rngd/issues/6#issuecomment-483191719
Another approach might be to use Nginx redirects (and a shell script or something, to maintain changes as new versions come out), so that URLs like https://download.whonix.org/ova/current/Whonix-XFCE-current.ova redirect to https://download.whonix.org/ova/14.0.1.4.4/Whonix-XFCE-14.0.1.4.4.ova . Useful?
It doesn't strike me as too hard to just add a 'current' symlink pointing to the latest release?
consider installing jitterentropy-rngd to improve entropy collection
https://github.com/QubesOS/qubes-issues/issues/4169
ask Xen developers about Efficacy of jitterentropy RNG in Xen
https://github.com/QubesOS/qubes-issues/issues/4174
Since we no longer install any KDE applications by default (such as dolphin; ark), no dependency pulls phonon anymore so in extension nothing pulls vlc anything anymore. Therefore this is no longer needed.
Awesome!