refactoring (Project)
Active · Public

Recent Activity

Dec 3 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

https://researchut.com/post/migrating-firewall-to-nftables/

Dec 3 2018, 6:02 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 20 2018

HulaHoop added a comment to T509: Consider nftables as a replacement for iptables.

nftables transition info:

Jun 20 2018, 3:03 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jun 18 2018

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jun 18 2018, 4:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Feb 5 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:56 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Feb 5 2017, 5:45 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a project to T509: Consider nftables as a replacement for iptables: iptables.
Feb 5 2017, 3:34 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 31 2017

Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 31 2017, 9:23 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 30 2017

marmarek added a comment to T509: Consider nftables as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:05 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables as a replacement for iptables.
Jan 30 2017, 11:04 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 18 2017

Patrick closed T369: /dev/shm, shared memory 'sem_open: Permission denied', prevent writing to /etc/fstab as Invalid.

Whonix's build script is no longer used to build Qubes-Whonix, so this is not required.

Jan 18 2017, 9:22 AM · Whonix 14, Debian version 9 codename Stretch, refactoring, bug, Whonix
Patrick added a project to T369: /dev/shm, shared memory 'sem_open: Permission denied', prevent writing to /etc/fstab: Whonix 14.
Jan 18 2017, 6:58 AM · Whonix 14, Debian version 9 codename Stretch, refactoring, bug, Whonix

Dec 16 2016

HulaHoop closed T577: Accelerating the Build Script as Resolved.
Dec 16 2016, 4:18 AM · build, bash, research, refactoring, Whonix
HulaHoop added a comment to T577: Accelerating the Build Script.

Still acceleration required?

Dec 16 2016, 4:17 AM · build, bash, research, refactoring, Whonix

Dec 15 2016

Patrick added a comment to T577: Accelerating the Build Script.

Still acceleration required?

Dec 15 2016, 1:22 AM · build, bash, research, refactoring, Whonix

Dec 14 2016

HulaHoop added a comment to T577: Accelerating the Build Script.

Thanks. The outdated section linked to confused me but I got it now.

Dec 14 2016, 10:14 PM · build, bash, research, refactoring, Whonix
Patrick added a comment to T577: Accelerating the Build Script.

--install-to-root is deprecated. That's --target root for a few releases now. For physical isolation.

Dec 14 2016, 6:23 PM · build, bash, research, refactoring, Whonix
HulaHoop added a comment to T577: Accelerating the Build Script.

Looked it up: --install-to-root only relevant if building on the host

Dec 14 2016, 11:00 AM · build, bash, research, refactoring, Whonix
HulaHoop added a comment to T577: Accelerating the Build Script.

Did you try using an apt-cache yet as per build documentation, chapter apt cache?

Dec 14 2016, 10:47 AM · build, bash, research, refactoring, Whonix

Dec 13 2016

Patrick added a comment to T577: Accelerating the Build Script.

avoid downloading the same things twice

Dec 13 2016, 11:44 AM · build, bash, research, refactoring, Whonix
HulaHoop updated the task description for T577: Accelerating the Build Script.
Dec 13 2016, 12:58 AM · build, bash, research, refactoring, Whonix
HulaHoop updated the task description for T577: Accelerating the Build Script.
Dec 13 2016, 12:54 AM · build, bash, research, refactoring, Whonix
HulaHoop created T577: Accelerating the Build Script.
Dec 13 2016, 12:51 AM · build, bash, research, refactoring, Whonix

Aug 30 2016

Patrick closed T549: use sudo --non-interactive for better error handling as Resolved.
Aug 30 2016, 11:37 PM · refactoring, Whonix 14, Whonix

Aug 25 2016

Patrick created T549: use sudo --non-interactive for better error handling.
Aug 25 2016, 6:27 PM · refactoring, Whonix 14, Whonix

Jun 27 2016

Patrick closed T152: profile rule deduplication of apparmor-profile-sdwdate and apparmor-profile-timesync by creating an sdwdate AppArmor abstraction file as Resolved.

timesync and apparmor-profile-timesync were deprecated so this task is invalid.

Jun 27 2016, 7:00 PM · refactoring, Whonix, AppArmor
Patrick assigned T152: profile rule deduplication of apparmor-profile-sdwdate and apparmor-profile-timesync by creating an sdwdate AppArmor abstraction file to troubadour.
Jun 27 2016, 7:00 PM · refactoring, Whonix, AppArmor

May 12 2016

Patrick added a comment to T509: Consider nftables as a replacement for iptables.

Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoided if it is so widespread that Whonix would stand out without having IPv6 support.

May 12 2016, 12:30 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added projects to T509: Consider nftables as a replacement for iptables: whonix-gw-firewall, whonix-ws-firewall, vpn-firewall.
May 12 2016, 12:25 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
HulaHoop created T509: Consider nftables as a replacement for iptables.
May 12 2016, 12:15 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Apr 28 2016

Patrick closed T465: refactor socks redirection firewall rules as Resolved.

The diff looks sane.

Apr 28 2016, 6:11 AM · refactoring, Whonix 13, whonix-gw-firewall, Whonix
Patrick added a comment to T465: refactor socks redirection firewall rules.

Whonix 12. iptables-save-deterministic

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:PR-QBS-SERVICES - [0,0]
-A PREROUTING -j PR-QBS-SERVICES
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9052 -j REDIRECT --to-ports 9052
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9152 -j REDIRECT --to-ports 9152
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9153 -j REDIRECT --to-ports 9153
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9154 -j REDIRECT --to-ports 9154
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9155 -j REDIRECT --to-ports 9155
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9156 -j REDIRECT --to-ports 9156
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9157 -j REDIRECT --to-ports 9157
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9158 -j REDIRECT --to-ports 9158
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9159 -j REDIRECT --to-ports 9159
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9160 -j REDIRECT --to-ports 9160
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9161 -j REDIRECT --to-ports 9161
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9162 -j REDIRECT --to-ports 9162
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9163 -j REDIRECT --to-ports 9163
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9164 -j REDIRECT --to-ports 9164
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9165 -j REDIRECT --to-ports 9165
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9166 -j REDIRECT --to-ports 9166
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9167 -j REDIRECT --to-ports 9167
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9168 -j REDIRECT --to-ports 9168
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9169 -j REDIRECT --to-ports 9169
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9170 -j REDIRECT --to-ports 9170
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9171 -j REDIRECT --to-ports 9171
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9172 -j REDIRECT --to-ports 9172
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9173 -j REDIRECT --to-ports 9173
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9174 -j REDIRECT --to-ports 9174
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9175 -j REDIRECT --to-ports 9175
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9176 -j REDIRECT --to-ports 9176
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9177 -j REDIRECT --to-ports 9177
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9178 -j REDIRECT --to-ports 9178
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9179 -j REDIRECT --to-ports 9179
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9180 -j REDIRECT --to-ports 9180
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9181 -j REDIRECT --to-ports 9181
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9182 -j REDIRECT --to-ports 9182
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9183 -j REDIRECT --to-ports 9183
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9184 -j REDIRECT --to-ports 9184
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9185 -j REDIRECT --to-ports 9185
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9186 -j REDIRECT --to-ports 9186
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9187 -j REDIRECT --to-ports 9187
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9188 -j REDIRECT --to-ports 9188
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i vif+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:5300
-A OUTPUT -p tcp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:9040
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -m owner --uid-owner 1001 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j RETURN
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0,0]
:FORWARD DROP [0,0]
:OUTPUT DROP [0,0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9159 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9160:9169 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9170:9179 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9180:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
Apr 28 2016, 6:11 AM · refactoring, Whonix 13, whonix-gw-firewall, Whonix

Apr 21 2016

Patrick added a comment to T465: refactor socks redirection firewall rules.

Whonix 13. iptables-save-deterministic

Apr 21 2016, 9:01 PM · refactoring, Whonix 13, whonix-gw-firewall, Whonix

Apr 20 2016

Patrick closed T461: Installation from Repository / proverbial "sudo apt-get install whonix" as Resolved.

This is done. Further work being tracked in T498.

Apr 20 2016, 12:29 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick closed T416: allow running Whonix build script as root, rework user_name as Resolved.

This is covered by T498.

Apr 20 2016, 12:18 AM · build, Whonix, refactoring, Whonix 13

Apr 15 2016

Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
more robust handling of /etc/hostname
Apr 15 2016, 3:16 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
added install-from-local-repository script
Apr 15 2016, 1:39 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement

Apr 8 2016

HulaHoop added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

systemd-nspawn talked about as a drop in replacement for chroot in build environments:

Apr 8 2016, 7:54 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
In T461#8647, @marmarek wrote:
  1. download of tor, tor-geoipdb, deb.torproject.org-keyring not possible (T472). If we have no networking during that stage... Which is on one hand a very good thing, so we do not depend on it.

Just for installation it shouldn't be a problem - we can simply add deb.torproject.org repo for the time of apt-get --download-only install .... But it doesn't help in any way with how to keep track of the tor package later.

Apr 8 2016, 5:26 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
marmarek added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
  1. download of tor, tor-geoipdb, deb.torproject.org-keyring not possible (T472). If we have no networking during that stage... Which is on one hand a very good thing, so we do not depend on it.
Apr 8 2016, 2:39 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

current blockers:

Apr 8 2016, 2:18 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
marmarek added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

We concluded earlier already we don't want to have a debian package hosting Tor Browser tarballs (tb-binary). (Mentioned in T417.) We might reconsider if not avoidable.

Apr 8 2016, 2:12 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

I have yet to actually try apt-get install whonix-... and see how it goes. Will work on this next.

Apr 8 2016, 1:26 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement

Apr 7 2016

marmarek added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

Great! This will allow major reduction of duplicated data on installation ISO (Debian base packages, Whonix gw/ws common packages). And also result in smaller Whonix templates (no build depends installed there).
As for the cleanup - that's fine - it can be done using salt management stack.

Apr 7 2016, 11:12 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
  • Chroot scripts were reduced to a minimum.
  • They are no longer relevant for installation of Whonix from repository using apt-get install whonix-gateway etc.
  • Non-Qubes-Whonix: chroot scripts are still relevant for building Non-Qubes-Whonix images using Whonix's build script. To my knowledge, there is no sane way to run the cleanup chroot script from within a Debian package maintainer script.
  • Qubes-Whonix: chroot-scripts are mostly irrelevant. Mostly. When the whonix-gateway or whonix-workstation package gets installed into a Qubes Debian template - with the purpose of morphing it into Whonix - perhaps while running on top of the Qubes installer DVD - then the cleanup of the template would be up to the script doing that. It could do so by running /usr/lib/anon-dist/chroot-scripts-post.d/80_cleanup or otherwise.
Apr 7 2016, 9:30 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
merged chroot scripts from anon-shared-build-sanity-checks and anon-shared-build-remember-sources
Apr 7 2016, 9:11 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
check for nonfree packages during
Apr 7 2016, 8:58 PM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".

There are only 4 chroot scripts left.

Apr 7 2016, 3:08 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
fixed logging version of the package as build version
Apr 7 2016, 2:32 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement
Patrick added a comment to T461: Installation from Repository / proverbial "sudo apt-get install whonix".
cleanup, got rid of obsolete /usr/lib/anon-dist/chroot-scripts-pre.d/20_sanity_checks
Apr 7 2016, 2:06 AM · Whonix 13, Whonix, refactoring, anon-meta-packages, whonixcheck, enhancement