Build Configuration

Kicksecure Build Configuration. APT Repository, Onion Sources, APT Cache, VM Settings, Skip Steps, Source Code Changes
Note: All of the following build configuration steps are optional.
Introduction
Usually the build configuration does not need to be changed. Kicksecure built from source code comes with safe defaults. Whonix's APT Repository will not be used.
The most interesting build configurations (Terminal-Only, NoDefaultApps etc.) are documented in the following chapters.
If build configurations were used earlier, it might be better to delete the build configuration folder. A few example filenames may have changed since the last build.
sudo rm -r /etc/buildconfig-dist.d
Alternatively, experts can manually examine the /etc/buildconfig-dist.d folder and change its contents to suit their preferences.
/etc/buildconfig-dist.d is a modular flexible .d style configuration folder.
Less popular build configurations are documented in the buildconfig.d folder and on the Dev/Source_Code_Intro#Build_Configuration page, but that documentation is less user-friendly.
To avoid typos, it is best to copy and paste text when creating build configuration files. Take care that editors do not capitalize variable names which are supposed to be lower case during copy and paste procedures.
Platforms Choice
Advanced users can create 32-bit instead of 64-bit builds.
To build Kicksecure 14 32-bit, add the following build parameter.
--arch i386
- kFreeBSD is entirely untested and most likely needs additional work (see footnotes). [3]
- Kicksecure for arm64 development discussion:
https://forums.whonix.org/t/whonix-for-arm64-raspberry-pi-rpi/723
Kicksecure APT Repository
Kicksecure:
Kicksecure APT Repository is disabled by default [6] for builds from source code for reasons of Trust. Users can decide to update Kicksecure Debian packages by building them from source code (greater security). Alternatively, the Kicksecure APT repository can be enabled right after building or after booting the build for the first time (greater convenience) using the Kicksecure repository tool. The latter method sacrifices security for convenience.
Do you want to opt in to the Kicksecure APT Repository?
The easy way to add the Kicksecure stable repository is the following command line option.
--repo true
Other settings can be set using an environment variable or build configuration. Below are examples using an environment variable.
DERIVATIVE_APT_REPOSITORY_OPTS='--enable --repository stable'
DERIVATIVE_APT_REPOSITORY_OPTS='--enable --repository testers'
DERIVATIVE_APT_REPOSITORY_OPTS='--enable --repository developers'
DERIVATIVE_APT_REPOSITORY_OPTS='--enable --codename bookworm'
Add an environment variable as one normally does on that specific Linux platform. For example, to enable the Kicksecure stable repository during build, you could set DERIVATIVE_APT_REPOSITORY_OPTS by interjecting it between sudo and the ./derivative-maker command. Below is an example. Do not use [...]. Replace it with other chosen build parameters (such as --build, --target etc.) after ./derivative-maker.
sudo DERIVATIVE_APT_REPOSITORY_OPTS='--enable --repository stable' ./derivative-maker [...]
APT Onion Build Sources
For better build security, you can also use onion APT sources for building Kicksecure.
This does not ensure all of Whonix's build process will be torified!
Kicksecure 14 and above only:
--connection onion
Torified or Host APT Cache
Using an apt cache will greatly improve build speed when building several times in a row (e.g. when debugging, during development).
torified apt-cacher-ng
The following torified apt-cacher-ng setup only has to be applied if you are building with onion APT sources using --connection onion.
However, if you are building behind a Tor transparent proxy such as Kicksecure, you can use the simpler clearnet apt-cacher-ng instructions below instead.
Install apt-cacher-ng, torsocks and tor.
sudo apt install apt-cacher-ng torsocks tor
Create the apt-cacher-ng systemd drop-in folder /lib/systemd/system/apt-cacher-ng.service.d.
sudo mkdir -p /lib/systemd/system/apt-cacher-ng.service.d
Open file /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf in an editor with root rights.
Kicksecure for Qubes
NOTE: When using Kicksecure for Qubes, this needs to be done inside the Template.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf
Add.
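[Service]
# The empty ExecStart= clears the packaged command; systemd refuses a service with two ExecStart= lines unless it is Type=oneshot.
ExecStart=
ExecStart=torsocks /usr/sbin/apt-cacher-ng SocketPath=/run/apt-cacher-ng/socket -c /etc/apt-cacher-ng ForeGround=1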
Save.
Reload systemd.
sudo systemctl daemon-reload
Restart apt-cacher-ng.
sudo systemctl restart apt-cacher-ng
clearnet apt-cacher-ng
sudo apt install apt-cacher-ng
Be sure to have a firewall, so the whole internet cannot use the apt-cacher-ng service.
Prepend REPO_PROXY=http://127.0.0.1:3142 before the build command.
sudo REPO_PROXY=http://127.0.0.1:3142 ./derivative-maker ...
When building inside a non-Whonix VM, an apt cache can be used on the host. In that case, adjust the IP accordingly and manually test that it is reachable. When building inside a (Kicksecure) VM, just install the apt cache inside the VM and point to a localhost apt cache.
From 14.0.1.0.7-developers-only and above Whonix automatically uses apt-cacher-ng.
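A check for the exposure this section warns about, as an added example that is not part of the Kicksecure documentation: it classifies the sockets listening on apt-cacher-ng's port 3142, taken from ss -Hltn output, as loopback or exposed. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Kicksecure documentation.
# Function names and sample lines are constructed for illustration.

# Reads `ss -Hltn` output on stdin and prints "<scope> <address>" for every
# socket listening on the apt-cacher-ng port (default 3142).
acng_listeners() {
    awk -v port="${1:-3142}" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            # 127.0.0.0/8 and ::1 are reachable from this machine only.
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
            print scope, addr
        }'
}

# Exit status: 0 = listening on loopback only, 1 = at least one listener on
# a non-loopback address, 2 = nothing listens on the port.
acng_check() {
    listeners=$(acng_listeners "$@")
    [ -n "$listeners" ] || return 2
    case "$listeners" in
        *exposed*) return 1 ;;
    esac
    return 0
}

# Constructed samples of `ss -Hltn` output (not captured from a real host).
sample_exposed='LISTEN 0 250    0.0.0.0:3142 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*'
sample_local='LISTEN 0 250 127.0.0.1:3142 0.0.0.0:*
LISTEN 0 250     [::1]:3142    [::]:*'

printf '%s\n' "$sample_exposed" | acng_listeners
printf '%s\n' "$sample_local" | acng_check && echo "cache listens on loopback only"
# On a real build host: ss -Hltn | acng_check; echo "exit status: $?"
```

Status 1 is expected when the cache on the host deliberately serves a build VM; in that setup the firewall is what keeps the service away from other networks.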
VM Settings
Such as image size, RAM, filesystem, hostname and password.
This is only relevant for VM builds.
Several examples are below. Values can be changed to suit user preferences.
VirtualBox's --vmsize option (virtual RAM).
--vmram 128
VirtualBox's --vram option (virtual video RAM).
--vram 12
grml-debootstrap's --vmsize option.
--vmsize 200G
grml-debootstrap's --filesystem option.
--file-system ext4
grml-debootstrap's --hostname option. [7]
--hostname host
grml-debootstrap's --password option.
--os-password changeme
grml-debootstrap's --debopt option.
--debopt "--verbose"
Skip Steps
--sanity-tests false
Source Code Changes
This is only required if changes were made to the Whonix source folder!
This is not required if only a customized build configuration was added to the /etc/buildconfig-dist.d folder.
If changes were made to the Whonix source code, it is easiest to use the following build parameter.
--allow-uncommitted true
Or, if not building from a git tag, it is easiest to use the following build parameter.
--allow-untagged true
Otherwise, changes must be committed to git first, before creating a git tag.
Footnotes
- ↑ State of official 64-bit builds.
- ↑ Don't get confused by the term amd64. It runs on both Intel and AMD. amd64 is only how Debian names the kernel. It works equally well on Intel and AMD.
- ↑ kFreeBSD (32-bit).
--arch kfreebsd-i386 --kernel kfreebsd-image --headers kfreebsd-headers
kFreeBSD (64-bit).
--arch kfreebsd-amd64 --kernel kfreebsd-image --headers kfreebsd-headers
- ↑ https://github.com/grml/grml-debootstrap/pull/13
- ↑ In this case, try installing the packages linux-image-amd64 and linux-headers-amd64 on your host, then boot the amd64 kernel by choosing it in the boot menu. The whole system does not require re-installation; just be sure to boot with an amd64 kernel. Alternatively, consider re-installing your host using amd64.
- ↑ Since Kicksecure 7.3.3
- ↑ The dist-base-files package will change this later on.