Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Kicksecure Development Notes on GNOME

For user documentation, see Other Desktop Environments instead!

This page is not intended for users or non-developers.

Security[edit]

• GNOME Website Extensions:
  • GNOME allows installing extensions through an 'Install' button on its website. Example: https://extensions.gnome.org/extension/1160/dash-to-panel/
  • Does it perform digital software signature verification?
• Security Risks in Default Installation: The standard GNOME setup includes numerous features, which may lead to security vulnerabilities.
  • File Download Vulnerabilities: Simple file downloads have in the past resulted in remote code execution.
  • Link Click Vulnerabilities: Clicking a link on a website has in the past led to remote code execution.
    • Related Blog Post: See the blog post: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
    • Demonstration Video: Watch the short video here: https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4
  • Tracker-Miner Daemon Concerns: GNOME runs tracker-miner, a daemon that parses all user-downloaded files, which in the past was had such vulnerabilities. Such daemons should not run by default.
  • Compromised Theoretical Security: Theoretical security benefits from Wayland are undermined by poor security practices.
• Social Account Integration: Privacy and security concerns about integrating social accounts.

Reasons Against Using a Minimal Desktop Environment Without Its Bad Stuff[edit]

While it might be theoretically possible to avoid GNOME's undesirable aspects by selectively using only core packages like the window manager and systray, this approach is not without significant drawbacks.

Selectively using GNOME components, such as the window manager and systray, and concurrently issuing warnings about other standard GNOME functionalities, presents a contradiction and practical challenges. This methodology seems counterintuitive: utilizing only specific parts of GNOME (like the window manager and systray) while also having to add warnings and disclaimers against its standard, documented features in user documentation and support requests.

For example, GNOME's recommended method for installing the Clipboard Indicator involves visiting extensions.gnome.org Clipboard Indicator and clicking 'Install'. However, this raises a question: what is the secure alternative that bypasses browser interactions and includes digital software verification? As of this writing, this remains unclear.

For instance, consider a user query:

Is it safe to install gnome-clocks?"

Hypothetical user support request.

No, it is not recommended due to its dependency on geoclue-2.0. This dependency not only expands the attack surface but also has privacy concerns. Currently, instructions to mitigate these risks remain undocumented."

Hypothetical reply.

Such an approach would lead to inconsistency and confusion for users, undermining the practicality of using a minimal GNOME setup.

No comparable issues exist for Xfce. Users have the advantage of leveraging both Debian and Xfce documentation, along with resources from third parties, to customize and utilize Xfce effectively.

Usability[edit]

Systray Absence: By default, GNOME does not include a systray.

How can it be added?

• For typical GNOME users, the recommended method is to visit: AppIndicator Support and click the 'Install' button.
• Command line: For users who want to install from the command line, packages.debian.org or from source code while performing digital software signatures verification: Unknown.
• Linux distributions: For Linux distributions using a build script, the process remains unclear. (Clicking buttons is inappropriate for Linux distribution build scripts.) Should a solution for command line become available, it might also provide insight into this scenario.

Trademark[edit]

https://foundation.gnome.org/logo-and-trademarks/

https://wiki.gnome.org/Foundation/SoftwarePolicy

Software projects which are included in GNOME Circle are not official GNOME software. As such, they cannot use the GNOME trademarks to identify themselves.

Qubes[edit]

Qubes' Stance on GNOME: Qubes has also decided against using GNOME: https://github.com/QubesOS/qubes-issues/issues/1806#issuecomment-1768557436

Related[edit]

• Discussion on Porting to Wayland: https://forums.whonix.org/t/port-to-wayland/17380
• Security Concerns: https://github.com/Kicksecure/security-misc/issues/168

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!