ToDo for Developers

From Kicksecure

TODO

Warning: This is for developers only!

TODO DEV


trixie-port - Qubes - sys-net - sdwdate-gui-qubes@.service - systemd protocol error

sudo journalctl --boot -u sdwdate-gui-qubes@0-1443-1000.service | cat
Dec 04 08:59:46 sys-net systemd[1]: Starting sdwdate-gui-qubes@0-1443-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1443/UID 1000)...
Dec 04 08:59:57 sys-net systemd[1]: sdwdate-gui-qubes@0-1443-1000.service: Failed with result 'protocol'.
Dec 04 08:59:57 sys-net systemd[1]: Failed to start sdwdate-gui-qubes@0-1443-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1443/UID 1000).
  • Patrick: Fixed. But still more issues.
[WARNING] [systemcheck] systemd units check result: 1 systemd units failed to load. These might be stuck in state failed, activating or deactivating. Output of leaprun read-systemctl-logs-failed-units-pretty:

########################################
  UNIT                                  LOAD   ACTIVE     SUB   JOB   DESCRIPTION
● sdwdate-gui-qubes@1-1483-1000.service loaded activating start start sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.
        JOB    → Pending job for the unit.

1 loaded units listed.
########################################
[root ~]# systemctl status sdwdate-gui-qubes@1-1483-1000.service
○ sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy
     Loaded: loaded (/usr/lib/systemd/system/sdwdate-gui-qubes@.service; static)
     Active: inactive (dead)

Dec 04 09:24:22 sys-net systemd[1]: Starting sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)...
Dec 04 09:24:32 sys-net systemd[1]: Started sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000).
Dec 04 09:24:32 sys-net systemd[1]: sdwdate-gui-qubes@1-1483-1000.service: Deactivated successfully.
zsh: exit 3     systemctl status sdwdate-gui-qubes@1-1483-1000.service
[root ~]# journalctl --boot -u sdwdate-gui-qubes@1-1483-1000.service | cat
Dec 04 09:24:22 sys-net systemd[1]: Starting sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)...
Dec 04 09:24:32 sys-net systemd[1]: Started sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000).
Dec 04 09:24:32 sys-net systemd[1]: sdwdate-gui-qubes@1-1483-1000.service: Deactivated successfully.
[root ~]# 
  • systemd probably does not like that a Type=notify unit can exit
systemctl --no-legend --no-pager --no-block --state=failed,activating,deactivating list-units
● sdwdate-gui-qubes@49-1483-1000.service loaded activating start start sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)
  • can we avoid getting stuck in that state?

helper-scripts - sanitize-string and strip-html improvements

  • sanitize-string
    • please add pipe support
    • currently: "sanitize-string: Usage: sanitize-string string [max_length]",
      • would be better to have string length as mandatory first argument? Perhaps nolimit as a keyword? Please update code base.
  • strip-html
    • please add pipe support
  • integrate minimally into tests
  • Aaron: Done, commits pushed to helper-scripts and all repositories that used sanitize-string or strip-html (in either library or executable form).
  • Patrick: Merged.
  • small lint issue: https://github.com/Kicksecure/helper-scripts/actions/runs/19847500678/job/56867679739
    • Aaron: Fixed.
  • Should sanitize-string act like stcatn, i.e. always ensure there is a trailing newline at the end?
    • Aaron: Unsure. I would initially argue no, strings may legitimately not contain a trailing newline. If in the future we need to sanitize a string and ensure it is terminated with a newline, we should add a new option to sanitize-string to do this.
  • AI:
Additional security concerns in strip-markup

    Terminal/console escape injection remains possible. The sanitizer removes only markup tags and replaces <, >, and & with underscores when it detects suspicious transformations, but it leaves all other control characters untouched. Because StripMarkupEngine runs with convert_charrefs = True, an attacker can supply inputs containing HTML entities for escape characters (e.g., &#27; for ESC), which will be decoded and written back out unchanged via sys.stdout.write. This can produce ANSI escape sequences in logs or terminals, enabling log forgery or malicious terminal control even though HTML tags were stripped.

Not safe for contextual HTML output. The “sanitization” only removes tags and (in the fallback path) converts <, >, and & to underscores; it does not escape quotes, backticks, or other characters that are dangerous in attribute, JavaScript, or CSS contexts. If the supposedly “clean” output is later interpolated into HTML attributes or script blocks, an attacker can inject payloads such as javascript:... URLs or string-breaking quotes that lead to XSS despite markup stripping.
  • Aaron:
    • The terminal/console escape injection issue is possibly not a problem, because Python's HTML parser discards (some) entities that encode the ESC character rather than emitting the character they encode. Nonetheless, added defense-in-depth code to sanitize_string to ensure stray escapes are sanitized after HTML parsing is complete. Commits pushed to helper-scripts.
    • The contextual HTML output concern is not a worry since sanitize_string is not designed to make strings that are safe to place into the attribute of an HTML element.
  • Patrick: Merged.
  • Patrick:
    • ./usr/lib/python3/dist-packages/stdisplay/stsponge.py - temporary file should be deleted?
    • temp_file.close() is redundant due to "with"?
  • bug: running "strip-markup" as is without any input will hang forever
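To make the two positions above concrete (the review's entity-encoded ESC concern and Aaron's reply that the parser drops such entities), here is an added example, not code from helper-scripts: a minimal markup stripper built on Python's html.parser with convert_charrefs=True, followed by a separate control-character pass; the sample inputs are constructed. It shows that html.unescape() discards an entity-encoded ESC (&#27;) but that a raw ESC or BEL byte survives markup stripping untouched, which is what the defence-in-depth pass is for.

```python
import re
from html.parser import HTMLParser

# Constructed inputs (not from helper-scripts): markup plus an entity-encoded
# ESC, and markup plus a raw ESC byte and a BEL byte.
SAMPLE_ENTITY_ESC = "<b>ok</b>&#27;[31mred"
SAMPLE_RAW_ESC = "<i>ok</i>\x1b[31mred\x07"


class _TextOnly(HTMLParser):
    """Keep character data only; tags, comments and declarations are dropped."""

    def __init__(self) -> None:
        # convert_charrefs=True routes text through html.unescape(), which
        # maps numeric references to C0 controls such as &#27; to ''.
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_markup(text: str) -> str:
    """Markup stripping alone, to show exactly what survives the parser."""
    parser = _TextOnly()
    parser.feed(text)
    parser.close()  # flush any trailing text the parser buffered
    return "".join(parser.parts)


# C0 controls except TAB/LF, DEL, and the C1 range; ESC (0x1b) is in here.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_controls(text: str) -> str:
    """Defence-in-depth pass run after markup stripping; controls become '_'."""
    return _CONTROL_RE.sub("_", text)


def strip_markup_safe(text: str) -> str:
    """What a terminal- or log-bound sanitizer needs: both passes, in this order."""
    return sanitize_controls(strip_markup(text))


if __name__ == "__main__":
    for sample in (SAMPLE_ENTITY_ESC, SAMPLE_RAW_ESC):
        print(repr(strip_markup(sample)), "->", repr(strip_markup_safe(sample)))
```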

misc AI review #2


trixie-port - misc qubes test failures

Using packages from trixie Kicksecure repo, not trixie-developers
Before any morph: (8.388 + 8.015 + 8.112) / 3 = 8.171
After adding helper-scripts: (8.005 + 8.179 + 7.999) / 3 = 8.061
After adding security-misc: (8.222 + 8.346 + 8.404) / 3 = 8.324 (with outlier 18.132) (Marked drop in performance here, and the outlier did take an awfully long time, does the first boot after security-misc installation do something weird?)
After adding usability-misc: (8.381 + 8.395 + 8.326) / 3 = 8.367
After adding dist-base-files: (8.516 + 8.399 + 8.431) / 3 = 8.448
After adding kicksecure-base-files: (8.253 + 8.461 + 8.430) / 3 = 8.381
After adding desktop-config-dist: (8.714 + 8.580 + 8.598) / 3 = 8.630 (Another marked drop in performance here)
After adding sdwdate: (8.867 + 8.751 + 8.946) / 3 = 8.854 (another marked drop in performance here, not really a surprise since this pulled in Tor)
After adding sdwdate-gui: (9.167 + 9.075 + 9.165) / 3 = 9.135 (another marked drop in performance)
After adding systemcheck: (9.057 + 9.125 + 9.103) / 3 = 9.095
After adding msgcollector-gui: (9.171 + 9.190 + 9.224) / 3 = 9.195 (noticeable performance drop)
After adding vm-config-dist: (9.245 + 9.378 + 9.112) / 3 = 9.245 (doesn't seem to be a truly reliable drop in performance)
After adding bootclockrandomization: (9.312 + 9.152 + 9.081) / 3 = 9.181
After adding dist-general-gui-lxqt: (9.264 + 9.112 + 9.187) / 3 = 9.187
... should have done more incremental benchmarks here ...
After installing the rest of everything with kicksecure-qubes-gui-lxqt: (9.974 + 9.976 + 9.921) / 3 = 9.957
  • Takeaways from benchmarking:
    • It might be worth trying to avoid forking in our startup scripts; maybe having fewer forks and fewer units would allow for faster operation. Unfortunately Python multithreading isn't very fast, and Bash doesn't have multithreading, so we can't get parallelism and absence of forks at the same time.
    • We might see if we can avoid blocking startup on units that aren't startup-critical. sdwdate-gui, for instance, takes some time to come up, but also apparently blocks the UI showing up for a quarter of a second on my test machine, which could possibly be avoided.
    • None of the performance issues here seem particularly egregious to me, certainly not enough to cause slews of timeouts like we're seeing in Whonix's tests on OpenQA.
    • I used a very low-RAM system for this, and it worked quite well; no memory exhaustion issues were encountered.
    • Further research needs to be done on the specific tests that are timing out to determine what they're trying to do that is timing out.
  • Investigation of logs from a DispVM test where Whonix-Workstation timed out:
    • Qubes' test infra seems to have a periodic hardware lag issue that affects all VMs.
    • Whonix is probably just the first thing to trim timeouts because we have too many services doing too many resource-intensive tasks during early boot.
guest-disp2246.log (Fedora Linux 42, 7 second kernel load time, 1 second from "Qubes: done" to disk mount, login prompt, 35 second runtime)
guest-disp3748.log (Fedora Linux 42, 6 second kernel load time, 2 seconds from "Qubes: done" to disk mount, login prompt, 66 second runtime)
guest-disp5735.log (Fedora Linux 42, 7 second kernel load time, 2 seconds from "Qubes: done" to disk mount, login prompt, 29 second runtime)
guest-disp5839.log (Debian 13, 6 second kernel load time, 9 seconds from "Qubes: done" to disk mount, login prompt (barely), 60 second runtime)
guest-disp5955.log (Whonix-Gateway 18, 9 second kernel load time, 12 seconds from "Qubes: done" to disk mount, no login prompt, 81 second runtime)
guest-disp6231.log (Whonix-Gateway 17, 7 second kernel load time, 3 seconds from "Qubes: done" to disk mount, login prompt, 62 second runtime)
guest-disp6497.log (Debian 13, 6 second kernel load time, 8 seconds from "Qubes: done" to disk mount, login prompt (barely), 39 second runtime)
guest-disp678.log (Fedora Linux 42, 8 second kernel load time, 4 seconds from "Qubes: done" to disk mount, login prompt (barely), 39 second runtime)
guest-disp7152.log (Whonix-Workstation 18, 7 second kernel load time, 6 seconds from "Qubes: done" to disk mount, no login prompt, 70 second runtime)
guest-disp9514.log (Debian 13, 5 second kernel load time, 6 seconds from "Qubes: done" to disk mount, login prompt (barely), 43 second runtime)
guest-sys-net.log (Fedora Linux 42, 6 second kernel load time, 0 seconds from "Qubes: done" to disk mount, login prompt, hours long runtime for obvious reasons)

user session shutdown issue


fix VirtualBox green turtle

  • Test with Windows Home, if possible.
  • Test with Windows Pro.
  • Document how to use VirtualBox with Hyper-V.
    • https://www.virtualbox.org/manual/topics/AdvancedTopics.html#hyperv-support
    • This is important because it is the future.
    • It is also important because it requires fewer changes to Windows. It does not require disabling Windows security features.
    • Using VirtualBox with Hyper-V might not be possible on Windows Home.
      • There are mixed reports about whether Windows Home supports "full" Hyper-V. The Home edition might use Hyper-V internally, which causes issues for VirtualBox. ("green turtle")
  • Document how to use VirtualBox with VirtualBox's native virtualization ("blue chip" symbol instead of "green turtle").
    • This might be useful for users on Windows Home edition.
    • Add the required commands to fix the VirtualBox "green turtle" in the wiki: VirtualBox/Green_Turtle_Issue
    • Documentation on how to manually change the settings is useful for understanding but should not be the ultimate goal.
    • All steps should be executable using command-line commands only, as there are too many steps to perform manually.
    • Consider accomplishing this using Windows Intune.
    • Write a batch script (if not using Windows Intune).
    • Add an option to the Windows Installer to do this.
    • If unsolvable, document everything learned or attempted. This might assist others in continuing the work. Collect any helpful links and add quotations from useful information.
  • Essentially, explore and document both approaches: using VirtualBox with Hyper-V and using VirtualBox with its native virtualization while disabling Windows' Hyper-V.
  • Aaron: Current research:
    • Intune is not free and does not work on home editions of Windows, thus not usable.
    • PowerShell scripting would likely make quick work of this, but unfortunately Microsoft prevents one from running PowerShell scripts without taking explicit (and IIRC convoluted) steps to enable them, as a security feature.
    • Probably the easiest solution is to use a batch file and then execute it as administrator (which is tricky but not impossible; requires calling a ShellExecuteExW function in the Windows API with the "runas" verb, see https://learn.microsoft.com/en-us/windows/win32/shell/launch, this should trigger a UAC prompt, then the script should be able to run and do whatever it needs to).
    • Batch files for disabling Hyper-V and re-enabling virtualization-based security under Windows 11 Home have been created. Still need to wire them into Whonix-Installer itself.
  • todo: add debug output to script in case there are issues, users can post the debug output
    • Aaron: Done.
  • todo: run hypervisorlaunchtype auto and hypervisorlaunchtype Off to work around windows bug experienced by Patrick
    • Aaron: Done.
  • todo: run at the end for debugging Get-CimInstance Win32_ComputerSystem | Select-Object HypervisorPresent
  • todo: add these commands?
  • todo: disable firmware protection
    • Aaron: Done.
  • todo: explain commands and potential failures as echo comments
    • Aaron: Done.
  • todo: add separator output between lines
    • Aaron: Done.
  • todo: allow the script to be executed by the installer
    • option: enable, disable
    • default: none (require user choice)
    • show link to the related wiki page
Fix VirtualBox green turtle issue which can cause grave VirtualBox stability and performance issues by fully disabling Windows Hyper-V?

Notes:

* Security impact: Unfortunately, this also necessarily disables various Windows security features.
* Root issue caused by: VirtualBox, Microsoft Windows
* Root issue not caused by: VM guest operating systems such as Whonix.

Alternatives:

* Linux based host operating systems are unaffected. See host operating system selection.
* Perhaps try out Kicksecure (on USB)?
* Or Whonix-Host in the future? (Not yet available at time of writing.)

https://www.kicksecure.com/wiki/VirtualBox/Green_Turtle_Issue
https://www.kicksecure.com/wiki/Host_Operating_System_Selection
https://www.kicksecure.com
https://www.kicksecure.com/wiki/USB_Installation
https://www.whonix.org/wiki/Whonix-Host

review tor-control-panel anon-connection-wizard merge


trixie-port - usability-misc versus policyrcd-script-zg2

  • usability-misc Depends: on policyrcd-script-zg2
  • todo: think through if this dependency should be removed, moved elsewhere and can interact badly with user-sysmaint-split policyrcd
  • Aaron:
    • Very unlikely to interact badly. policyrcd-script-zg2 uses the alternatives system, as does user-sysmaint-split, and user-sysmaint-split installs its policy-rc.d with a higher priority than policyrcd-script-zg2, therefore it will take priority. However, this also means that the functionality offered by policyrcd-script-zg2 is broken, likely including the pointer to helper-scripts' policy-rc.d in the POLICYRCD environment variable used by apt-get-noninteractive.
    • The use of POLICYRCD in apt-get-noninteractive seems superfluous and possibly even bad. During package builds, disabling daemon restart makes sense, but this is done by installing helper-scripts' policy-rc.d with a higher priority than even user-sysmaint-split's version, so POLICYRCD is unnecessary to prevent things like unintentional connections to Tor. Done in help-steps/prevent-daemons-from-starting. Users who use apt-get-noninteractive would probably reasonably expect daemons to be restarted during installation of new packages.
    • Suggestion: Remove dependency, strip all instances of POLICYRCD from codebase where the variable is set to a path. (Currently the variable is only set in apt-get-noninteractive and dpkg-noninteractive. There is also a use in grml-debootstrap but it appears to be used as a flag, not a path, thus this should not be removed.)
  • Patrick:
    • Because daemon restarts can cause APT upgrade failures and `apt-get-noninteractive` is designed as a tool to easily fix broken APT. Documented in its man page just now. Therefore, please keep that as is.
    • todo: move dependency of policyrcd-script-zg2 from usability-misc to helper-scripts?
    • todo: review policyrcd-script-zg2. seems to be a stable, not changing much, simple package with only 1 essential file: /usr/sbin/zg-policy-rc.d
    • todo: please port user-sysmaint-split to policyrcd-script-zg2, if sensible

sdwdate-gui - json decode bug

+ /usr/libexec/helper-scripts/terminal-wrapper 'leaprun sdwdate-log-viewer'
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_gui_client.py", line 393, in sdwdate_status_changed
    status_dict: dict[str, str] = json.load(f)
                                  ~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/__init__.py", line 293, in load
    return loads(fp.read(),
        cls=cls, object_hook=object_hook,
        parse_float=parse_float, parse_int=parse_int,
        parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
  • Patrick: Not seen in a while. Might already be fixed. If the code does not have any obvious issues, this is probably alright.
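As an added example (not sdwdate or sdwdate-gui code) of how a reader can avoid the crash in the traceback above, here is a status-file reader that treats a missing, empty or partially written file as "no status yet" instead of raising JSONDecodeError, beside a writer that publishes the file atomically via rename so that readers never observe an empty or truncated file. The status field names are constructed placeholders, not sdwdate's real format.

```python
import json
import os
import tempfile
from typing import Optional


def write_status_atomic(path: str, status: dict) -> None:
    """Publish `status` as JSON without ever exposing an empty or partial file.

    The data goes to a temporary file in the same directory (so the rename
    stays on one filesystem), is fsynced, and is then moved into place with
    os.replace(), which is atomic on POSIX: a concurrent reader sees either
    the old complete file or the new complete file, never an empty one.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".status-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(status, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        # Never leave a stray temp file behind if anything above failed.
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def read_status(path: str) -> Optional[dict]:
    """Return the status dict, or None when there is nothing valid to read yet.

    A bare json.load(f), as in the traceback above, raises JSONDecodeError
    ("Expecting value: line 1 column 1 (char 0)") on an empty file; here the
    'not written yet' and 'being written' cases are handled explicitly.
    """
    try:
        with open(path, "r", encoding="utf-8") as f:
            raw = f.read()
    except FileNotFoundError:
        return None
    if not raw.strip():
        return None  # writer truncated the file but has not written yet
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None  # partial write or garbage; caller keeps the last good status
    if not isinstance(data, dict):
        return None  # a bare string or number is not a status object
    return data


def demo() -> dict:
    """Exercise the four cases a reader can encounter (constructed data)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "status")
        results["missing"] = read_status(path)
        open(path, "w").close()  # simulates a writer that truncated, nothing written yet
        results["empty"] = read_status(path)
        with open(path, "w", encoding="utf-8") as f:
            f.write('{"icon": "succ')  # simulates a partial write caught mid-way
        results["partial"] = read_status(path)
        # Placeholder field names; sdwdate's actual status format is not assumed here.
        write_status_atomic(path, {"icon": "success", "message": "ok"})
        results["complete"] = read_status(path)
    return results


if __name__ == "__main__":
    print(demo())
```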

systemcheck - document ignored systemcheck warning messages

  • /etc/systemcheck.d/30_default.conf contains a lot of ignored warnings/errors
  • please add comments on top why that line is being ignored
  • add links to upstream issues
  • in unknown cases, please investigate, report upstream
  • in case of unknowns, high effort, rabbit holes, please create follow-up issues

sysmaint-panel - add gsmartcontrol and smart-notifier

  • non-Qubes only
  • hardware only
  • add gsmartcontrol
  • also add smart-notifier, if sensible to task bar?

change program menu icons

  • sysmaint-panel and live-indicator: these are currently using the python logo
  • please use different icon (not necessarily project logo)

351-socks-auth-extensions


Qubes OS - whonix-workstation-18 performance issues compared to debian-13-xfce


genmkfile and or developer-meta-files - scan for empty folders and abort

  • cause reproducible issues

dracut improvements

  • install bash module by default? vs qubes initial memory
  • set SYSTEMD_SULOGIN_FORCE=1 by default to allow login into dracut emergency console even if root account password is locked

https://github.com/QubesOS/qubes-core-agent-linux/pull/526/files

vm-config-dist ai review


terminal login messages

  • adjust cli (virtual console) login manager messages based on session type (user session versus sysmaint session)
grep -r -i "default username"
find . | grep --fixed-strings issue.d
find . | grep --fixed-strings motd.d

heads - add whole disk boot mode

  • Kicksecure's ISO does not boot easily on Heads because booting it requires mounting the full disk device, whereas Heads is only designed to open individual disk partitions.
  • Add a new option to the boot menu for the whole disk device, for compatibility with ISOs like Kicksecure's.
  • Might not be needed if Heads upstream implements it first.

VirtualBox - shared folder - error handling

  • user story: I think that I added a shared folder already. But I am mistaken without knowing. The following error message by mnt-shared-vbox.service leads to hunting non-existing issues. The only issue is the omitted host configuration.
Nov 06 16:29:18 localhost mount-shared[1099]: /sbin/mount.vboxsf: mounting failed with the error: No such file or directory

VirtualBox - shared folder - confusing readme

  • The readme shows up even after shared folder is perfectly functional.
  • Maybe best to abolish the readme.
  • Readme is copied over and over again?

apparmor - allow_disconnected concerns


approx - work around and report metadata caching problems


qubes - qrexec to NetVM

  • investigate if it is possible to get the name of a qube's NetVM from within the qube, or otherwise send qrexec requests to the NetVM
  • contribute feature to upstream if it doesn't exist
  • use case: don't require sdwdate-gui in Qubes-Whonix-Workstation to be explicitly configured to talk to the appropriate Qubes-Whonix-Gateway in a multi-gateway setup

compiled code - investigate using clang

  • clang provides a minimal UBSan runtime which may be usable as an additional hardening feature.
  • Investigate if this is worthwhile.
  • gcc supports more warnings; perhaps use gcc and clang together for "diagnostic builds" and static analysis, and clang for release builds?
  • Perhaps build twice, first with gcc for testing only, then with clang?
    • Patrick: Keeping gcc support might be worthwhile as per non-technical reasons: GCC vs Clang-LLVM

port to sequoia-pgp

  • port all code base from gpg to sequoia-pgp as much as sensible
  • related - not part of this task - only for reference - https://github.com/QubesOS/qubes-issues/issues/8241
  • https://sequoia-pgp.org/blog/2022/12/19/202212-chameleon-0.1/
  • https://packages.debian.org/trixie/sequoia-chameleon-gnupg
    • Can we just symlink /usr/bin/gpg to /usr/bin/gpg-sq?
  • Aaron: Unsure if replacing gpg with gpg-sq wholesale is a good idea. Quoting the blog post on gpg-sq:
    • "A consequence of not modifying GnuPG’s state but using an overlay is that changes made using the Chameleon will not be picked up by GnuPG. For example, if you import a certificate using the Chameleon, it will only be inserted into the overlay, and GnuPG will not see it."
    • Would prefer porting to sq's native API instead, to avoid consistency issues.
  • Aaron: Delay until after the release of Kicksecure 18 perhaps? That way the work done here doesn't end up causing us major problems before the release is complete.
    • Delaying this may be essential, as Whonix 18 should release before Qubes OS R4.3 does.
    • Please move to WAITING ON if good to delay, move back to TODO if we should pursue this now.
      • Patrick: Please do in sequoia branch.

kloak - Qubes OS mouse anonymization improvements


optimize accountctl / get-user-list / get-password-status-list

  • current implementation: forks frequently, has to re-open and re-parse /etc/shadow and related files for every query. Results in noticeable performance delays in some scripts, also is non-atomic and vulnerable to race conditions.
  • better implementation: a library that caches /etc/shadow and related files when the library is sourced. Queries rely on in-memory data and avoid forking if possible.
  • refactor existing bash code? rewrite in Python? Python may be simpler and faster, but existing bash implementation seems very stable.

three finger salute

  • https://forums.kicksecure.com/t/ctrl-alt-del-three-finger-salute-action/1197
  • the three finger salute should do something useful similar to what it does on Windows
    • lock screen (Qubes does that)
    • start task manager
    • emergency shutdown button
  • Open a sysmaint (or root) shell?
    • This feature can be deferred.
    • SAK alike?
      • Can a compromised Wayland swallow the three finger salute and mount a login spoofing attack?
        • Aaron: No, because the salute is read by the handler via evdev, which is provided directly by the kernel. It could receive the keypress despite emerg-shutdown or similar seeing it too, but emerg-shutdown would SIGSTOP the compositor before running the actual Ctrl+Alt+Delete handler.
      • Perhaps we should use the real SAK, but reconfigure its action, if that is at all possible?
    • research SIGSTOP
      • Aaron: Looks like it works reliably, even when a stuck kernel thread is involved
    • research locked up kernel threads and their abuse potential
    • anti-phishing code
      • static
      • TOTP - perhaps at a later time

live-hardener vs efi bug

  • probably already resolved?
Aug 10 08:30:55 host live-hardener[767]: mount: /boot/efi: wrong fs type, bad option, bad superblock on overlay, missing codepage or helper program, or other error.
  • Patrick: Was already fixed

emergency-shutdown - bug - breaks Calamares installer


emerg-shutdown - delayed shutdown

  • emerg-shutdown may be triggered by accident, users should have an opportunity to cancel unless the root device has vanished entirely
  • for delayed shutdowns, show a warning of some sort and provide clear instructions on how to cancel the shutdown
    • switch to a TTY and display a red screen with warning text on it?
      • may conflict with agetty, investigate how to suppress it (or switch to a TTY that isn't in use and that agetty isn't configured to spawn on)
  • some users may need instant shutdown without warning, allow configuring the shutdown timeout, including making it 0

emerg-shutdown - versus ram-wipe

  • an init (systemd) wrapper?
  • root disk must be unmounted so kernel deletes Full Disk Encryption (FDE) key from RAM

emerg-shutdown - bugs

  • Qubes:
    • Should probably not run in Qubes at all? Disable using systemd unit file conditional?
Aug 10 06:10:23 host emerg-shutdown[635]: Failed to find any input device supporting panic keys!
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Main process exited, code=exited, status=1/FAILURE
Aug 10 06:10:23 host systemd[1]: emerg-shutdown.service: Failed with result 'exit-code'.
Aug 10 06:10:35 host memlockd[677]: Mapped file /lib/x86_64-linux-gnu/libgpg-error.so.0
  • Non-Qubes:
    • So far only observed in non-Qubes.
Aug 11 08:27:57 localhost memlockd[1006]: Error mmaping /etc/resolv.conf: Invalid argument

emergency-shutdown - debugging improvements

  • add more debug output:
    • every relevant code path should be written to journal
    • trigger needs to be recorded
    • action needs to be recorded
    • purpose: in case of bugs (such as above), it should be possible to debug this at least with a (virtual) serial console

chvt hardening


Qubes OS IPv6 DNS


Qubes in-vm kernel boot mode support


Qubes in-vm kernel support in general


timesync developer wiki page improvements


sdwdate refactoring and improvements

  • study sdwdate source code
  • lightweight refactoring (such as no longer using classes because these are used inconsistently)
  • separate into sdwdate-daemon and sdwdate-time-fetcher?
    • Aaron: sdwdate-daemon is a very interesting idea, most likely useful for the ClockVM idea, however it is only feasible in situations where one either has multiple networked physical machines or multiple connected virtual machines (i.e. VBox with one Whonix-Gateway and many Whonix-Workstations, or Qubes OS). This is because the daemon has to be able to change the system's time as it sees fit in order to get Tor working (i.e. first get consensus to work by using certificate lifetime if possible, then get circuits to work using consensus, then get real time from three separate servers which are now accessible since circuits work). There is no way to isolate CLOCK_REALTIME changes from the rest of the system, Linux has time namespaces but they don't virtualize CLOCK_REALTIME. Thus sdwdate-daemon would have to be able to modify the system time freely in its mission to find the right time.
    • In theory, this could be avoided if time changes could be communicated to the Tor daemon without modifying the system's wall clock. I do not know if this is possible, I suspect it isn't. Even though it is technically feasible, it would potentially be immensely complicated to implement.
    • Perhaps implement sdwdate-daemon as a process that only returns whatever the next time step is, and also indicate whether there are further steps? Then sdwdate-time-fetcher could either ignore the date if the daemon indicates more steps are still to come, or accept it. The ClockVM itself would unconditionally accept sdwdate-daemon's reported time values in order to assist it in finding the correct time, then client VMs would only update their clock once the "final step" was reached.
  • sdwdate oneshot feature (pick the median time from the 3 pools, output to console, then exit) if considered useful for the next bullet point
  • add support for sdwdate to be used as a Qubes-Whonix-Gateway as ClockVM
  • note: sdwdate can already fix the clock if it is very slow (with the help of Tor consensus and anondate)
    • Aaron: If the clock is very very slow, this seems to not work. Might be possible to use Tor certificates to get within a year of the correct date, then attempt to brute-force a month that will allow Tor consensus to work. As long as the Tor network itself will not work if the clock is too far off, we don't have to worry too much about replay attacks, untrusted data, etc. - the worst an attacker could do is denial of service, we'll only get working connectivity if we get very close to the correct time (or an adversary controls so many of the servers we're using it can trick us into thinking our time is correct, which is statistically unlikely...? is it actually statistically unlikely?)
  • add feature to sdwdate to allow it fixing the clock if it is very fast too
    • it may not be possible to implement such a feature securely (setting the clock forward has no security risk but setting the clock backwards makes already expired keys valid again). perhaps should just be a manual action? in theory, by setting the clock backwards very far into the past, sdwdate should be able to fix it. Perhaps we could try once to set the clock backwards just a few hours (not years) based on Tor consensus / anondate? Or perhaps this should only be possible by manual user action?
  • use chrony - time setting only - not time fetching - as a replacement for sclockadj as per Dev/sdwdate
    • or if easier, saner, port sclockadj from clock_settime to adjtimex?
    • Aaron: Probably easier to port sclockadj, chrony looks a bit dangerous to me.
    • please research, consider various options

kicksecure - update torification improvements

[edit]
  • only shipped-by-default apt repositories go through Tor
  • ideally, newly added apt repositories should go through Tor as well, as should flatpak installation and updates
    • Flatpaks can be made to go through Tor by enabling an HTTPTunnelPort in Tor, then setting http_proxy and https_proxy to http://localhost:9080 (assuming your port number is 9080) when running Flatpak. There doesn't appear to be a way to set a proxy in Flatpak's configuration, thus this would probably require a wrapper.

flatpak update integration

[edit]

stream isolation socks user name new spec implementation

[edit]

investigate Debian Rolling

[edit]
  • investigate why Debian Rolling initiative failed
    • From initial research:
      • Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
      • Limited manpower, no one appears to have tried to actually do it
      • Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
      • Likely worth trying to resurrect
  • contact people involved previously, if that makes sense
  • suggest prospective developers
  • Started to write tooling for this: https://github.com/ArrayBolt3/drk. Very incomplete, nowhere near usable. Will keep developing this.

repository-dist-wizard - improvements

[edit]
  • Kicksecure GitHub repository-dist repository
  • GUI: detect the stable, stable-proposed-updates, testers, developers setting in the GUI, i.e. if re-running the tool, keep the former setting. Should this depend on the previous choice in the GUI (status files, probably easier) or on the actual status on disk (which might have been manually modified by the user)?
  • add support for switching back and forth between clearnet and onion

Tool to onionize all APT sources

[edit]

verified boot implementation

[edit]
  • assume firmware can extend trust to kernel via Sovereign Boot
  • create a system for extending trust from kernel to initramfs and userland
  • possibly investigate immutable images?
  • Implementation idea notes:
    • A system running with Verified Boot enabled must have the root partition in live mode (read only with tmpfs overlay). Therefore something similar to live mode will be needed when running in "verified mode"
    • dm-verity is what Google uses; there seems to be no compelling reason for us to avoid it.
    • Kernel modifications are not permitted: Kicksecure will be signing Debian's shim, meaning only vanilla Debian kernels will be bootable. Rely on alternative ways of storing the dm-verity root hash in a secure, immutable fashion, such as:
      • TPM / Measured Boot? Highly desirable if security issues don't result, as this avoids the need for user interaction unless something goes wrong.
        • Would require some way of authenticating that the TPM has not been reset (similar to Heads TOTP/HOTP codes)
      • User providing the hash on an external drive?
      • Verification passphrase similar to LUKS passphrase?
    • Patrick: TPM is unavailable inside VMs? In this case, verified boot support is still desirable.
  • Patrick
    • Whonix-Gateway: either no verified boot initially or install user-sysmaint-split by default
    • persistent mode, verified boot should still allow for logs persistent
    • When the verification is over?:
      • "verification is a continuous process happening as data is loaded into memory"
      • "This means if malware manages to modify the /usr/bin/mv program despite immutability, then dm-verity would notice this the next time the user or system is attempting to execute that command."
      • The security gained from this feature is somewhat reduced if the attacker can use ephemeral overlays.
    • consider enabling sudo access in the USER session (developer debug mode): disable verified boot + write to disk + regenerate the verified boot hash tree (this is to ease debugging issues that only happen in the user session but not in the sysmaint session)
  • prefer Debian on a true read-only filesystem without an ephemeral overlay, to benefit from the kernel's continuous verification after boot

calamares - add module to select or unselect firmware-nonfreedom

[edit]
  • default selection: none - require explicit user choice. If possible, otherwise default to "yes, install firmware-nonfreedom".

permission-hardener - live bug

[edit]
  • got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1)  ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'postinst' $\*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
  • random guess: Could there be issues with non-latin language settings?
  • Why is it /usr/lib/live/mount/rootfs/filesystem?
  • Could it be that the user booted into live mode?
  • Maybe a case of low RAM where no further writes to RAM were possible?
  • Booting into live mode and using APT should be supported as much as feasible.
  • In case of insufficient information, could you please add debug code to provide more information in the future?
  • Unsure if further information can be requested from the reporter, but I could try.
  • Useful to add:
test -w "${file_name_from_stat}"
  • permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
  • Aaron: Cannot reproduce on ISO or in LIVE mode USER.
    • The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
      • All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
      • We already offer a live Kicksecure ISO.
      • None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
      • And of course, permission-hardener doesn't expect anything under /usr to be read-only.
    • Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
  • Patrick: Done. Documented.
  • Could you please add better error handling in this case?
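An added example (not permission-hardener's own code) of the pre-flight check suggested above: the `test -w` equivalent via access(2), and when the write would fail, a lookup of the path in /proc/self/mounts so the error can name the read-only live medium or squashfs mount instead of just a dpkg-statoverride exit code. The mount table below is constructed to resemble the session in the report; the real check reads /proc/self/mounts.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Mount is one entry of /proc/self/mounts (fields: source target fstype options ...).
type Mount struct {
	Target  string
	FSType  string
	Options []string
}

// constructedMounts is a made-up mount table shaped like a Debian Live session,
// using the live medium and squashfs paths that appear in the bug report above.
const constructedMounts = `overlay / overlay rw,relatime 0 0
/dev/sr0 /usr/lib/live/mount/medium iso9660 ro,noatime 0 0
/dev/loop0 /usr/lib/live/mount/rootfs/filesystem squashfs ro,noatime 0 0
`

// ParseMounts parses /proc/self/mounts text. The kernel escapes spaces and
// similar characters in mount points as octal (\040); decode them so that
// prefix matching against real paths is exact.
func ParseMounts(table string) []Mount {
	var mounts []Mount
	unescape := strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		mounts = append(mounts, Mount{Target: unescape.Replace(f[1]), FSType: f[2], Options: strings.Split(f[3], ",")})
	}
	return mounts
}

// MountFor returns the mount whose target is the longest prefix of path, i.e.
// the filesystem the path really lives on (a mount under /usr wins over /).
func MountFor(mounts []Mount, path string) (Mount, bool) {
	var best Mount
	found := false
	for _, m := range mounts {
		prefix := strings.TrimSuffix(m.Target, "/") + "/"
		if path == m.Target || strings.HasPrefix(path, prefix) {
			if !found || len(m.Target) > len(best.Target) {
				best, found = m, true
			}
		}
	}
	return best, found
}

// ReadOnlyReason is a pure diagnosis over a parsed mount table: "" if nothing
// in the table forbids writing to path, otherwise a message naming the
// read-only mount, which is what the error output in the report lacks.
func ReadOnlyReason(mounts []Mount, path string) string {
	m, ok := MountFor(mounts, path)
	if !ok {
		return ""
	}
	for _, o := range m.Options {
		if o == "ro" {
			return fmt.Sprintf("%s lives on read-only %s mount %s (live medium or squashfs image, not a writable root)", path, m.FSType, m.Target)
		}
	}
	return ""
}

// CheckWritable is the pre-flight check itself: access(2) with W_OK, the same
// test as `test -w`. For root, access() succeeds on a mode-0444 file but still
// returns EROFS on a read-only filesystem, which is exactly the live-mode case.
// On failure the real /proc/self/mounts is consulted for a diagnosis.
func CheckWritable(path string) error {
	const wOK = 2
	err := syscall.Access(path, wOK)
	if err == nil {
		return nil
	}
	if table, rerr := os.ReadFile("/proc/self/mounts"); rerr == nil {
		if reason := ReadOnlyReason(ParseMounts(string(table)), path); reason != "" {
			return fmt.Errorf("refusing to change permissions: %s: %w", reason, err)
		}
	}
	return fmt.Errorf("cannot change permissions of %s: %w", path, err)
}

func main() {
	mounts := ParseMounts(constructedMounts)
	for _, p := range []string{"/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec", "/usr/lib/live/mount/medium/usr/bin/sudo", "/usr/bin/sudo"} {
		fmt.Printf("%s -> %q\n", p, ReadOnlyReason(mounts, p))
	}
}
```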

audio

[edit]

audio generally

[edit]

VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug?

[edit]

live-build - test lb config --dm-verity

[edit]
  • Does the ISO still function if built with lb config --dm-verity?
  • Does it break apt-get install pkg-name? It might not break it due to overlayfs.
  • Lacks live-build support when used with dracut:
    • lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
    • The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
    • dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
    • No kernel command line options are added to the ISO for verity setup

Kicksecure Firewall

[edit]

https://forums.kicksecure.com/t/kicksecure-firewall/378/10

Meta Packages, Kicksecure, Whonix - Desktop versus Server

[edit]

https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415

wipe video RAM

[edit]
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
  • if doable with reasonable effort

Tor 0.4.8.9 broken in combination with vanguards

[edit]

VirtualBox serial console

[edit]
Nov 24 10:13:35 localhost agetty[1346]: -: failed to get terminal attributes: Input/output error
[edit]

KVM - 3D Graphics Acceleration - SPICE - Testing - drm

[edit]

KVM - 3D Graphics Acceleration - Performance Test - Display SDL

[edit]

KVM - 3D Graphics Acceleration - Performance Test - Display GDK

[edit]

KVM - verify AppArmor sVirt confinement operation

[edit]

KVM - use rootless

[edit]

KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections

[edit]

KVM - IPv6 router advertisement issues

[edit]
  • when <dns enable=no/> is set in Whonix-external-network.xml, Whonix-Gateway cannot get an Internet-facing IPv6 address
  • router solicitation messages are being sent according to tcpdump but router advertisement messages are not being received in response
  • removing <dns enable=no/> from both the external and internal network configuration resolves the issue
  • removing <dns enable=no/> from only the external network configuration resolves the issue if and only if Whonix-Gateway is allowed to fully boot before Whonix-Workstation is started
  • above issues are present with Ubuntu 24.04's libvirt
  • test a newer libvirt version (using Arch Linux?)
  • file bug report if necessary

machine-id research

[edit]
  • in preparation for the next task
  • please read prior discussions
  • https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
  • https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
  • https://forums.whonix.org/t/anonymize-etc-machine-id/7721
  • https://gitlab.tails.boum.org/tails/tails/-/issues/7100
  • nowadays implemented in dist-base-files
    • ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
    • ./packages/kicksecure/dist-base-files/etc/machine-id
  • but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
  • The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
  • Calamares is designed to write the machine-id files at installation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
    • Patrick: Please implement.
    • Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way. Whonix VMs still need these.

Polkit - run only in sysmaint session

[edit]
  • Polkit
  • todo: discuss
  • find solutions on how to have functional shutdown/restart/etc. buttons

speed up build system

[edit]
  • get --force-unsafe-io working again or at least partially working, it's broken with mmdebstrap but maybe we can use it in some areas at least
  • parallelize package builds if possible
  • if we could figure out a hack to use native (de)compression routines rather than emulated ones that would probably help immensely

per-app UID sandboxing

[edit]
  • todo: discuss
  • related to the following tasks
  • nested wayland?

stackable wrappers

[edit]

check out bubblejail

[edit]

sandbox-app-launcher

[edit]
  • sandbox-app-launcher
  • review
  • promising? worth bringing back to life, polishing?
  • at odds with apparmor.d?
  • better using bubblejail?

automated test suite - cli version

[edit]
  • todo: discuss

apparmor.d review

[edit]

improved server support

[edit]
  • documentation
    • rebrand wiki CLI for server
  • Linux account passwords?
  • cloudinit?
  • vm-config-dist versus autologin CLI vs GUI vs server

hidepid

[edit]

research shred

[edit]
  • research if shred is still useful nowadays
  • if not, should be replaced by safe-rm

WAITING ON

[edit]

Qubes - sdwdate-gui - needed tags for qrexec aren't set on Whonix standalone

[edit]

trixie-port - Qubes - salt - template-whonix-workstation-18

[edit]

security-misc - review pull requests

[edit]

trixie-port - Qubes journal log messages

[edit]
  • Qubes. Should be fixed but is not fixed. Happening after boot.
Oct 27 13:40:36 host qrexec-agent[12402]: 2025-10-27 13:40:36.085 qrexec-agent[12402]: exec.c:902:find_qrexec_service: Warning: ignoring skip-service-descriptor=true for execute executable service /etc/qubes-rpc/qubes.UpdatesProxy
  • Qubes. Happening after boot.
Oct 27 13:50:13 host systemctl[14620]: Failed to connect to user scope bus via local transport: $DBUS_SESSION_BUS_ADDRESS and $XDG_RUNTIME_DIR not defined (consider using --machine=@.host --user to connect to bus of other user)
  • Qubes. Happening when using sdwdate-gui log viewer from systray to open a terminal emulator.
host xdg-desktop-por[1655]: Failed to load RealtimeKit property: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.RealtimeKit1 was not provided by any .service files
  • Same as above.
xdg-desktop-por[1655]: Failed connect to PipeWire: Couldn't create PipeWire context

trixie-port - screen briefly unlocked after wake from suspend

[edit]
  • LXQt unfortunately puts the system into suspend before locking the screen. However, this does not occur on Arch Linux. Debug and determine whether Debian needs a patch or our configuration needs to change.

calamares - keyboard layout setting broken in Wayland

[edit]
  • todo
  • please set up for
    • CLI user
    • CLI sysmaint
    • GUI user
    • GUI sysmaint
  • Aaron: Moving the systemd-localed keyboard layout set disable file out of the way does not result in labwc picking up the keyboard layout settings from Calamares. Will need to create a shellprocess module or similar to hack this into working right.
  • Aaron: Implemented, changes pushed to helper-scripts, user-sysmaint-split, lxqt-wayland-session, and live-config-dist. All four scenarios now work as expected.
    • Patrick: Merged.
  • Patrick: Is this reported upstream, so one day Debian, calamares will be fixed and can be used without XWayland?

Qubes R4.3 bypass review

[edit]

Qubes misc review

[edit]
  • https://github.com/QubesOS/qubes-core-agent-linux/pull/613
  • https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25
    • The code on this one is mostly good but has one major flaw; any time a DispVM or NetVM somehow ends up set to None, the code is designed to always honor that and never change it away from None, as a security feature. This seems good on the surface, but there are way too many instances where the code winds up with a default DispVM of None, which ends up causing somewhat broken behavior:
      • Templates are created before whonix-workstation-18-dvm, and so both Whonix-Gateway and Whonix-Workstation templates end up with a default DispVM of None even though they're supposed to be able to have a default DispVM of whonix-workstation-18-dvm.
      • StandaloneVMs created by cloning a template end up with a default DispVM of None because their parent template had a default DispVM of None as well.
      • I'm pretty sure cloned templates will have the same problem.
    • Two ideas come to mind:
      • Maybe we just live with this? It's better than the wrong default DispVM being set at least.
      • Maybe we don't honor the default DispVM being set to None, and force it back to an appropriate value if possible? If a user really wants to disallow the use of DispVMs in a particular qube, they can use qrexec policy.
    • What would really be nice is if there were two different kinds of "None" in Qubes, one for "the user explicitly set this to None" and one for "the OS set this to None because there was no better option at the time". But unfortunately we don't have that.
    • Tested, awaiting merge.

Qubes R4.2 default_dispvm bypass

[edit]

kloak - handle dynamic keyboard layout changes

[edit]
  • when the user changes the keyboard layout in labwc, kloak's keyboard layout configuration does not change to match
  • Aaron: Discovered this is a bug in labwc, reported: https://github.com/labwc/labwc/issues/3113
    • Waiting on upstream's response. For now, we should document that one must restart kloak with Right Shift + Escape to make a keyboard layout change take effect.

apt solver bug - pulling in incorrect alternative dependencies

[edit]

trixie port - update derivative signing key derivative.asc

[edit]
  • plan how to use a new signing key
    • Aaron: Where all do we use the signing key? It's used to sign:
      • apt packages
      • git commits
      • git tags
      • OS images
      • Warrant canaries?
        • These are signed by OpenBSD's signify tool, not GPG, thus their key migration does not necessarily have to be bound to derivative.gpg's rotation.
      • anything else?
    • apt package migration:
      • Due to how apt packages work, it is probably best to do this during release upgrade. Ship a new version of the key in legacy-dist in Bookworm only, install it during the release upgrade procedure and ensure all packages that are ever a part of the trixie repositories are signed with the new key.
    • git commit/tag migration:
      • The key expires, so there isn't a risk of it being used to sign newer packages after expiration. Just start signing commits with the new key and let expiration handle everything else.
      • Add the new key to the list of trusted keys in derivative-maker so that people can still build older tags/commits if they need to.
    • OS image migration:
      • Just start using the new key to sign OS images. Announce the key change publicly (i.e. on the forums) so users expect to need to update their key. Sign the new key with the old key so that users with high security requirements can transition from one key to the next without having to re-establish trust in the key.
    • Canary migration, if needed:
      • Can we just start signing canaries with the new key? Or do we need to put the canaries in a different location and stop updating the old ones?
  • Patrick:
    • The plan might be good enough.
    • I might just extend the validity of the signing key and postpone this plan.
  • Patrick:
    • Key has been extended.
  • Aaron:
    • Moved to WAITING ON for now, we should move this back to TODO once we're ready to do the actual key rotation.

investigate Tor Browser metadata signing and expiration

[edit]

Rollback Attacks Definition:

The Update Framework (TUF) defines `rollback attacks` [x]

> An attacker presents files to a software update system that are older than those the client has already seen. With no way to tell it is an obsolete version that may contain vulnerabilities, the user installs the software. Later on, the vulnerabilities can be exploited by attackers.

Rollback Attack Protection and Valid-Until Field

Rollback attacks attempt to trick the updater into applying an outdated (and potentially vulnerable) version of the software. One widely recommended mitigation against rollback attacks is using a "Valid-Until" field or equivalent freshness period in the signed metadata, after which a given update should no longer be accepted.

Firefox's internal updater does not publicly mention using a "Valid-Until" field (or an explicit expiration on update metadata) to guarantee update freshness or to safeguard against replay/rollback attacks in the way that systems like The Update Framework (TUF) or Debian's APT do.

Non-solutions:

TLS might mitigate this attack, but higher security than what TLS can offer should be provided in case of TLS or server compromise.

Solution:

Server side: Sign, automatically periodically re-sign update metadata.

Client side: Accept only metadata signed up to a certain age.

Resources:

Mozilla has blogged about rollback attacks in the past. [x]

[x] https://theupdateframework.io/docs/security/

[x] https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/

  • Aaron: Filed issue against Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44039 Also requested a Tor Project Gitlab account, which I now have.
    • I did not file a report against Mozilla Firefox, because their update mechanism involves automatically generated XML created by a backend server, whereas The Tor Project's update metadata seems to be static and not nearly as complicated.

grml-debootstrap bootloader installation failure in Docker

[edit]
  • https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
  • please use discretion on how worthwhile it is to spend time on this. as in, if you think it's doable without huge effort and you like docker, please implement. Otherwise, please only provide instructions for reproduction and leave it to upstream or tableseeker to fix.
    • Aaron: Ran into complications trying to fix this myself, handed off to tabletseeker for further investigation.

RPi GRUB - contribute to Debian

[edit]
add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]

Booting in this way has several substantial advantages over the current Raspberry Pi boot process:

* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.

Is this a feature for which you would welcome a merge request here, either as an option or even as the default?

Obviously, at this point, RPi GRUB support could only be added to Forky and later.

(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)

* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335

RPi grml-debootstrap

[edit]

grml-debootstrap - EFI partition size

[edit]

GRUB - Debian packages grub-pc and grub-efi co-install-ability

[edit]

ISO - GRUB - silence cosmetic errors in live ISO GRUB

[edit]
  • Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
  • Investigate how to fix this, potentially make an upstream feature request or patch if needed
  • Errors include loadfont issues, Secure Boot loading issues
  • Sent email to grub-devel mailing list to investigate this

ISO - memtest86+

[edit]
error: bad shim signature

test SysRq keys under LXQt Wayland

[edit]

ISO - changed files issues

[edit]

(annotated)

+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
  • All of these are modified by live-build itself:
    • /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
    • /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
    • /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
    • /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
    • /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
      • Proposal for fixing this made.

ISO - Finish Module Action Follow-Up

live-build - add mmdebstrap support

live-build - use APT with error-on-any

  • use option apt --error-on=any for all invocations of apt-get (update)
  • only needed for apt-get update, otherwise superfluous but non-issue
  • this is a security feature
  • this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
  • can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
  • Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
  • Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
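
The failure mode behind this task (apt-get update exiting 0 although one of several repositories failed) is easy to reintroduce in a hook that someone edits later. The following lint is an added example, not live-build code: it reports every `apt-get update` / `apt update` invocation in a hook file that does not pass `--error-on=any`. The hook contents it scans are constructed for the example; the function name `find_lax_apt_update` is an assumption.

```shell
#!/bin/sh
# Added example, not live-build code: a lint for build hooks that flags
# "apt-get update" / "apt update" invocations lacking --error-on=any.
# Without that option apt-get update exits 0 even if one of the configured
# repositories (e.g. the security one) could not be fetched, which is how an
# image ends up built against an inconsistent package set.
# The hook contents used below are constructed for this example.

# Print each offending line as "<file>:<lineno>: <line>"; return 1 if any.
find_lax_apt_update() {
  lax_file="$1"
  lax_found=0
  lax_n=0
  while IFS= read -r lax_line || [ -n "$lax_line" ]; do
    lax_n=$((lax_n + 1))
    # strip leading whitespace so indented comments are recognised
    lax_trim="${lax_line#"${lax_line%%[![:space:]]*}"}"
    case "$lax_trim" in
      "#"*) continue ;;
    esac
    case "$lax_trim" in
      *apt-get*update*|*"apt "*update*)
        case "$lax_trim" in
          *--error-on=any*) ;;
          *) printf '%s:%s: %s\n' "$lax_file" "$lax_n" "$lax_trim"
             lax_found=1 ;;
        esac ;;
    esac
  done < "$lax_file"
  [ "$lax_found" -eq 0 ]
}

# Constructed hook for the demo: lines 4 and 7 should be reported.
write_sample_hook() {
  cat > "$1" <<'EOF'
#!/bin/sh
set -e
# apt-get update is run below; this comment must not be reported
apt-get update
apt-get -o Acquire::Retries=3 update --error-on=any
apt-get install -y dracut
  apt update
EOF
}

demo=$(mktemp -d)
write_sample_hook "$demo/hook.chroot"
if find_lax_apt_update "$demo/hook.chroot"; then
  echo "all apt update invocations are strict"
else
  echo "non-strict apt update invocations found (see above)"
fi
rm -rf "$demo"
```

The matching is a substring heuristic (a line such as `apt-get install update-notifier` would be reported too); it is meant as a quick pre-build check over `live-build/share/hooks`, not as a shell parser.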

security-misc - investigate PAM

  • there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
  • PAM has the concepts of common-session-noninteractive (included by /etc/pam.d/sudo) vs common-session (interactive, included by /etc/pam.d/sudo-i)
  • how could we on the PAM level notice if faillock is used interactively or non-interactively?
  • if non-interactive, skip faillock
  • if interactive, do not skip faillock
  • Bug reports:
  • Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.

live-build - grub.cfg GRUB configuration - loopback.cfg

  • add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as Debian Live ISOs have)
  • Requires fixes in live-build and Dracut to make work:
    • live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
    • dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
      • Task is on hold until we migrate to Trixie.
    • (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)

live-build - lb-binary should not run apt-get update

live-build - policy-rc.d handling

REVIEW PLEASE

trixie-port - suspend bug

  • user reported
  • Bug: suspend results in black screen with no recovery (unless hard reboot)
  • lock-screen reports it cannot lock the screen and system then frozen. Might not be related to lock-screen.
  • Aaron: Cannot reproduce on my main development machine. On a testing machine, an instant reboot was observed after waking from sleep, but installing debug-misc made the reboots stop. Checking dmesg after wake revealed a kernel warning occurring while waking a device from suspend during a filesystem write. Issue is therefore likely hardware-specific, and may be resolved by disabling panic-on-warn.

ARCHIVED

trixie-port - ISO - static network configuration broken in user session

  • in Qubes, but might be a general bug related to static network configuration
  • no network card seen in user session
  • Aaron: Cannot reproduce, details shared in chat.
  • Patrick: See two videos provided by user.
  • Aaron: Reproduced issue, discovered root cause ("All users may connect to this network" was disabled). Documented that one should not disable this setting with user-sysmaint-split installed, and documented how to fix the system after this happens.

privleapd restart bug

  • hit this in Kicksecure for Qubes by changing privleapd configuration and restarting it a lot
sudo genmkfile install && sudo systemctl restart privleapd && systemcheck --verbose --function check_kernel_messages        
/usr/share/genmkfile/make-helper-one.bsh: INFO: install
/usr/libexec/systemcheck/systemcheck: WARNING: Cannot communicate with privleapd. File '/run/privleapd/comm/user' does not exist. Cannot use privleap.

You might be able to create a privleap socket by executing: sudo leapctl --create 'user'
  • privleapd and leaprun are still functional but show this error
  • when running "leaprun log-checker-kernel" after this, no error shown
  • therefore could be a race condition, i.e. using leaprun too early after restarting privleapd?
  • when injecting a "sleep 1", i.e. "sudo genmkfile install && sudo systemctl restart privleapd && sleep 1 && systemcheck --verbose --function check_kernel_messages" there is no such issue
  • Aaron: Fixed, commit pushed to privleap.
  • Patrick: Merged.

kloak - Tor Browser scrolling issue

ai review misc

simplify whonix-firewall restarter

  • as discussed
    • Aaron: Implemented, commit pushed to whonix-firewall.
  • Patrick: Merged.

trixie - screen unlock broken

misc journal errors

  • VirtualBox: probably unfixable? add to journal ignore on virtualbox?
    • Aaron: Likely unfixable on most affected desktop hardware unless the BIOS is updated. Microcode can't be applied within virtual machines, thus this is likely not able to be fixed in VirtualBox.
    • Hiding it only when running in a virtual machine seems like it would make sense. We should show this when running on bare metal though.
    • Implemented, commit pushed to systemcheck.
Speculative Return Stack Overflow: WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options.
  • the following might be hardware issues and nothing can be fixed in the code unless you notice something
Nov 24 10:13:50 host systemd[1641]: Starting updatecheck.service - System update checker (user service)...
Nov 24 10:13:50 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: start.
Nov 24 10:13:50 host systemd[1641]: Started updatecheck.service - System update checker (user service).
Nov 24 10:13:50 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: First start. Therefore waiting for 2 minutes for first updatecheck.
Nov 24 10:16:33 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: loop start.
Nov 24 10:16:39 host updatecheck-daemon[8321]: /usr/bin/updatecheck: INFO: No updates available.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Watchdog timeout (limit 7h)!
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Killing process 1910 (updatecheck-dae) with signal SIGABRT.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Main process exited, code=dumped, status=6/ABRT
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Failed with result 'watchdog'.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Scheduled restart job, restart counter is at 1.
Nov 25 05:26:31 host systemd[1641]: Starting updatecheck.service - System update checker (user service)...
Nov 25 05:26:31 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: start.
Nov 25 05:26:31 host systemd[1641]: Started updatecheck.service - System update checker (user service).
Nov 25 05:26:31 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: First start. Therefore waiting for 2 minutes for first updatecheck.
Nov 25 07:59:13 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: loop start.
Nov 25 07:59:13 host updatecheck-daemon[17163]: /usr/bin/updatecheck: updatecheck: Software updates check failure: 'leaprun system-ready-check' failed.
Nov 25 07:59:13 host updatecheck-daemon[17163]:   Debugging information:
Nov 25 07:59:13 host updatecheck-daemon[17163]:   - system_ready_check_output: 'ERROR: Could not connect to privleapd!'
Nov 25 07:59:13 host updatecheck-daemon[17163]: To view log, run:
Nov 25 07:59:13 host updatecheck-daemon[17163]: journalctl --boot --user -u updatecheck.service
Nov 25 07:59:13 host updatecheck-daemon[17163]: Please run systemcheck.

Whonix-Workstation
VirtualBox
Windows host
no green turtle

Nov 24 10:14:51 host sdwdate[1567]: 2025-11-24 10:14:51 - sdwdate - INFO - Sleeping for 131 minutes, ok.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Watchdog timeout (limit 3h 20min)!
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Killing process 1567 (sdwdate) with signal SIGABRT.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Main process exited, code=dumped, status=6/ABRT
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Failed with result 'watchdog'.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Consumed 2.063s CPU time, 102.3M memory peak.
Nov 24 13:35:01 host systemd[1]: sdwdate.service: Scheduled restart job, restart counter is at 1.
Nov 24 13:35:01 host systemd[1]: Starting sdwdate.service - Secure Distributed Web Date...
Nov 24 13:35:02 host systemd[1]: Started sdwdate.service - Secure Distributed Web Date.
Nov 24 13:35:02 host sdwdate[15405]: 2025-11-24 13:35:02 - sdwdate - INFO - sdwdate (Secure Distributed Web Date) started. PID: 15405

sudo journalctl | grep stuck      
Nov 19 11:07:44 host kernel: watchdog: BUG: soft lockup - CPU#2 stuck for 2381s! [swapper/2:0]
Nov 19 22:28:10 host kernel: watchdog: BUG: soft lockup - CPU#2 stuck for 38019s! [swapper/2:0]
Nov 22 11:35:36 host kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 47763s! [swapper/1:0]
Nov 22 11:46:12 host kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 449s! [swapper/1:0]
Nov 24 07:50:14 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 59412s! [swapper/0:0]
Nov 24 08:51:46 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 3437s! [swapper/0:0]
Nov 24 10:01:18 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 3496s! [swapper/0:0]
Nov 24 10:12:05 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 526s! [swapper/0:0]
Nov 25 05:26:29 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 46634s! [swapper/0:0]

Nov 24 13:55:19 host privleapd[1293]: send_action_results: INFO: Action 'sdwdate-sync-hwclock' requested by account 'sdwdate' completed
Nov 25 07:59:13 host systemd[1]: privleapd.service: Watchdog timeout (limit 10s)!
Nov 25 07:59:13 host systemd[1]: privleapd.service: Killing process 1293 (privleapd) with signal SIGABRT.
Nov 25 07:59:13 host systemd[1]: Starting privleapd.service - privleap - Limited Privilege Escalation Framework...
Nov 25 07:59:13 host systemd[1]: Started privleapd.service - privleap - Limited Privilege Escalation Framework.
Nov 25 07:59:14 host privleapd[17276]: handle_control_create_msg: INFO: Handled CREATE message for account 'user', socket created
  • Aaron: The above looks like either a slow RTC, or memory thrashing left for a very long time that eventually (partially?) resolved itself, or both. (Some of those soft lockups in a swapper kernel thread last for over half a day.)
    • My main Kicksecure development virtual machine has one watchdog timeout for sdwdate, but with no time jump immediately before it. Likely hardware-related or specific to this setup. All of the timeouts above have a time jump before them.
    • Likely hardware-related, the result of too little or improperly set up swap space, and/or sdwdate may be occasionally having very bad luck when syncing time from Tor. (The last possibility would not explain the swapper lockups, but might explain the time jumps. In combination with the lockups though, and given the pool mechanism we use, I don't expect this to be the case.)
  • Patrick: Merged.
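
The hypothesis in the thread above (a time jump or soft lockup shortly before each watchdog kill) can be checked mechanically instead of by eye. The script below is an added example, not systemcheck code: it reads a journal excerpt, remembers the most recent kernel soft-lockup report, and for each systemd "Watchdog timeout" line reports whether a soft lockup was logged within a given window. The journal lines it runs on are constructed from the excerpts above; the function name `watchdog_after_lockup` and the 60-second window are assumptions.

```shell
#!/bin/sh
# Added example, not systemcheck code: correlate systemd watchdog kills with
# kernel soft-lockup reports in a journal excerpt, to tell a hang inside the
# service from a guest that lost time (paused VM, slow RTC) and therefore
# missed its keepalive. The journal lines below are constructed from the
# excerpts in the task above.

# watchdog_after_lockup JOURNAL WINDOW_SECONDS
# For each "Watchdog timeout" line, report the nearest preceding soft lockup
# if it was logged within WINDOW_SECONDS. Timestamps are syslog style
# ("Nov 25 05:26:31"); the year is ignored, which is fine within one log.
watchdog_after_lockup() {
  awk -v win="$2" '
  BEGIN { split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ") }
  # seconds since Jan 1 for "Mon DD HH:MM:SS" (non-leap year, good enough for deltas)
  function ts(m, d, hms,   mo, t) {
    mo = (index("JanFebMarAprMayJunJulAugSepOctNovDec", m) + 2) / 3
    split(hms, t, ":")
    return (cum[mo] + d - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }
  /kernel: watchdog: BUG: soft lockup/ {
    last_t = ts($1, $2, $3)
    last_desc = $0
    sub(/.*soft lockup - /, "", last_desc); sub(/!.*/, "", last_desc)
    next
  }
  /: Watchdog timeout \(limit / {
    now = ts($1, $2, $3)
    unit = $6; sub(/:$/, "", unit)
    if (last_t != "" && now - last_t <= win)
      printf "%s %s %s %s: killed %ds after soft lockup (%s)\n", $1, $2, $3, unit, now - last_t, last_desc
    else
      printf "%s %s %s %s: no soft lockup within %ds\n", $1, $2, $3, unit, win
  }' "$1"
}

# Constructed journal excerpt (lines taken from the task above).
sample_journal() {
  cat <<'EOF'
Nov 24 10:12:05 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 526s! [swapper/0:0]
Nov 24 10:14:51 host sdwdate[1567]: 2025-11-24 10:14:51 - sdwdate - INFO - Sleeping for 131 minutes, ok.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Watchdog timeout (limit 3h 20min)!
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Killing process 1567 (sdwdate) with signal SIGABRT.
Nov 25 05:26:29 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 46634s! [swapper/0:0]
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Watchdog timeout (limit 7h)!
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Failed with result 'watchdog'.
Nov 25 07:59:13 host systemd[1]: privleapd.service: Watchdog timeout (limit 10s)!
EOF
}

demo=$(mktemp -d)
sample_journal > "$demo/journal"
watchdog_after_lockup "$demo/journal" 60
rm -rf "$demo"
```

On a real system, save `journalctl --boot` (its default short output has the same timestamp layout) to a file and pass that file instead of the constructed excerpt. A kill reported as "killed 2s after soft lockup (... stuck for 46634s)" with a lockup longer than the unit's watchdog limit points at the guest losing time rather than at the service.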

set-system-keymap should run set-grub-keymap

  • please implement, if sane
  • Aaron: Implemented, commit pushed to helper-scripts.
  • Patrick: Merged.

tor-ctrl - minor bugs

  • end-of-options broken. not functional as documented in its man page.
tor-ctrl -- GETINFO version
  • please install tor-ctrl in Kicksecure by default
  • Aaron: Fixed bug, moved tor-ctrl to a different metapackage. Commits pushed to tor-ctrl, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages.
  • Patrick: Merged.

Qubes - sys-whonix - broken dom0 qvm-template

      rpc_block_template="#!/bin/bash

printf '%s\n' '${rpc_config_file} qrexec action is prohibited in PERSISTENT Mode - SYSMAINT Session.'"
  • Aaron: Implemented, commit pushed to user-sysmaint-split.
  • Patrick: Merged.

tb-updater - auto detect version always

  • issue currently: lots of build issues, especially on Qubes infrastructure
  • treat the hardcoded TBB version number as a minimum version number, i.e. as a minimum-version sanity check.
  • even in --postinst mode, try auto detect version from remote. as long as higher than hardcoded version, that shall be acceptable.
  • The already implemented last seen version numbers shall also be kept in use as a sanity test.
  • Aaron: Implemented, commit pushed to tb-updater. Tested by installing Tor Browser on an existing VM both with up-to-date and outdated hardcoded version numbers, works. Also tested by rebuilding Whonix VMs for VirtualBox with an unchanged hardcoded version, works correctly there also.
  • Patrick: Merged.

trixie-port - black desktop background and sometimes missing task bar

  • VirtualBox
  • 18.0.7.0
  • after a few reboots into user session/sysmaint session, Whonix-Gateway desktop background turns black - task bar still functional
  • after a few reboots into user session/sysmaint session, Whonix-Workstation desktop background turns black - task bar broken
  • non-issue: virtualbox screen resize, still working great
  • lxqt-panel can be manually started: yes, all good.
    • after reboot: lxqt-panel works normally again
  • Aaron: Cannot reproduce problem with lxqt-panel. Issue with pcmanfm-qt desktop turning black is known and happens when the first shutdown in user mode is done from the CLI with reboot or shutdown now, will debug and create a solution now.
    • Black screen issue fixed, commit pushed to desktop-config-dist.
  • Patrick: Merged.
  • bug: black desktop background remains. Worth fixing? (The lock file that is nowadays removed does not exist on my system (anymore?).)
    • Aaron: Added a followup fix to desktop-config-dist.
  • Patrick: Merged.
  • Patrick: 18.0.7.0, VirtualBox, LXQt bug: black screen is back.
  • (The task bar is apparently being restored, because the task bar is overlapping the "Computer" desktop icon.)
  • Aaron: Cannot reproduce even after several reboots using the reboot command in a terminal in user mode. The taskbar overlapping the "Computer" desktop icon is expected when PCManFM-Qt settings are damaged though, so it does sound like this is the same bug as previously.
    • Was the system fully up-to-date when it broke? Was it already previously broken and just isn't managing to automatically fix itself after updates despite the heuristics we added?
  • Patrick: Correction. Version was 18.0.7.6. Wasn't previously broken since 18.0.7.6. Fails to automatically fix itself.
  • Patrick: Made some changes to start-lxqt-session.
  • Patrick: Provided debug information in chat.
  • Aaron: Reproduced issue with further information. Fix pushed to desktop-config-dist.
  • Patrick: Merged.

Qubes - user-sysmaint-split - kernel modes - Standalone VM bug

  • QVMM shows user session boot option only for Standalone VM
  • bug: Standalone doesn't inherit boot options from Template
  • user might report bug at Qubes
  • Aaron: Could not reproduce bug by making a new standalone from a Whonix-Workstation 18 template.
  • Closed, and follow-up bug closed as user error. Archiving.

trixie port - sdwdate permission issues

  • qubes-public, Marek:
ok, I have real systemcheck results now, there are a couple issues found in sys-whonix, but overall nothing major IMO: https://openqa.qubes-os.org/tests/156993/file/whonixcheck-whonixcheck-sys-whonix.log
sdwdate[2269]: PermissionError: [Errno 13] Permission denied: '/var/lib/sdwdate/time-replay-protection-utc-unixtime'
  • Aaron: Unable to reproduce. The file shown above is owned by sdwdate:sdwdate on my release-upgraded sys-whonix qube, AppArmor permits sdwdate to access it, and the error above does not show in the output of systemcheck --verbose --leak-tests.
  • Aaron: Reproduced in Whonix-Gateway 18 template downloaded from Qubes community template repo. Somehow the entire /var/lib/sdwdate directory is owned by debian-tor:UNKNOWN (uid 108, gid 120).

user-sysmaint-split versus Qubes Video Companion is broken on Whonix-Workstation

kloak - update wiki and forums

18.0.7.5-developers-only - ISO boot broken

  • todo
  • Fixed.

trixie-port - systemcheck test for CPU stall

  • assigned to Patrick

permission-hardener bug - pkexec restore issue

  • anon-whonix in unrestricted admin mode
[ERROR] [systemcheck] Check 'pkexec /usr/libexec/systemcheck/pkexec-test' result: System misconfiguration detected. No need to panic. This is not a severe issue. However, other tests may be affected due to this.

The following command:
pkexec /usr/libexec/systemcheck/pkexec-test ; echo $?
did not produce an empty output with an exit code of zero, indicating an unexpected result.

exit_code: 127

privilege_escalation_tool_output:
pkexec must be setuid root
chmod-calc /usr/bin/pkexec
Permissions for: '/usr/bin/pkexec'
Type: Regular File
Owner: root
Group: root
Octal Permissions: 755
File Size: 30952 bytes
Link Count: 1
Hidden File: No
ACLs: none
Extended Attributes: none
Capabilities: None
Immutable (chattr +i): No

Symlink: No

Parent Folder Symlink: No

Category   Read   Write  Execute 
Owner      Yes    Yes    Yes     
Group      Yes    No     Yes     
Public     Yes    No     Yes     

Special Attributes:
SUID: Not Set
SGID: Not Set
Sticky Bit: Not Set
  • Aaron: pkexec doesn't actually have its SUID bit set until its postinst script runs. If security-misc, pkexec, and user-sysmaint-split are all installed in the same apt invocation, and security-misc gets configured first, it will see pkexec as having permissions 755 and will save that in the existing_mode database before changing its permissions to match user-sysmaint-split's policy. Then when permission-hardener protections are removed, permission-hardener applies those incorrect permissions to the file.
    • No good way to solve this using Debian packaging is known: there isn't a way to enforce postinst script order of execution without using Pre-Depends, and a package does not seem to be able to trigger itself.
    • Resolved for new builds by saving a pre-populated existing_mode database when security-misc is installed. This handles many common executables, we can expand the database if needed later.
    • Commits pushed to security-misc.
  • Patrick: Merged.
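
Because the failure above only shows up after a restore, it is worth having a one-line post-install check that the binaries which must be setuid really are. The following is an added example, not security-misc or systemcheck code: `check_suid` (an assumed name) verifies owner and SUID bit for a list of paths under a root directory. The expected-file list and the files under the demo root are constructed for the example; on a real system the call would be `check_suid root / /usr/bin/pkexec`.

```shell
#!/bin/sh
# Added example, not security-misc code: verify that binaries expected to be
# setuid are owned by the expected account and carry the SUID bit, as a
# post-install sanity check for the ordering problem described above
# (a saved mode of 0755 being restored onto pkexec). The expected-file list
# and the files under the demo root are constructed for this example.

# check_suid OWNER ROOT PATH...  -> prints problems, returns 1 if any.
check_suid() {
  cs_owner="$1"; cs_root="$2"; shift 2
  cs_bad=0
  for cs_path in "$@"; do
    cs_f="$cs_root$cs_path"
    if [ ! -e "$cs_f" ]; then
      printf 'missing: %s\n' "$cs_path"; cs_bad=1; continue
    fi
    # owner column of ls -ld; portable across GNU and BSD userlands
    cs_have=$(ls -ld "$cs_f" | awk '{print $3}')
    if [ "$cs_have" != "$cs_owner" ]; then
      printf 'wrong owner (%s, expected %s): %s\n' "$cs_have" "$cs_owner" "$cs_path"; cs_bad=1
    fi
    # test -u is the POSIX check for the set-user-ID bit
    if [ ! -u "$cs_f" ]; then
      printf 'SUID bit not set: %s\n' "$cs_path"; cs_bad=1
    fi
  done
  [ "$cs_bad" -eq 0 ]
}

# Demo against a constructed root; the pkexec file mimics the broken state
# from the systemcheck output above (mode 0755, no SUID).
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
: > "$demo/usr/bin/pkexec"; chmod 0755 "$demo/usr/bin/pkexec"
: > "$demo/usr/bin/ok";     chmod 4755 "$demo/usr/bin/ok"
if check_suid "$(id -un)" "$demo" /usr/bin/pkexec /usr/bin/ok; then
  echo "all setuid expectations hold"
else
  echo "setuid expectations violated (see above)"
fi
rm -rf "$demo"
```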

Qubes performance - qubes-whonix systemd units

  • maybe /usr/lib/systemd/system/qubes-whonix-sysinit.service can be abolished, if sensible. This might speed up the boot process a bit.
  • scan code base for:
    • /run/qubes-service/whonix-gateway
    • /run/qubes-service/whonix-workstation
  • for example
    • /usr/lib/systemd/system/qubes-whonix-remote-support.service
## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

[Unit]
Description=Qubes-Whonix Remote Support
Documentation=https://github.com/Whonix/qubes-whonix
ConditionPathExists=|/run/qubes-service/whonix-gateway

[Service]
Type=forking
ExecStart=/usr/bin/qvm-connect-tcp 22:dom0:22
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

Could maybe be replaced by:

## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

[Unit]
Description=Qubes-Whonix Remote Support
Documentation=https://github.com/Whonix/qubes-whonix

## Not inside TemplateVM.
ConditionPathExists=!/run/qubes/this-is-templatevm
## Whonix-Gateway
ConditionPathExists=/usr/share/anon-gw-base-files/gateway
## And ( NetVM OR ProxyVM )
ConditionPathExists=|/run/qubes/this-is-netvm
ConditionPathExists=|/run/qubes/this-is-proxyvm

[Service]
Type=forking
ExecStart=/usr/bin/qvm-connect-tcp 22:dom0:22
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
  • Aaron: This did indeed look possible. Implemented throughout the codebase.
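
The replacement unit above depends on how systemd combines several ConditionPathExists= lines (systemd.unit(5)): plain conditions are ANDed, conditions prefixed with `|` are "triggering" and at least one of them must hold, and `!` negates the path test. The script below is an added example, not qubes-whonix code: it evaluates the Condition lines of a unit file against a fake root directory with exactly those rules, so the "Not TemplateVM AND Gateway AND (NetVM OR ProxyVM)" reading can be checked before the unit is installed. The unit text and the marker files it creates are constructed; `unit_conditions_met`, `write_unit` and `make_root` are assumed names.

```shell
#!/bin/sh
# Added example, not part of qubes-whonix: evaluate the ConditionPathExists=
# lines of a unit file against a root directory, with the semantics from
# systemd.unit(5) that the replacement unit above relies on:
#   - plain conditions are ANDed,
#   - conditions prefixed with "|" are triggering: at least one must hold,
#   - "!" negates the path test (written "|!" when both are used).
# The unit text and the marker files under the fake root are constructed.

unit_conditions_met() {
  uc_file="$1"; uc_root="$2"
  uc_plain_ok=1; uc_have_trigger=0; uc_trigger_ok=0
  while IFS= read -r uc_line; do
    case "$uc_line" in ConditionPathExists=*) ;; *) continue ;; esac
    uc_spec="${uc_line#ConditionPathExists=}"
    uc_trigger=0; uc_negate=0
    case "$uc_spec" in '|'*) uc_trigger=1; uc_spec="${uc_spec#'|'}" ;; esac
    case "$uc_spec" in '!'*) uc_negate=1; uc_spec="${uc_spec#'!'}" ;; esac
    if [ -e "$uc_root$uc_spec" ]; then uc_ok=1; else uc_ok=0; fi
    [ "$uc_negate" -eq 1 ] && uc_ok=$((1 - uc_ok))
    if [ "$uc_trigger" -eq 1 ]; then
      uc_have_trigger=1
      [ "$uc_ok" -eq 1 ] && uc_trigger_ok=1
    else
      [ "$uc_ok" -eq 1 ] || uc_plain_ok=0
    fi
  done < "$uc_file"
  [ "$uc_plain_ok" -eq 1 ] || return 1
  [ "$uc_have_trigger" -eq 0 ] || [ "$uc_trigger_ok" -eq 1 ]
}

# Constructed unit text: the Condition lines of the proposed replacement.
write_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Qubes-Whonix Remote Support
## Not inside TemplateVM.
ConditionPathExists=!/run/qubes/this-is-templatevm
## Whonix-Gateway
ConditionPathExists=/usr/share/anon-gw-base-files/gateway
## And ( NetVM OR ProxyVM )
ConditionPathExists=|/run/qubes/this-is-netvm
ConditionPathExists=|/run/qubes/this-is-proxyvm
EOF
}

# Constructed fake root: create the given marker files under "$1".
make_root() {
  mr_root="$1"; shift
  mkdir -p "$mr_root"
  for mr_marker in "$@"; do
    mkdir -p "$mr_root$(dirname "$mr_marker")"
    : > "$mr_root$mr_marker"
  done
}

# Demo: a gateway ProxyVM (sys-whonix) qualifies; a gateway TemplateVM, a
# workstation NetVM and a gateway AppVM (neither NetVM nor ProxyVM) do not.
demo=$(mktemp -d)
write_unit "$demo/unit"
make_root "$demo/sys-whonix"  /usr/share/anon-gw-base-files/gateway /run/qubes/this-is-proxyvm
make_root "$demo/gw-template" /usr/share/anon-gw-base-files/gateway /run/qubes/this-is-proxyvm /run/qubes/this-is-templatevm
make_root "$demo/ws-netvm"    /run/qubes/this-is-netvm
make_root "$demo/gw-appvm"    /usr/share/anon-gw-base-files/gateway
for vm in sys-whonix gw-template ws-netvm gw-appvm; do
  if unit_conditions_met "$demo/unit" "$demo/$vm"; then
    echo "$vm: conditions met, unit would start"
  else
    echo "$vm: conditions not met, unit skipped"
  fi
done
rm -rf "$demo"
```

On a running qube the same lines can be evaluated against the real filesystem with `systemd-analyze condition` (available in recent systemd), which avoids a reboot cycle per VM type when changing such conditions.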

sdwdate-gui-qubes systemd unit stuck in state starting

  • see chat
  • Aaron: Switched to using a notify service here, also fixed up the systemd-notify wrapper. Commits pushed to helper-scripts, msgcollector, systemcheck, and sdwdate-gui.

trixie-port - address systemcheck log warnings

  • there are a number of journal messages in systemcheck output in Non-Qubes-Whonix
  • there might be others for Qubes-Whonix
  • Whonix-Gateway, non-Qubes:
Nov 21 15:34:16 host pipewire[1803]: mod.rt: RTKit error: org.freedesktop.DBus.Error.ServiceUnknown
  • Aaron: Added more lines to /etc/systemcheck.d/30_default.conf, commit pushed to systemcheck.
  • Patrick: Merged.

trixie-port - disable lxqt power manager systray icon by default for VM images

  • todo
  • Aaron: Automatically done as part of disabling LXQt power management. See completed task below.

trixie-port - lxqt-powermanagement - power management still enabled in VBox

  • Battery watcher and idleness watcher are still active
  • lxqt-powermanagement appears to forcibly write configuration in ~/.config/lxqt/lxqt-powermanagement.conf that enables power management regardless of the contents of $XDG_CONFIG_DIRS
  • Aaron asked in #lxqt:matrix.org if there's some way to work around this behavior (other than writing to the user's configuration under /home)
  • Aaron: Culprit found, runCheckLevel=1 needed to be set in desktop-config-dist's lxqt-powermanagement.conf. Added the setting, new installations should now obey system-wide power management settings. Existing installations that already have an autogenerated user-specific lxqt-powermanagement.conf will not have this, fixing things for those users may be hard since there is no way to distinguish intentional configuration from auto configuration for existing Kicksecure/Whonix 18 users.
    • Maybe we can detect if runCheckLevel is explicitly set in a user-specific lxqt-powermanagement.conf file and wipe the file if so? That would override settings for existing users, but wouldn't cause further problems after that.
  • Patrick: Merged.

trixie-port - sdwdate-gui - broken inside sys-net

  • only during boot
systemctl list-units --failed                         
  UNIT                                  LOAD   ACTIVE SUB    DESCRIPTION                                                     >
● sdwdate-gui-qubes@0-1531-1000.service loaded failed failed sdwdate graphical user interface - Qubes socket proxy (PID 1531/>
  • this is probably because sys-net starts before sys-whonix
  • Aaron: Fixed (and fixed a bug I noticed while working on this), commits pushed to sdwdate-gui.

trixie-port - GRUB - boot menu style lost after installation of serial-console-enable result

  • Kicksecure
  • VirtualBox
  • after installing serial-console-enable, system has been reset to standard GRUB boot menu
  • Patrick: This is to be expected. Nothing very bad happening. Caused by:
GRUB_TERMINAL="console serial gfxterm"

usbguard - test in Qubes

  • Does usbguard and usbguard-notifier work for you in Qubes?
  • Aaron: Mostly; notifications were not working because qubes-notification-agent and listing USB devices using the usbguard CLI was not working because list permissions were not present. Fixed both with pushes to developer-meta-files, kicksecure-meta-packages, and security-misc.
  • Aaron: usbguard-notifier allows users to ad-hoc allow and deny USB devices when they are attached. Should we allow the qubes and sudo groups to have modify permissions in usbguard as well to allow this to work?
  • TODO: Please test.
    • Aaron: Tested, works.

trixie-port - Qubes - ISO - fails to boot - black screen

sys-whonix - replace-ips - where to bind - Tor restarts at boot versus IPv6

  • todo
  • sys-whonix: for eth1, use static IPv4 and IPv6 address, if sensible
  • make sure replace-ips is correct and makes Tor bind on eth1 (not on eth0)
  • implement Qubes static networking, if still in time for Qubes R4.3 and if sensible
  • Aaron: Discussed possible solutions in chat. Pushed commits to qubes-whonix and anon-gw-anonymizer-config that should implement this sufficiently well for Whonix 18.
  • Patrick: Merged.
  • Patrick: Made huge changes to replace-ips. Please review and test.
    • Aaron: Reviewed, made mostly minor changes (some more involved ones to the var_name function). Tested, seems to work right.

trixie-port - red XDG_RUNTIME_DIR unset warning during shutdown

  • Non-Qubes-Whonix Whonix-Workstation
  • no adverse effects, but looks scary for users
  • Aaron: I've seen this before, but could not reproduce it on-demand for testing.
    • Pushed commits to desktop-config-dist and user-sysmaint-split in an attempt to resolve the issue and a related problem with scary logs being shown during shutdown. Unfortunately I ended up reproducing the issue by accident even after these changes were installed.
  • Patrick:
  • Patrick: Merged.

trixie-port - sdwdate-gui - flashing menu during time sync

  • While a time sync is in progress, right-click on the sdwdate-gui icon. The menu will flash rapidly in bursts.
  • This is most likely caused by the sdwdate-gui-client rewrite, which is probably reacting overzealously to status file changes from sdwdate. Adjust the inotify mechanism to not notify quite so frequently.
    • Fixed, commit pushed to sdwdate-gui.
  • Patrick: Merged.

trixie-port sdwdate-gui - client busy-waits if sdwdate-gui.ConnectCheck fails

  • expected behavior: endless repeated notifications about failed qrexec calls
  • actual behavior: failed qrexec call warnings stop after a bit, sdwdate-gui-client consumes 100% CPU
    • Fixed, commit pushed to sdwdate-gui.
  • Patrick: Merged.

trixie-port - Kicksecure ISO Installation - using btrfs - broken live mode

  • VirtualBox
  • 18.0.7.0
  • ISO
  • btrfs
  • at boot time, an error related to subvolumes is shown
  • bug: read-only volume without read-write overlay
  • Aaron: Dracut bug, already fixed upstream but not fixed in Trixie. Bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121043
    • Pushed a commit to grub-live to revert back to the Debian-specific overlay-root module and rootovl kernel parameter.
  • Patrick: Merged.

trixie-port - privleap - ai review

Nov 18 10:03:03 host privleapd[1648]: auth_signal_request: WARNING: Action run request: Could not find action 'sudo' requested by account 'user'
Nov 18 10:03:06 host privleapd[1648]: send_msg_safe: ERROR: Could not send 'UNAUTHORIZED'
Nov 18 10:03:06 host privleapd[1648]: BrokenPipeError: [Errno 32] Broken pipe
  • Aaron: Most likely caused by pressing Ctrl+C during the delay caused by attempting to run an action without authorization. Fixed by the new signal handling mechanism in leaprun used to fix check_action_terminate: ERROR: Could not get message from client run by account 'user'!.
  • Patrick: Merged.

trixie-port - broken passwordless sudo in unrestricted admin mode

trixie-port - privleap - check_action_terminate: ERROR: Could not get message from client run by account user

  • VirtualBox
  • 18.0.8.0
  • not upgraded
Nov 18 09:01:02 localhost privleapd[1143]: check_action_terminate: ERROR: Could not get message from client run by account 'user'!
Nov 18 09:01:02 localhost privleapd[1143]: Traceback (most recent call last):
Nov 18 09:01:02 localhost privleapd[1143]:   File "/usr/lib/python3/dist-packages/privleap/privleapd.py", line 517, in check_action_terminate
Nov 18 09:01:02 localhost privleapd[1143]:     comm_msg: PrivleapMsg = comm_session.get_msg()
Nov 18 09:01:02 localhost privleapd[1143]:                             ~~~~~~~~~~~~~~~~~~~~^^
Nov 18 09:01:02 localhost privleapd[1143]:   File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 691, in get_msg
Nov 18 09:01:02 localhost privleapd[1143]:     recv_buf: bytes = self.__recv_msg_cautious()
Nov 18 09:01:02 localhost privleapd[1143]:                       ~~~~~~~~~~~~~~~~~~~~~~~~^^
Nov 18 09:01:02 localhost privleapd[1143]:   File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 549, in __recv_msg_cautious
Nov 18 09:01:02 localhost privleapd[1143]:     raise ConnectionAbortedError("Connection unexpectedly closed")
Nov 18 09:01:02 localhost privleapd[1143]: ConnectionAbortedError: Connection unexpectedly closed
Nov 18 09:01:02 localhost privleapd[1143]: send_action_results: INFO: Action 'sdwdate-log-viewer' requested by account 'user' completed
  • not reproducible after upgrade
    • Aaron: Mitigated somewhat with a commit to leaprun, however this was most likely caused by the leaprun process receiving a signal mid-execution. There isn't much that can be reasonably done to prevent a session terminated prematurely at an arbitrary point from resulting in the server griping about it, other than hiding possibly useful debugging output. The commit fixes a likely common case though.
  • Patrick: Merged.

trixie-port - leapctl - could not connect to privleapd

  • Tor could not bind. At second boot.
  • VirtualBox
  • 18.0.6.8
  • upgraded
  • see log provided
  • output by leapctl does not make it easy to nail this down at this point. Perhaps, if difficult to debug, add additional debug output to leapctl so we can point out which exact leapctl call is causing this?
  • please add more debug output to leapctl calls in any case for the future.
    • Aaron: Sufficient information to debug the leapctl failure is present in the logs. The issue seems to have been triggered by privleapd dying due to a watchdog timeout. The exact reason is unclear, the VM seems to have locked up for 10 seconds or otherwise experienced a time jump possibly. Details shared in chat.

trixie-port - set-system-keymap improvements #2

  • 1) bug: in sysmaint session sudo set-system-keymap de fails to reload labwc. reboot required to change keyboard layout. (confusion resolved: system vs user configuration)
  • 2) bug: set-system-keymap / set-console-keymap is broken in some situations:
    • inside dracut emergency shell
    • single user mode (kernel parameter single)
    • this is because localectl is unavailable. Patrick pushed some changes to ignore this.
  • 3) feature request: set-system-keymap should configure the system keymap in case of
    • single user mode (kernel parameter single) - possible by re-generating initrd running "sudo dracut -f" - tested - functional
    • dracut emergency shell - same as above.
    • run sudo dracut -f &>/dev/null to hide verbose dracut output and report only success or failure.
    • Patrick implemented this.
  • 4) feature request: set grub stage 2 keyboard layout
    • 1 or 2 separate grub boot menu entries
      • additional boot menu entry 1: specific user-chosen keymap only
        • use case: easier to use GRUB menu entry - no need to scroll through lots of language entries
      • additional boot menu entry 2: generate all keymaps (within reasonable limits?)
        • What would be a good time/trigger to generate the keymaps? Useful/avoidable to keep re-generating the keymaps over and over again? A new /etc/grub.d drop-in? Part of which script?
        • use case: usable on the ISO
        • use case: users can easily try kernel boot parameters to attempt to fix the boot process in case of hardware issues
      • boot menu entries should be at the very bottom
      • enabling verbose ("set -x") equivalent may be useful
    • boot with GRUB standard keyboard. Only if the user selects a custom GRUB keyboard layout change menu try loading a different keyboard driver and layout.
    • Aaron: USB keyboard support does not appear practical, as numerous GRUB issues occur when using nativedisk and insmod usb_keyboard:
      • GRUB randomly can't find hard drives sometimes
      • Stack overflows occur
      • Sometimes "alloc magic" errors appear
      • Fonts can become very messed up
      • Boot usually becomes impossible
    • Aaron: Implemented, commits pushed to helper-scripts, kicksecure-base-files, usability-misc, anon-gw-base-files, anon-ws-base-files, and derivative-maker.
  • 5) feature request: set-labwc-keymap: --persist should be the default?
  • 6) feature request: apply console layout change by running systemctl --no-block --no-pager restart keyboard setup
  • 7) set-console-keymap: allow running as non-root / support file ~/.keyboard
    • Discussed, researched, not possible to set console keymap without root permissions and setting the keymap system-wide.
  • 8) bug: Should write INFOs to stdout, not stderr? Or is there a reason to write everything to stderr? In such special cases, please document this by adding a script comment on how channels (stdout, stderr) are used.
  • 9) set-system-keymap in sysmaint mode bug: layout change requires reboot
  • Patrick: Merged.

trixie-port - Tor could not bind to IPv6 race condition

[edit]
  • Tor could not bind. At second boot.
  • VirtualBox
  • happened at first boot only
  • happened just once. difficult to reproduce.
  • see old log provided (was version 18.0.6.8)
  • Patrick: Fixed.

trixie-port - lengthen live-config-dist timeouts

[edit]

trixie-port - Kicksecure /etc/hostname bug

[edit]
  • todo
  • Aaron: Fixed, commit pushed to derivative-maker.
  • Patrick: Merged.

privleap - improve debug output

[edit]
  • "ERROR: You are unauthorized ..."
    • Who is "You"? :)
    • todo: please add who "you" is. This might simplify debugging when using nested privleap.
  • Aaron: Implemented, also did some test script refactoring. Commit pushed to privleap.
  • Patrick: Merged.

trixie-port - livecheck-lsblk.service broken in Qubes

[edit]
  • noticed only once in sys-whonix
Nov 11 03:56:11 host systemd[1]: Starting livecheck-lsblk.service - Obtains lsblk output for use by livecheck...
Nov 11 03:56:12 host livecheck-lsblk[654]: overwrite: ERROR: Error while writing file '/run/desktop-config-dist/livecheck-lsblk', and >
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Main process exited, code=exited, status=1/FAILURE
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Failed with result 'exit-code'.
Nov 11 03:56:12 host systemd[1]: Failed to start livecheck-lsblk.service - Obtains lsblk output for use by livecheck.

trixie-port - reconsider non-Qubes RAM settings

[edit]
  • rads RAM threshold?
  • non-Qubes minimum RAM for CLI? 512 insufficient nowadays?
    • Aaron: Should be sufficient now that we have swapfile issues solved.

trixie-port - login broken in cli

[edit]
  • sysmaint session
  • 512 MB RAM
  • login as sysmaint: success
  • message "You are using the sysmaint account. This account has sudoers capabilities." visible, but then the system froze
  • only reproducible at first login, maybe not reproducible
  • Aaron: RAM issue, encrypted swapfiles as made by swap-file-creator work on Bookworm but are broken on Trixie.
    • unencrypted: works
    • encrypted by virtue of being on a LUKS-encrypted partition: works
    • file on an unencrypted filesystem which is then itself encrypted and device-mapper mounted, then used as a swapfile: broken, machine hangs as if memory is exhausted while gigabytes of swap remain
    • Reported bug to LKML: https://lore.kernel.org/lkml/20251111231835.1232ad8f@kf-m2g5/T/#u
    • Adjusted swap-file-creator to use unencrypted swapfiles, but only allow creating swapfiles on systems with LUKS FDE. Commits pushed to swap-file-creator.
  • Patrick: Merged.

qubes memory issues

[edit]

trixie-port - default desktop icons

[edit]
  • Network: Seems useless. Please remove.
    • Aaron: Removed, commits pushed to kicksecure-base-files, anon-gw-base-files, and anon-ws-base-files.
  • Patrick: Merged.

trixie-port - environment variable VISUAL missing

[edit]
  • usability-misc
/etc/profile.d/50_default_editor.sh /etc/zprofile.d/50_default_editor.zsh
/etc/profile.d/50_default_editor.sh /etc/X11/Xsession.d/50_default_editor
  • in non-Qubes, Wayland: env | grep VISUAL
  • also other environment variables set through profile.d/ zprofile.d, Xsession.d mechanism might be missing
  • Aaron: Issue was caused by a check for "$XDG_SESSION_TYPE" = "tty". Removed that conditional, now it works. (greetd appears to run the session start script in a TTY.)
    • Did not find any other missing variables in /etc/profile.d that were being missed except for safe-rm's addition of its own path to $PATH (this file is not symlinked to /etc/zprofile.d so this is likely expected).
    • Fixed 50_default_editor.sh, commit pushed to usability-misc.
  • Patrick: Merged.

trixie-port - vm-config-dist - install on ISO by default

[edit]
  • vm-config-dist has vbox-guest-installer and wlr-resize-watcher, which both can be/are highly useful inside virtualbox
  • Do you see anything that makes vm-config-dist incompatible with installed on the host operating system or inside Qubes?
  • investigate /etc/dracut.conf.d/30-vm-config-dist.conf and if it seems safe for rm_conffile removal
  • Please modify, if sane, to make it compatible with the host / Qubes. I.e. implement no-ops, if needed.
  • Install by default everywhere non-Qubes, Qubes and host, if sane.
  • Aaron: Next steps:
    • Need to change the `shared` bookmark so it is saved in a system-wide location and only created on VMs.
    • Keep wlr-resize-watcher from running on physical hardware
    • OK to comment out power management disabling and VBox guest additions installation in the postinst?
  • Aaron: Done, commits pushed to vm-config-dist.
  • Patrick: Ready to be installed by default on the ISO? If yes, please add.
    • Aaron: Done, commits pushed to developer-meta-files and kicksecure-meta-packages.
  • Patrick: Merged.

trixie-port - failed to mount /tmp

[edit]
  • seen in persistent mode user, briefly, during shutdown
  • cosmetic issue only
  • avoidable?
  • Aaron: VBoxDRMClient bug. Report filed: https://github.com/VirtualBox/virtualbox/issues/375
    • Possible security risks in /tmp remaining mounted during shutdown? Perhaps if shutdown hangs while /tmp is mounted, valuable data might be left in-memory that an attacker could access, but we have emerg-shutdown to deal with most situations where this would be a concern.
    • As a stop-gap, we could use a service in usability-misc to kill VBoxDRMClient during shutdown if we want to ensure /tmp is properly unmounted.
      • Patrick: Please implement in security-misc? Seems security related. As a stop-gap until ensure-shutdown gets default and (more) reliable.
        • Aaron: Done, commits pushed to security-misc and user-sysmaint-split.
  • Patrick: Merged.

comment on pdf reader and other packages suggestions

[edit]


trixie-port - sgdisk

[edit]
  • VirtualBox 7.24
  • Kicksecure LXQt 18.0.5.8
  • Can these warnings be fixed?
sudo sgdisk -v /dev/sda
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may
result in problems with some disk encryption tools.

No problems found. 2021 free sectors (1010.5 KiB) available in 2
segments, the largest of which is 2014 (1007.0 KiB) in size.

trixie port - hibernation

[edit]

login security check bug

[edit]
  • sys-whonix
INFO: user-sysmaint-split session detection result: SYSMAINT Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Locked (Present)       Disabled      |
| user     | Absent                 Disabled      |
| sysmaint | Absent                 Enabled       |
+----------+--------------------------------------+
  • anon-whonix
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Restricted (Absent)    Disabled      |
| user     | Locked (Absent)        Enabled       | [Locked (Absent) - green color]
| sysmaint | Locked (Absent)        Enabled       | [Locked (Absent) - orange color]
+----------+--------------------------------------+
  • Kicksecure Qubes
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
[INFO] [systemcheck] Kicksecure Login Security Check:
+----------+--------------------------------------+
| Users    | Password               GUI Autologin |
+----------+--------------------------------------+
| root     | Restricted (Absent)    Disabled      |
| user     | Absent                 Enabled       |
| sysmaint | Locked (Absent)        Enabled       |
+----------+--------------------------------------+
  • bug: user | Locked (Absent) versus user | Absent?
  • bug: why do some Locked (Absent) entries get green color and others orange?
  • bug: why are some accounts locked while others are not?
  • new design
  • refuse screen lock because the password is locked
  • refuse logout because the password is locked
  • when booted in user mode:
    • prevent logging into accounts that are passwordless and members of group sudo, root, or sysmaint
    • prevent logging into account sysmaint
  • when booted in sysmaint session:
    • prevent logging into any accounts other than sysmaint
  • stop locking account sysmaint in user sessions since we now rely on a PAM module
  • remove special handling of account sysmaint in login security table of systemcheck
  • Aaron: Implemented, commits pushed to security-misc, user-sysmaint-split, and systemcheck.
  • Patrick: bug:
    • Kicksecure, 512 MB RAM, user session:
      • can no longer login. Account false-positive detected as sensitive passwordless account.
      • Perhaps because account user is a member of group sudo?
        • Aaron: Fixed, commit pushed to security-misc.
  • Patrick: Merged.
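The login rules from the "new design" list above, applied to constructed /etc/shadow, /etc/passwd and /etc/group samples, as an added example (not code from security-misc, user-sysmaint-split or systemcheck; constant and function names are this example's own). Run for a user session it denies account user, the false positive Patrick reports, because user is passwordless and a member of group sudo in the sample; Aaron's fix is not on this page and is not reproduced here.

```python
# Added example: the login policy described in the "new design" list,
# implemented literally over constructed sample files.  Not Kicksecure's code.

SENSITIVE_GROUPS = {"sudo", "root", "sysmaint"}  # example's own constant

# Constructed /etc/shadow sample. Only the first two fields matter here:
# an empty hash field means "passwordless", a leading "!" or "*" means locked.
SHADOW = """\
root:!:20000:0:99999:7:::
user::20000:0:99999:7:::
sysmaint::20000:0:99999:7:::
"""

# Constructed /etc/passwd sample, needed for each account's primary group.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
sysmaint:x:1001:1001:sysmaint:/home/sysmaint:/bin/bash
"""

# Constructed /etc/group sample: the scenario from Patrick's bug report,
# where account user is a supplementary member of group sudo.
GROUP = """\
root:x:0:
user:x:1000:
sudo:x:27:user
sysmaint:x:1001:
"""


def _records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def parse_shadow(shadow_text):
    """Map account name -> password hash field."""
    return {fields[0]: fields[1] for fields in _records(shadow_text)}


def parse_groups(group_text, passwd_text):
    """Map account name -> set of group names (primary and supplementary)."""
    gid_to_name = {}
    membership = {}
    for name, _pw, gid, members in _records(group_text):
        gid_to_name[gid] = name
        for member in filter(None, members.split(",")):
            membership.setdefault(member, set()).add(name)
    for fields in _records(passwd_text):
        name, gid = fields[0], fields[3]
        if gid in gid_to_name:
            membership.setdefault(name, set()).add(gid_to_name[gid])
    return membership


def is_passwordless(hash_field):
    """An empty hash field means login succeeds without any password."""
    return hash_field == ""


def login_decision(account, session, shadow, groups):
    """Return (allowed, reason); session is "user" or "sysmaint"."""
    if session == "sysmaint":
        # sysmaint session: prevent logging into any account other than sysmaint
        if account != "sysmaint":
            return False, "sysmaint session: only account sysmaint may log in"
        return True, "sysmaint session: login permitted"
    if session != "user":
        raise ValueError(f"unknown session type: {session}")
    # user session: prevent logging into account sysmaint ...
    if account == "sysmaint":
        return False, "user session: account sysmaint may not log in"
    if account not in shadow:
        return False, "unknown account"
    # ... and into passwordless accounts that are members of sudo, root or sysmaint
    sensitive = groups.get(account, set()) & SENSITIVE_GROUPS
    if is_passwordless(shadow[account]) and sensitive:
        return False, ("user session: passwordless account in sensitive group(s): "
                       + ",".join(sorted(sensitive)))
    return True, "user session: login permitted"


def evaluate_all(session, shadow_text=SHADOW, passwd_text=PASSWD,
                 group_text=GROUP):
    """Decide every account in the shadow sample for one session type."""
    shadow = parse_shadow(shadow_text)
    groups = parse_groups(group_text, passwd_text)
    return {name: login_decision(name, session, shadow, groups)[0]
            for name in shadow}


if __name__ == "__main__":
    for session in ("user", "sysmaint"):
        print(session, evaluate_all(session))
```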

trixie-port - fix shutdown slowdown bug

[edit]
  • todo
  • slower since fixing unmount of /tmp?
  • Aaron: Unable to reproduce. Timing measurements from screen recordings (all times and timestamps are measured in 1/30 of a second):
                                     start   end    end minus start
before upgrade - bootup            : 335  -> 736  | 401
before upgrade - shutdown          : 914  -> 1156 | 242
after upgrade - bootup             : 323  -> 728  | 405
after upgrade - shutdown           : 869  -> 1058 | 189
before upgrade - sysmaint bootup   : 247  -> 746  | 499
before upgrade - sysmaint shutdown : 1377 -> 1621 | 244
after upgrade  - sysmaint bootup   : 215  -> 616  | 401
after upgrade  - sysmaint shutdown : 1195 -> 1410 | 215
  • If slow shutdown is noticed again, will re-measure and compare to these values.

stardict - investigate

[edit]

trixie-port - user-sysmaint-split - improve error handling

[edit]
  • now: when booting into sysmaint session and user-sysmaint-split fails, one actually boots into a user session
  • expected: better error handling
  • todo: when user-sysmaint-split fails (such as a read-only file system, whether due to a live-hardener bug, filesystem corruption or disk hardware issues):
    • show an error, wait, then reboot or poweroff?
    • offer to open a recovery console? This conflicts with the goal of having no recovery console by default, so settings should be honored. A recovery console, or even booting into a user session, may however be helpful for debugging.
    • need to have some way to debug the system
  • Aaron: Suggested action: Make sysmaint-boot.service print stdout and stderr to journal+console (so messages are seen by the user). If an error is encountered and trapped, pause for five seconds so they can see or screenshot the error. Ensure that the user does not get dropped to a sysmaint session with a full LXQt desktop, or a user session, prefer dropping them to a login screen as worst-case scenario.
    • This should allow easy-ish debugging (switch to a TTY and log in as account sysmaint) assuming the sysmaint account was unlocked before sysmaint-boot.service crashed. It also avoids the possible security risks of logging in as a standard user while the sysmaint account is unlocked.
    • Maybe also block logging into a full graphical user session when booted in sysmaint session, to encourage the use of a TTY instead?
    • Suggestions implemented, commits pushed to user-sysmaint-split and desktop-config-dist.
  • Patrick: Merged.

trixie-port - kloak - disable red crosshair by default

[edit]
  • todo discuss
  • Aaron: Done, commits pushed to kloak and lxqt-wayland-session.
  • Patrick: Merged.

live-hardener - skip overlay of non-overlayable filesystems

[edit]
  • todo
  • Aaron: Added requested feature, also greatly improved regression test coverage, added better comments, and fixed some bugs with finding submounts.
  • Patrick: Merged.
  • Patrick: please review https://github.com/assisted-by-ai/grub-live/pull/1
    • Aaron: Merged.

security-misc /etc/systemd/system/ review

[edit]
  • Do /etc/systemd/system folder contents still make sense nowadays?
  • https://github.com/Kicksecure/security-misc/tree/master/etc/systemd/system
    • Aaron: In my opinion, yes. The contents of these files prevent a locked root account from denying access to emergency mode, which IMO is very useful so that someone with physical access to the machine and the disk passphrase (and bootloader password) can fix a broken system even if the root account is locked for security. I also think that these should remain in /etc as they are now, because that allows users who want to disable this behavior to do so easily.

LXQt - ISO - move task bar to the top

[edit]

Whonix-Starter - please fork on github and nothing

[edit]
  • https://github.com/Whonix/Whonix-Starter
  • 1. please fork
  • 2. done
  • (this is just so that git fetch from GitHub via dm-packaging-helper-script works without errors or exceptions; this was the only repository not yet forked)
  • 3. please move to archived when done
    • Aaron: Repo was already forked. Made sure the master and work branches of all my repos were updated just in case that would help the issue.

bookworm - disk lost after initial upgrade-nonroot

[edit]
  • occurs for users running Whonix KVM under Fedora, Manjaro
    • Debugged, was only able to reproduce the issue once (using Manjaro KDE). Partition table was corrupted after first boot, the partition table field indicating the end of the partition had been changed to a larger value, but integrity checking info was not updated, thus Linux wasn't detecting any partitions on the device. Interestingly, in a later working VM, the same larger value was seen in the partition table, but there were no boot issues.
    • The most likely culprit is systemd-repart.
    • Unable to reproduce with Whonix 18 on Manjaro KDE. Documented possible workaround here: https://www.whonix.org/wiki/KVM#VM_disk_corruption_after_first_boot

trixie-port - power saving

[edit]

trixie-port - livecheck - avoid multiple popups

[edit]
  • if pressing the livecheck button multiple times, and an active popup window is already open, don't open additional popups
    • Aaron: Implemented in desktop-config-dist.
  • Patrick: Merged.

trixie-port - set-system-keymap

[edit]
  • bug: Whonix-Gateway - no user-sysmaint-split - sudo set-system-keymap de
  • expected: runs labwc --reconfigure
  • actual: does not run labwc --reconfigure
  • todo: look at $SUDO_USER and run sudo --non-interactive -u $SUDO_USER labwc --reconfigure
  • todo: run sudo --non-interactive -u $user_name_item labwc --reconfigure for all users?
  • todo: set-system-keymap / set-console-keymap: run loadkeys to apply changes without reboot? (not possible)
  • Aaron: Implemented, however this does not fully work due to a labwc bug: https://github.com/labwc/labwc/issues/3184
  • Patrick: Merged.

trixie-port - text encoding issues

[edit]

trixie port - sdwdate-gui icon under Qubes gets stuck in "broken" mode

[edit]
  • Steps to reproduce:
    • Set anon-whonix NetVM to "none"
    • Boot sys-whonix
    • Boot anon-whonix
    • Observe sdwdate-gui icon changes to a "broken" icon (this is intentional, as sdwdate in anon-whonix is broken due to the NetVM being "none")
    • Shutdown anon-whonix
    • Expected result: sdwdate-gui icon changes back to what it was previously
    • Actual result: sdwdate-gui icon is stuck "broken"
  • Fixed: https://github.com/ArrayBolt3/sdwdate-gui/commit/deffa5039800d1eac28d83ed5cb9dc7dc9cb1f19
  • Patrick: Merged.

trixie-port - sdwdate-gui-broken when sys-whonix is booted in sysmaint session

[edit]
  • bug: starts sdwdate-gui instead of sdwdate-gui-qubes?
  • bug: /usr/libexec/sdwdate-gui/sdwdate-gui-qubes-proxy-helper is broken because UID 1000 is hardcoded
  • this results in other App Qubes (such as anon-whonix) frequent sdwdate-gui systemd journal errors
  • Aaron: Fixed, pushed commit to sdwdate-gui.
  • Patrick: Merged.

trixie-port - iso broken in Qubes

[edit]

broken units:

  • systemd-networkd-persistent-storage.service
  • greetd-config-build.service
  • live-mode-apparmor.service
  • sdwdate-pre.service
  • cold-boot-attack-defense-status
  • tor@default.service
  • usbguard.service
  • Maybe just insufficient RAM? -> todo: fail more obviously, stop boot?
  • failed units can mess up sysmaint session?
  • Aaron: Reproduced with slightly different symptoms (had a VM crash during bootup once and boot into CLI mode another time), increasing RAM did appear to fix the issue. Could possibly use a oneshot unit very early in startup that would print a message to the TTY if RAM was below a certain "safe" threshold.
    • Pushed a commit to rads that should result in a warning message and fallback to CLI-only mode if RAM is insufficient.
  • same issue as trixie-port - live mode - sysmaint session - broken

trixie-port - live mode - user session - broken

[edit]
  • many systemd units failing during boot
  • could be related to above
  • Aaron: Could not reproduce, tried multiple scenarios after discussion in chat.
  • same issue as trixie-port - live mode - sysmaint session - broken

trixie-port - live mode - sysmaint session - broken

[edit]
  • to debug, use "leaprun sudo" (as documented on https://www.kicksecure.com/wiki/Sysmaint#enable_sudo_access_in_USER_session)
  • bug: boots into user session, presumably due to read-only file system
  • bug: sudo touch /etc/testfile shows "read-only file system"
  • bug: live-hardener: INFO: Non-zero exit code. - Should be ERROR or at least WARNING?
    • Patrick: Fixed.
  • bug: live-hardener detects grub-live-semi-persistent-unsafe but livecheck does not point that out
  • bug: live hardener attempts to remount /boot/efi but fails
  • bug: live-hardener runs a mount code that has a non-zero exit code but yet live-hardener exits zero rather than non-zero
  • Aaron: Could not reproduce, tried multiple scenarios after discussion in chat.
  • Patrick: live-hardener log: removed since not caused by live-hardener.
  • Patrick: Probably not caused by live-hardener. sudo systemctl mask live-hardener.service - did not solve the issue
  • Patrick: Also not a VirtualBox green turtle issue as this was also resolved on my system.
  • lots of overlayfs related issues: https://github.com/dracut-ng/dracut-ng/issues?q=overlayfs
  • user session mode - persistent mode - no issue - for comparison only
mount
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4308)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
shared on /mnt/shared type vboxsf (rw,nodev,relatime)
  • user session - live mode - broken read-only filesystem
/dev/sda3 on / type ext4 (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4451)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  • user session: same output for both, persistent mode and live mode
sudo sgdisk -v /dev/sda
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may
result in problems with some disk encryption tools.

No problems found. 2021 free sectors (1010.5 KiB) available in 2
segments, the largest of which is 2014 (1007.0 KiB) in size.
  • Patrick: For debugging, removed error=remount-ro from /etc/fstab. No effect.
  • Aaron: Issue spotted, your system is still using the Debian-specific module for mounting an overlayfs, and thus is looking for rootovl rather than rd.live.overlay.overlayfs=1.
  • Patrick: Merged.

trixie-port - sysmaint - lock screen - black screen

[edit]
  • probably minor bug: boot into sysmaint session -> lock screen -> black screen
    • note: this bug was only observed prior to reboot. After reboot, screen locking was refused with a popup, as expected (because no password was set).
      • after setting a password and locking the screen, everything worked as expected.
  • we might be able to ignore this bug since unreleased
  • xtrace of /usr/libexec/user-sysmaint-split/sysmaint-session-wayland
    • (ticket below for unrelated error messages found)
  • Aaron: Cannot reproduce. Asked for more info in chat.
  • Aaron: Possibly transient, symptoms did not match any screen locking utility in Kicksecure. Archiving for now.

trixie port - possibly broken systemcheck disallowed-test

[edit]
  • Aaron saw the AppArmor "disallowed-test" fail in KVM. Investigate.
    • Issue does not occur in a freshly built KVM VM. Archiving.

trixie-port - user-sysmaint-split versus flatpak

[edit]
  • flatpak install flathub org.mozilla.firefox
  • functional in user session
  • also functional
  • please investigate security impact
  • Aaron: Users were indeed able to install applications system-wide, so that account user could install an app in a location where account sysmaint could run it later.
    • Added a commit to security-misc to lock down Flatpak's polkit controls, requiring authorization for most things. Installing software with flatpak install --user is still functional as account user even with user-sysmaint-split installed.
  • Patrick: Does it belong into security-misc or user-sysmaint-split?
    • Aaron: security-misc seems preferable. Might prevent deployment of a system-wide malicious flatpak.
  • Patrick: Please update debian/control and readme.
    • Aaron: Updated README.md. debian/control didn't look like it had anything that needed updating.
  • Patrick: Merged.

trixie-port - kloak - compilation warning

[edit]
In file included from src/kloak.c:47:
src/xdg-output-protocol.h: In function 'zxdg_output_v1_add_listener':
src/xdg-output-protocol.h:347:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  347 |                                      (void (**)(void)) listener, data);
      |                                      ^
In file included from src/kloak.c:48:
src/wlr-layer-shell.h: In function 'zwlr_layer_surface_v1_add_listener':
src/wlr-layer-shell.h:434:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  434 |                                      (void (**)(void)) listener, data);
      |                                      ^
make[1]
  • Aaron: Warnings are in headers autogenerated by wayland-scanner. The way in which the code is used that leads to these warnings appears to be correct use of the Wayland protocols and libraries, thus this should be safe to ignore.
  • Patrick: Merged.

trixie-port - qubes update

[edit]
  • privleap systemctl workaround
  • no stream isolation warnings injected by uwt
    • Aaron: Both done, new commits in uwt.
  • Patrick: Merged.

mediawiki-shell review and merge

[edit]
  • https://github.com/Kicksecure/mediawiki-shell/pull/1
  • please review, merge and commit any fixes on top if any new bugs were introduced or obvious bugs spotted
  • branch: trixie (primarily used internally)
    • Aaron: Reviewed, fixed many small issues, pushed to my fork of mediawiki-shell. Code is untested as of yet, can come back to test this if/when desirable.
  • Patrick: Merged.

trixie-port - /etc/profile.d environment variables missing

[edit]
  • Kicksecure 18, ISO with vm-config-dist installed
  • /etc/profile.d/20_software_rendering_in_vms.sh - script executes correctly if executed using sh -x /etc/profile.d/20_software_rendering_in_vms.sh
  • when typing env | grep -i QML the environment variable is missing under Wayland
  • Aaron: Found bug, glxinfo is not directly compatible with Wayland and can be misleading when using Xwayland.
  • Patrick: Merged.

tor-control-panel - anon-connection-wizard - review contributions

[edit]

trixie port - dom0 updates over Whonix-Gateway

[edit]

trixie port - sysmaint - sys-whonix - missing systemd units

[edit]
  • Please check if any systemd units are missing in sysmaint.target.
sudo systemctl list-units --all | grep "loaded    inactive dead"
  • Aaron: Compared the units running in a user session with the units running in a sysmaint session, rather than using --all; this approach should be more accurate.
    • Added some missing units to user-sysmaint-split (sysmaint-boot.service).
    • Also sent an email to Qubes to see if we should just blanket whitelist all qubes units going forward (this should be done with automation of some sort most likely to avoid units introduced in the future ending up missed). https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05673.html

trixie-port - qubes-bind-dirs bug

[edit]
  • a user has privately shared a log where /var/lib/sdwdate/time-replay-protection-utc-unixtime was not writable by sdwdate
  • /usr/lib/tmpfiles.d/sdwdate.conf looks fine
  • therefore this is a qubes-bind-dirs issue?
  • https://github.com/QubesOS/qubes-issues/issues/8466
    • if possible during R4.3 RC. otherwise priority can be lowered.
    • otherwise, a non-ideal workaround for all bind-dirs:
## https://github.com/QubesOS/qubes-issues/issues/8466
ExecStartPre=chown --recursive canary:canary /var/lib/canary

trixie-port - lock-screen improvements

[edit]
  • move from /usr/libexec/helper-scripts/lock-screen to /usr/bin/lock-screen since it might be useful to lock the screen using the command line
  • bug: unhandled swaylock issues. If swaylock exits non-zero, there would currently be no error popup. (Theoretical issue only at this time.)
  • disable screen lock by default inside VMs, if sane?
    • Versus security on servers with wayland installed?
    • Versus vm-config-dist? (Which says it disables screen locks for VMs but does not yet for Wayland.)
  • use a different background image that simply states "screen lock" all over the place?
  • use a swaylock theme?
  • there is not really a swaylock alternative where the password prompt is more obvious? (was discussed before, i think)
  • automatically lock screen in sysmaint session. Currently does not seem to happen.
  • Aaron: All implemented in appropriate packages (anon-gw-base-files, anon-ws-base-files, desktop-config-dist, helper-scripts, kicksecure-base-files, sysmaint-panel, user-sysmaint-split, vm-config-dist)
  • Patrick: Merged.

trixie port - multiple wayland sessions or wayland session restarts

  • excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
  • steps to reproduce:
    • 1) from a virtual console.
    • 2) while a wayland session is already running
    • 3) sudo systemctl restart greetd
  • Multiple sessions? Not important. Most important is to handle or fail better:
    • The usual thing would be to kill the old session and start a new one?
    • If not, can we fail with a better error message?
  • Aaron: Implemented the "kill the old session and start a new one" solution. Commits pushed to user-sysmaint-split, helper-scripts, and kloak (since code from kloak ended up being reused in user-sysmaint-split and was split into a new library in helper-scripts).
  • Patrick: Merged.

trixie port - backlight-tool

  • excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
    • i did not use backlight-tool because testing inside a VM
    • yet, journal will probably pick up an issue such as the following
/usr/bin/backlight-tool-dist-agent: ERROR: Cannot read target file!
  • bug: backlight-tool shows errors inside VMs where it is expected that there is no backlight kernel driver
  • question:
    • related to calc_bl_brightness=$(( (bl_max_brightness * bl_pct) / 100 )) || true (split by Patrick into two lines)
    • action: bash -x usr/bin/backlight-tool-dist-agent set 100
      • result: overwrite /home/user/.config/backlight-tool-dist-last-bright-pct 50
      • always "50" is written to that file
  • some changes by Patrick. Please review.
    • Aaron: Reviewed, made some string changes and added a better info message when no saved brightness value is present for restoring.
  • Patrick: Merged.

trixie-port - vm-config-dist - disable power savings by default in wayland

  • needed?
  • Aaron: Done as part of disabling screen locking in VMs on Wayland.

trixie-port - don't offer on-screen keyboard in sysmaint-panel on Qubes

  • The on-screen keyboard button does nothing under Qubes because Wayland is not in use. Even if Wayland was in use, this would be confusing.
    • Hid this and the system keymap button under Qubes OS at the same time.
  • Patrick: Merged.

trixie-port - apparmor-info - fix

  • bug: apparmor-info is no longer functional on trixie. It fails to show denied (or any) apparmor messages.
  • Aaron: Fixed, commits pushed to security-misc and helper-scripts.
    • WARNING: apparmor-info and apparmor-watch moved from helper-scripts to security-misc, thus please add to security-misc Breaks/Replaces against helper-scripts versions older than the next uploaded version.
      • Patrick: Merged, reverted to avoid breaks, replaced. Instead added the journal auditd socket activation to usability-misc.

trixie-port - system keymap script improvements #2

  • separate set-console-keymap
    • Aaron: Implemented in helper-scripts.
  • sysmaint-panel: do not show keymap change in Qubes
    • Aaron: Implemented. Notes about UI design left in chat.
  • Patrick: Merged.

automate detection of new tor and tor-browser versions

  • We currently ship Tor in the Kicksecure repository, taking packages from deb.torproject.org for this.
  • We also hardcode a Tor Browser version number in tb-updater.
  • Create scripts for finding the latest versions of Tor and Tor Browser, and taking the necessary actions to update them
## developer-meta-files
/usr/bin/dm-virtualbox-update-local-and-wiki-links
make_cross_build_platform_list="i386 amd64 arm64" ./build-steps.d/*_create-debian-packages --flavor internal --target root --function download_tpo_packages
./build-steps.d/*_create-debian-packages --flavor internal --target virtualbox --function download_packages_from_debian_sid
  • Aaron: Implemented Tor package update script as dm-tor-update-repository, added wrapper in dm-packaging-helper-script.
  • Aaron: Tor Browser version updater is already implemented as pkg_tor_browser_version_update in dm-packaging-helper-script.
  • Aaron: Unsure where to add master wrapper to update Tor, Tor Browser, and VirtualBox all at once. Perhaps create a new shell script, dm-update-third-party-software-references or similar?
  • Patrick: Merged.
  • Patrick: dm-maintenance created

trixie-port - default screen resolution

  • vm-config-dist: debian/control
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml` TODO: This
 may no longer be the case with Wayland.
  • please re-implement for Wayland, if sane.
  • Aaron: Doing this exactly as described may be hard on Wayland, because there is no location where the display configuration is saved any longer, it is always generated dynamically and must be fixed manually by the user if desired. However, what we can do is set the resolution of all displays to 1920x1080 if the appropriate hypervisor helpers (VBoxDRMClient, spice-vdagentd) are not active when wlr_resize_helper launches.
    • Implemented this in vm-config-dist.
  • Patrick: Merged.
  • bug?
Setting up systemcheck (3:43.6-1) ...
warn: The user `canary' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `systemd-journal'.
Processing triggers for qubes-core-agent (4.3.34-1+deb13u1) ...
Setting up user-sysmaint-split (3:9.1-1) ...
update-alternatives: warning: forcing reinstallation of alternative /usr/libexec/user-sysmaint-split/policy-rc.d because link group policy-rc.d is broken
Synchronizing state of openvpn.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable openvpn
Generating grub configuration file ...
Found theme: /boot/grub/themes/kicksecure/theme.txt
Adding boot menu entry for UEFI Firmware Settings ...
done
Setting up security-misc-desktop (3:48.8-1) ...

trixie port - remove volume widget from Whonix-Gateway sysmaint panel

  • Waybar is showing an empty volume widget on Whonix-Gateway
  • Move config files to remove this.
    • Likely need to handle migration of the files from desktop-config-dist to the appropriate base-files packages to prevent breaking Qubes OS R4.3 rc3. See qubes-public Matrix room for context.
    • Done, commits pushed to kicksecure-base-files, anon-ws-base-files, anon-gw-base-files, and desktop-config-dist for this.
      • WARNING: After desktop-config-dist's version is bumped, all three *-base-files packages MUST have a Breaks/Replaces against desktop-config-dist (<< LATEST_VERSION) added.
  • Patrick: Note to self:
myfind . | grep base-files | grep --invert-match dist-base-files | grep --invert-match whonix-base-files | grep control
./whonix/anon-gw-base-files/debian/control
./whonix/anon-ws-base-files/debian/control
./kicksecure/kicksecure-base-files/debian/control
  • Patrick: Done.
  • Patrick: Please check if functional on your side. If so, please move to archived.
    • Aaron: Upgrades worked, however due to an oversight the volume widget in Whonix-Gateway wasn't fully removed. Pushed a commit to anon-gw-base-files to fix.
    • Also noticed a preinst script header was missing in usability-misc, and pushed a commit to fix that too.
  • Patrick: Merged.

trixie port - virtualbox / kvm - dynamic resolution resizing with labwc

  • Automatic display resizing is no longer working under VirtualBox with Wayland. It actually does work, but it requires the user to manually set the resolution to the "native" resolution after every window resize.
  • Possible solutions listed for discussion at https://github.com/labwc/labwc/discussions/3109
  • Discussion ongoing, currently waiting on upstream to reply. I might attempt to do further development work on this if we consider it a priority.
  • Discussed with Patrick, we should probably solve this ourselves via a daemon that watches udev messages, as not having this feature may result in serious usability issues with VirtualBox.
  • Discovered that a missing binary, VBoxDRMClient, was needed to even try to implement resize support. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968390#15
    • Found and tested a fix, sent it to the VirtualBox Debian maintainers. Awaiting a response from them. I can still work on implementing the resizing code in the meantime.
      • This was accepted in Debian.
  • Implemented the helper tools for actually changing the display resolution.
  • Patrick: Merged.
  • Patrick: Tested in VirtualBox. Working great!
  • Patrick: TODO: Please error out if vbox drm client is missing or fails.
    • Aaron: Implemented, along with similar code for KVM: https://github.com/ArrayBolt3/vm-config-dist/commit/166a3e13a2ad1369265aed7f23e3a7ae21cdea89
      • Patrick: Merged.
      • Patrick: Maybe better don't exit non-zero in case and keep running? Because there is no (systemd) supervisor to restart the script.
      • Patrick: Before: Forgiving in case dependencies are missing but installed later.
      • Patrick: Now: Non-forgiving, more brittle?
        • Aaron: Fixed, pushed a new commit to vm-config-dist for this.
      • TODO: Start wlr-resize-watcher as a systemd user unit, if sensible. Would be useful if the process gets randomly killed (some sort of user space OOM management).
        • Aaron: Undesirable, as this would prevent wlr-randr from finding the appropriate Wayland compositor. Having the session start the process makes sure the right WAYLAND_DISPLAY variable is set, which means wlr-randr should always access the correct compositor.

Qubes Kicksecure - sdwdate-gui qrexec denied messages

  • Qubes R4.3
  • 1) Kicksecure 17 Template installed
  • 2) qubes-core-admin-addon-kicksecure installed
  • 3) release-upgraded to Kicksecure 18
  • 4) created App Qube based on Kicksecure Template
  • bug: sdwdate-gui qrexec denied messages
  • debugging information:
    • running "sudo qvm-features-request kicksecure=1" shows nothing in dom0 journal (i would expect that to show something)
    • running in dom0 "qvm-features kicksecure-17 | grep kicksecure" shows that qvm-feature "kicksecure" is missing
  • Aaron: Reproduced, but the issue can be fixed by doing the following:
    • Ensure qubes-core-admin-addon-kicksecure is installed in dom0, if it isn't, install it (sudo qubes-dom0-update --action=install qubes-core-admin-addon-kicksecure) and then restart qubesd (sudo systemctl restart qubesd)
      • Patrick: Qubes bug? sudo systemctl restart qubesd should be automated? Perhaps the postinst script can do that?
    • Boot the upgraded Kicksecure 18 qube
    • Run cd /etc/qubes/post-install.d; for i in *.sh; do source $i; done
    • Reboot dom0 or restart qubesd again
  • Aaron: Why are the post-install.d scripts not being properly called after a release upgrade? Shouldn't apt do this for us? We could probably work around this issue by making release-upgrade source all scripts in post-install.d after the upgrade.
    • Patrick: Please report at Qubes to find a solution for this, if still an issue.
    • Patrick: Possible to add some echo informational debug output so we can see what is run?
    • Aaron: After another test, I believe these scripts are being run. Most likely the reason I ran into this issue was because I failed to restart qubesd or dom0 before running the release upgrade. After reinstalling Kicksecure 17 again and upgrading it to Kicksecure 18 again, the feature is properly set and a new AppVM based on the template is able to connect to sys-whonix's sdwdate_gui_server.
        • Patrick: Probably same solution as above: Automate restart of qubesdb?
  • Aaron: What's a good way to inform users that they need to install qubes-core-admin-addon-kicksecure and reboot before installing Kicksecure templates?
    • Patrick: No idea. Could you discuss at Qubes please? I guess also applies to qubes-core-admin-addon-whonix to a lesser degree. Meanwhile, please document.
  • Patrick: Can qubes-core-admin-addon-kicksecure be made functional if installed too late (after Kicksecure Template installation)?
    • Aaron: Qubes OS R4.3 will have qubes-core-admin-addon-kicksecure preinstalled, so this likely won't happen to anyone using the final release. Sourcing all scripts in /etc/qubes/post-install.d will resolve the issue if it somehow shows up in the wild.
  • Aaron: Anything left to do here? Our last conversation on Matrix ended with the conclusion that we could not re-evaluate the in-vm post-install.d scripts when dom0's qubes-core-admin-addon-kicksecure was installed or updated, but I'm not sure if we came to a conclusion about what to do with this, if anything. Maybe just document that users can do something like export LC_ALL=C; cd /etc/qubes/post-install.d; for i in *.sh; do source "$i"; done if necessary?

trixie-port - system keymap script improvements

  • more changes were added by Patrick
  • 1) always show a success message such as the following even if run manually (currently only in interactive mode)
    • Aaron: Implemented in helper-scripts.
  printf '%s\n' "$0: INFO: Keyboard layout change successful." >&2
  • 2) port live-config-dist to set-all-keymap, if sensible
    • Aaron: Implemented in helper-scripts and live-config-dist.
  • 3) sysmaint-panel: add an option to start set-all-keymap
    • Aaron: Implemented in sysmaint-panel.
  • Patrick: Merged.

systemcheck - garbage configuration should result in non-zero exit code


trixie port - Kicksecure template build failure due to firmware-nonfreedom


trixie-port - Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy

Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy

install fewer firmware-nonfreedom packages by default in Qubes

  • install firmware-nonfreedom by default in Qubes. Done by Patrick.
  • purpose: useful for sys-net (non-free wifi controller)
  • we might want a smaller collection of packages to save disk space since for example microcode is irrelevant? can we rely on a Qubes package for the non-free firmware package selection?
  • Aaron: Qubes does not appear to have a package we can use for this.
  • Aaron: Split packages containing networking firmware (wireless or wired) from firmware-nonfreedom into firmware-nonfreedom-network, and switched kicksecure-qubes-cli to use firmware-nonfreedom-network. Commits in developer-meta-files, kicksecure-meta-packages.
  • Patrick: Merged.

rename sdwdate.ConnectCheck to sdwdate-gui.ConnectCheck etc


trixie port - Whonix Qubes template issues


kloak - Qubes OS input anonymization flicker bug


trixie-port - browser-choice - do not Depends on tb-updater

  • should be installed only on demand
  • this is to avoid Kicksecure Qubes Templates downloading Tor Browser
  • Patrick: Implemented. Needs to be tested.
    • Aaron: Notes shared in chat.
  • Patrick: Simple solution. Install tb-updater and tb-starter only. Instruct user to run Tor Browser Downloader in user session.
    • Aaron: Implemented, commits pushed to browser-choice.
  • Patrick: Merged.

ipv6 sleep 10 improvements

  • as discussed
  • skip sleep when IPv6 is disabled in kernel
  • event-based if possible
  • re-check every 0.1 - 1 second
  • commentary why this is necessary
  • Aaron: Pushed commits to anon-gw-anonymizer-config, reimplementing tor-wait-for-network in Python for speed and ease of working with files, and adding the requested functionality.
  • Patrick: Merged.
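The polling behaviour requested above (skip the wait when IPv6 is disabled in the kernel, re-check every 0.1 - 1 s instead of a fixed sleep 10, give up at a deadline), as an added Python example; this is not the anon-gw-anonymizer-config code. The readiness condition tor-wait-for-network actually checks is not described here, so it is passed in as a callable, and the sysctl path is parameterised so the logic can be exercised without a real kernel.

```python
"""Polling replacement for a fixed "sleep 10" before starting a network
daemon. Added example (not the anon-gw-anonymizer-config code), modelling
the requirements listed above:

  * skip the wait entirely when IPv6 is disabled in the kernel,
  * re-check a readiness condition every 0.1 - 1 s instead of sleeping blindly,
  * return as soon as the condition holds, or give up at a deadline.

The concrete readiness condition Whonix's tor-wait-for-network checks is not
described on this page, so it is passed in as a callable (assumption).
"""
import time
from pathlib import Path
from typing import Callable, Optional, Tuple

# Kernel sysctl that reads "1" when IPv6 is disabled for all interfaces.
IPV6_DISABLE_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"


def parse_disable_ipv6(text: Optional[str]) -> bool:
    """Interpret the sysctl contents; None means the file does not exist.

    A missing sysctl means the kernel has no IPv6 support loaded at all,
    which for "should we wait for IPv6?" is the same as disabled.
    """
    if text is None:
        return True
    return text.strip() == "1"


def ipv6_disabled_in_kernel(sysctl_path: str = IPV6_DISABLE_SYSCTL) -> bool:
    """Read the sysctl from /proc (or a test path) and interpret it."""
    try:
        text: Optional[str] = Path(sysctl_path).read_text()
    except FileNotFoundError:
        text = None
    return parse_disable_ipv6(text)


def wait_for_condition(
    ready: Callable[[], bool],
    *,
    timeout: float = 10.0,
    interval: float = 0.1,
    ipv6_disabled: Callable[[], bool] = ipv6_disabled_in_kernel,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[str, float]:
    """Wait until ready() is true, re-checking every `interval` seconds.

    Returns (outcome, seconds_waited) where outcome is "skipped" (IPv6
    disabled, nothing to wait for), "ready" or "timeout". `clock` and
    `sleep` are injectable so the behaviour is testable without real delays.
    """
    if not 0.1 <= interval <= 1.0:
        raise ValueError("re-check interval must be between 0.1 and 1 second")
    if ipv6_disabled():
        return "skipped", 0.0
    start = clock()
    while True:
        elapsed = clock() - start
        if ready():
            return "ready", elapsed
        if elapsed >= timeout:
            return "timeout", elapsed
        # Never overshoot the deadline by a full interval.
        sleep(min(interval, timeout - elapsed))


class FakeClock:
    """Deterministic clock for tests: sleep() advances time instantly.

    Time is kept in whole milliseconds so repeated 0.1 s steps do not
    accumulate floating-point error, and every sleep advances at least 1 ms.
    """

    def __init__(self) -> None:
        self.now_ms = 0

    def monotonic(self) -> float:
        return self.now_ms / 1000

    def sleep(self, seconds: float) -> None:
        self.now_ms += max(1, int(round(seconds * 1000)))


def simulate(ready_after: float, *, ipv6_disabled: bool,
             timeout: float = 10.0, interval: float = 0.1) -> Tuple[str, float]:
    """Run wait_for_condition against a FakeClock; the (constructed) condition
    becomes true once `ready_after` seconds of fake time have passed."""
    clock = FakeClock()
    return wait_for_condition(
        lambda: clock.monotonic() >= ready_after,
        timeout=timeout,
        interval=interval,
        ipv6_disabled=lambda: ipv6_disabled,
        clock=clock.monotonic,
        sleep=clock.sleep,
    )


if __name__ == "__main__":
    print("IPv6 disabled on this host:", ipv6_disabled_in_kernel())
    print(simulate(0.5, ipv6_disabled=False))   # ('ready', 0.5)
    print(simulate(0.5, ipv6_disabled=True))    # ('skipped', 0.0)
    print(simulate(30.0, ipv6_disabled=False))  # ('timeout', 10.0)
```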

trixie-port - port Whonix-Gateway to privleap

  • currently broken: anon connection wizard, tor control panel
  • Aaron: Pushed new commits to anon-connection-wizard and tor-control-panel to fix issues in both. Untested (yet).
  • Patrick: Merged.

trixie port - sysmaint session occasional black screen


trixie-port - keyboard layout change usability improvements

  • user story: I am a VM user, in a user session, CLI. How do I change my keymap? "sudo loadkeys de"? Doesn't work. No sudo.
  • todo:
    • refuse running set-labwc-keymap as root
    • set-console-keymap: CLI tool that can be used to configure the virtual terminal
    • set-multi-keymap: CLI tool that can set the keymap for the currently logged-in account (most likely user), sysmaint and root. It should be a wrapper around set-console-keymap and set-labwc-keymap: a tool that sets the keymap for all places relevant to the user.
      • sysmaint GUI: set-labwc-keymap --persist keymap
      • user GUI: sudo --non-interactive -u user set-labwc-keymap --no-reload --persist keymap
      • sysmaint CLI: set-console-keymap de
      • user CLI: sudo --non-interactive -u user set-console-keymap de
    • not sure about --non-interactive
  • Aaron: Implementation ended up being via two wrapper scripts, set-labwc-keymap and set-system-keymap, the former of which configures labwc for the current user, the latter of which configures labwc and the console for all users (with labwc settings being overridable by user-specific settings). The main reason for this is that there is no user-specific console keyboard layout, only a system-wide one. Both scripts wrap a library, set-keyboard-layout.sh. Changes pushed to helper-scripts.
    • Test plan completed, some fixes made during testing.
  • Patrick: Merged.

trixie port - greetd only provides one chance to log in


trixie-port - desktop environment broken after release upgrade

  • Kicksecure Xfce 17.4.4.6 (for VirtualBox)
  • sudo apt update && sudo apt dist-upgrade
  • sudo release upgrade
  • reboot
  • bug: desktop environment no longer starting
  • debugging:
    • in sysmaint session, CLI:
systemctl is-enabled greetd
disabled
sudo journalctl --boot -u sysmaint-boot
...
INFO: Wayland session: 'no'
...

trixie port - display brightness


curl dns ticket reply

  • https://github.com/QubesOS/qubes-core-agent-linux/pull/614
    • I thought my reply was productive. But apparently not. Please discuss, comment.
      • Aaron: Can't comment, discussion has been locked to limited collaborators there. However I don't see anything non-productive about the comment at https://github.com/curl/curl/discussions/11125#discussioncomment-7498491. If a Tor developer went out of their way to say the library shouldn't block onion resolution, and they do anyway because a Tor spec supposedly says they should, that's a strange decision and one they arguably shouldn't have made. Not sure much else can be done there other than work around the issue as we do now.

misc review


qubes - kernel boot mode for Template shows user session instead of sysmaint session

  • todo
  • Aaron: Cannot reproduce.
    • Freshly installed Kicksecure 17 template:
      • Boot mode: PERSISTENT Mode - SYSMAINT Session
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • After upgrading from Kicksecure 17 to Kicksecure 18:
      • Boot mode: PERSISTENT Mode - SYSMAINT Session
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • Freshly installed Whonix-Workstation 17 template:
      • Boot mode: PERSISTENT Mode - SYSMAINT Session
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • After upgrading from Whonix-Workstation 17 to Whonix-Workstation 18:
      • Boot mode: PERSISTENT Mode - SYSMAINT Session
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • Freshly installed Whonix-Gateway 17 template:
      • Boot mode: PERSISTENT Mode - USER Session
        • Expected, since Whonix-Gateway does not have user-sysmaint-split installed on it.
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • After upgrading from Whonix-Gateway 17 to Whonix-Gateway 18:
      • Boot mode: PERSISTENT Mode - USER Session
      • AppVM default boot mode: PERSISTENT Mode - USER Session
    • AppVMs for both Kicksecure 18 and Whonix-(Workstation/Gateway) 18 have the correct "PERSISTENT Mode - USER Session" boot mode
  • Patrick: Whonix-Gateway - without user-sysmaint-split - shouldn't show PERSISTENT Mode - USER Session since not applicable?
  • Aaron: After threat model discussion, choosing to install user-sysmaint-split in Whonix-Gateway.
    • See chat notes, fixing a UX issue requires some files to move in a way that will either require a painful migration process or require Whonix 18 and Kicksecure 18 systems to be rebuilt/reinstalled/repaired by the end user. Would suggest the latter, as Kicksecure/Whonix 18 doesn't have even testing releases out yet.
      • Patrick: Confusion fixed by installing user-sysmaint-split by default.

systemcheck - dependencies version check broken

[INFO] [systemcheck] kicksecure-dependencies-cli: Could not detect derivative kicksecure-dependencies-cli version. (Code: 2) Please report this bug!
  • Fix should be added to usr/libexec/systemcheck/preparation.bsh:
   if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
      derivative_deb_package_name="whonix-gateway-packages-dependencies-cli"
   elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
      derivative_deb_package_name="whonix-workstation-packages-dependencies-cli"
   elif [ -f "/usr/share/kicksecure/marker" ]; then
      derivative_deb_package_name="kicksecure-dependencies-cli"
   fi
  • Patrick: Fixed.

Qubes Kicksecure Template - unrestricted session - requires sudo password bug

  • Qubes Kicksecure 18 Template
  • unrestricted session
  • bug: asks for sudo password
  • perhaps run: passwordless-root
  • Aaron: Reproduced issue. Fix: https://github.com/ArrayBolt3/user-sysmaint-split/commit/acdf596affe8c40232863a83f19f4101607600c9
    • This fix is insufficient on its own because passwordless-root is persistent even in AppVMs. Need to make it ephemeral in AppVMs by default, persistent only if explicitly requested.
      • Done, commits pushed to helper-scripts and usability-misc. NOTE: This includes moving passwordless-root from usability-misc to helper-scripts (done to avoid needing to add usability-misc as a dependency of user-sysmaint-split), so this will require the Breaks/Replaces in helper-scripts to be bumped.
      • Patrick: Merged.

install extrepo-offline-data by default

  • todo
  • Patrick: Done.

repository-dist-wizard gui broken in Qubes R4.3

  • input by keyboard functional
  • input by mouse clicks broken
  • if not easily reproducible then please ignore
  • Aaron: Reproduced, I can select the "No..." radio button with the mouse, but not the "Yes..." radio button.
    • Moving the radio button group box down so that it isn't partially overlapped by the text above resolves the problem.
    • Short-term solution, move the box down.
    • Long-term solution, this should be using layouts so that the window can be resized freely and overlap bugs of this sort don't occur. This will also make the wizard compatible with non-default Qt themes which may have differently sized elements.
    • Implemented long-term solution: https://github.com/ArrayBolt3/repository-dist/commit/9c9feff070470b4494520c8a5d16699f6185a04c Tested on Whonix-Gateway, works.
      • Patrick: Merged.

trixie port - Qubes R4.3 Templates

  • Kicksecure, Whonix: Please bump Qubes R4.3 upstream to Kicksecure, Whonix 18
  • Aaron: Waiting on input on upgrade plan.
  • https://github.com/QubesOS/qubes-issues/issues/10253
  • Aaron: Marek seems to be doing this so far. Will watch and assist where possible.
    • This appears to have been completed.

/etc/apt/sources.list.d/debian.sources not readable by user, only readable by root

  • is this intended?
  • Aaron: Not intended. I'm unable to reproduce this issue though - neither a fresh ISO installation of Kicksecure nor Whonix-Gateway or Whonix-Workstation VirtualBox VMs have this issue. Also not seeing this issue in a Whonix-Gateway 18 sys-whonix on Qubes R4.3.
    • I believe I've seen this issue occur in the past, but haven't seen it in a while. I'm happy to build new VM images and check them for this issue if desirable.
    • Patrick: No longer reproducible.

sysmaint-panel - sysmaint session - add display settings shortcut

  • add open display settings
  • rationale: When booting for the first time and into sysmaint session inside a VM, the display is too big.
  • Aaron: Implemented in sysmaint-panel. Also pushed commits to developer-meta-files and kicksecure-meta-packages for adding kanshi.
    • Patrick: Merged.

ISO - virtualbox guest additions missing


browser-choice - better notification when action such as installation is complete

  • todo
  • once there is an exit code of zero or non-zero, show a passive popup? change window color? animation?
  • Aaron: Implemented in browser-choice. Also found and fixed an unrelated bug with dist-virtual-keyboard in helper-scripts.
    • Decided to use a notify-send popup because that will work in both sysmaint and user sessions and has a good chance of getting the user's attention even if the browser-choice window is hiding behind another window or is minimized. Considered using QWindow::alert but this would probably have not worked in a sysmaint session.
      • Patrick: Merged.

volume setting in sysmaint systray

  • usability bug: when hovering over the volume widget in the sysmaint session, its color gets darker, which implies it is clickable, but it actually is not clickable
  • Aaron: Fixed with a commit to desktop-config-dist.
    • Patrick: Merged.

sysmaint - restart of greetd allows login into regular desktop session

  • sudo systemctl restart greetd
  • login as sysmaint
  • bug: expected: sysmaint session. actual: normal desktop session
  • Aaron: Fixed this and a bunch of related issues that popped up when the sysmaint session had autologin disabled. Changes pushed to helper-scripts, user-sysmaint-split, and desktop-config-dist.
    • Patrick: Merged.

browser-choice - brave installation broken

  • Kicksecure 17 release upgraded to Kicksecure 18
+ pkexec bash -c -- 'extrepo enable brave_release && apt-get update && apt-get-noninteractive --no-install-recommends --yes install brave-browser'
500 Can't connect to extrepo-team.pages.debian.net:443 (Temporary failure in name resolution) at /usr/share/perl5/Debian/ExtRepo/Data.pm line 34.
Could not download index YAML file:

Done, but operation failed!

Qubes Kicksecure Template Upgrade in R4.3

  • todo
  • Aaron: Cannot reproduce issues mentioned in chat. Successfully updated Kicksecure, Whonix-Gateway, and Whonix-Workstation 17 to 18 on Qubes R4.3 with no special configuration changes required.

systemcheck - split log parsing code


setxkbmap replacement too for wayland


calamares - language setup

  • please set up for
    • CLI user
    • CLI sysmaint
    • GUI user
    • GUI sysmaint
  • Aaron: Setting a non-English language in Calamares already sets the language for all of these scenarios in the installed system. Tested by doing an ISO installation of Kicksecure 18 with the language set to Spanish (Mexico). Spanish-translated strings were visible in all four session types. Admittedly, many strings were not translated, but that is likely simply a case of missing translations.

trixie port - qubes-core-agent-pcmanfm-qt


kloak - systemd ordering cycle

  • host: trixie (non-Kicksecure)
 [SKIP} kloak.service to stop ordering cycle loop 
graphical.target: Found ordering cycle on multi-user.target/start
graphical.target: Found dependency on kloak.service/start
graphical.target: Found dependency on graphical.target/start
graphical.target: Job kloak.service/start deleted to break ordering cycle starting with graphical.target/start 
  • wild guess: related to removal of symlinks?
  • no more information available. Will hopefully be posted in the forums.
  • Aaron: Cannot reproduce on Debian 13 with GNOME Desktop, using the pre-v2 version of kloak. User may have added a configuration rule that attempted to require kloak to start before multi-user.service. Waiting on more info.
  • https://forums.whonix.org/t/kloak-latest-update-is-broken/22244

ESP - EFI system partition versus dracut generic

  • we're now using /etc/dracut.conf.d/30-dist-base-files.conf
compress="xz"
hostonly="yes"
hostonly_mode="sloppy"
  • Should we therefore increase the size of the ESP?
  • grml
  • calamares
  • Aaron: No changes needed to EFI partition size, dracut initramfs files are stored in /boot, not /boot/efi.
    • As discussed, boot partition doesn't need to be larger, it's 4 GB with Calamares and is integrated into the root partition on VM images.
    • grml-debootstrap is not interested in increasing the EFI partition size at this time, so I don't believe there's any reason to do this.
  • Patrick: Should have said /boot partition.
    • VMs: We are not using a separate /boot partition.
    • Host: Fedora increased /boot to 2 GB. We're already using 4 GB for /boot when installing using calamares.
    • This issue does not exist.

bindp - compilation warning - _GNU_SOURCE redefined

Setting up bindp (3:4.2-1) ...
/usr/lib/bindp.c:48:9: warning: "_GNU_SOURCE" redefined
   48 | #define _GNU_SOURCE
      |         ^~~~~~~~~~~
<command-line>: note: this is the location of the previous definition
  • Patrick: Merged.

install an onscreen keyboard by default

  • todo
  • purpose: configuring a keyboard layout when the user does not know how to enter a special character such as "=" using the local keyboard
  • related: On-Screen Keyboard
  • Aaron: Done, new commits pushed to developer-meta-files, kicksecure-meta-packages, and usability-misc for this.
  • Patrick: Merged.

trixie port - Whonix update failure if sys-whonix isn't already running


change keyboard layout versus ISO

  • currently, changing the keyboard layout requires a reboot, but that is a contradiction on the ISO, which cannot be rebooted
    • Aaron: I don't think keyboard layout changes require a reboot - if kloak isn't running, they take effect immediately after running labwc --reconfigure (which is automatically done by the newly created set-labwc-keymap script). If kloak is running, they take effect after kloak is restarted (which can be done even from a user session with Right Shift + Escape).
    • In the event a full compositor restart was needed to make a settings change take effect, logging out and logging back in would be sufficient to restart the compositor, even on the ISO.
  • https://github.com/labwc/labwc/issues/1407
    • Aaron: This bug appears fixed in Trixie.

sysmaint-panel - new shortcuts

  • add onscreen keyboard shortcut
  • add open display settings or open lxqt settings shortcut
  • Aaron: Implemented, pushed commits to usability-misc, helper-scripts, sysmaint-panel.
    • LXQt settings button will only appear in non-sysmaint sessions, as it is not useful and possibly misleading in sysmaint sessions.
  • Patrick: Merged.

sdwdate-gui - add left click menu

  • usability bug: currently left click on sdwdate-gui does nothing
    • Aaron: Unfixable or at least extremely difficult to fix due to a combination of Wayland and Qt limitations.
    • Qt does not expose any API for popping up the menu the way a right-click pops it up. The only way to pop up a menu on a left-click is by using one of the exec() or popup() functions on the menu itself, which causes them to appear as a window in the middle of the screen under Wayland rather than them appearing as a popup menu.
    • Both Qt5 and Qt6 behave in the same way.
    • ChatGPT recommended using Gtk to create the context menu instead. A quick test revealed that Gtk has similar issues as Qt in this regard. I did not discover how to get a left-click to be registered by Gtk, documentation appears to be sparse and ChatGPT was not able to offer a functional suggestion.
    • I tried to see if it would be possible to use D-Bus to trigger the StatusNotifierItem associated with the QSystemTrayIcon to pop up a menu. The closest I was able to get to making this work simply popped up a window containing the menu in the middle of the screen.
    • The removable media and sound application icons seem to be left-clickable, but these are LXQt Panel plugins, not system tray icons. I suspect that's why they work, in which case that isn't a suitable solution for us.
    • It might be possible in the future to create an LXQt panel plugin for sdwdate_gui_server, but this would most likely require rewriting sdwdate_gui_server in C++, which I do not believe is practical at the moment.
    • For now, probably best to live with the issue, and make the time synchronization monitor popup specify "Right-click for menu" rather than "Click for menu".
    • Commit pushed to sdwdate-gui to change wording as described above.

labwc environment default configuration file

  • if file ~/.config/labwc/environment does not exist, pre-populate it with XKB_DEFAULT_LAYOUT= (and other useful settings?)
  • might not be needed if the tool below gets implemented
  • Aaron: Ignoring in favor of setxkbmap replacement tool, as suggested.

compiled code - remove unsafe sanitizers

  • All sanitizers except minimal UBSan are unsafe to use in production; they may result in security vulnerabilities.
  • LSan is causing sclockadj to go into an infinite loop on exit for Marek.
  • Leave minimal UBSan runtime enabled, remove full UBSan and ASan from all code.
    • As it turns out, only Clang supports the minimal UBSan runtime, but we use GCC, so this is not possible. Just disable all sanitizers.
  • Adjust sanitizer flags in compiler flags wiki page.
  • Done, changed sdwdate, bindp, kloak, and security-misc to remove all sanitizers.

trixie port - misc remaining issues

  • Aaron:
    • swaylock is configured to show a solid black screen. We may want to show something else so that the user knows the system isn't broken and is awaiting a password.
      • Turns out telling the user that the system is awaiting a password is impossible with Swaylock's current feature set. See https://github.com/swaywm/swaylock/issues/100.
      • Asked Debian if they would be interested in us providing a patch to them, will likely contact the swaylock maintainer if that is confirmed as the correct next step.
      • Added background color / image configuration for now.
      • Swaylock has rejected further requests to allow displaying user-defined text on the lock screen, because they consider it an aesthetic feature and do not target a userbase that needs to be told that the lockscreen is waiting for them to type their password.
      • Debian has rejected an offer of a patch because the maintainer wants to stick with Swaylock upstream.
      • For now, we will likely just document how to unlock the screen and hope users don't get confused.
      • Documented: https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Screen_Lock
    • some systemcheck gripes need to be silenced, mostly just journal check stuff, but also the virtualizer check is "failing" on physical hardware because systemd-detect-virt returns non-zero if running on physical hardware. We probably shouldn't interpret that as failure.
      • Silenced a lot of these, but still have to build new VBox and KVM VMs to ensure all of them are silenced if possible.
      • Also fixed the virtualizer check.
    • Need to build the Qubes templates and make sure they actually work. I haven't tried to build a Qubes template even once so far. That's probably what I'm going to do now.
      • Kicksecure template built after some effort.
        • Need to submit changes to qubes-builderv2 so this works out of the box.
          • Somewhat done; Marek has changes in-flight that will do this for us.
        • Need to modify qubes-template-kicksecure to point to kicksecure-qubes-gui-lxqt package.
          • Done.
        • Need to modify qubes-template-kicksecure to point to trixie-developers repository.
          • Done.
        • Need to update template build documentation.
          • Done.
      • Whonix templates still need to be built.
    • Might be good to launch Flameshot on login, make it not show a "welcome" message when launched, and bind the Print Screen key so that it triggers the screenshot UI when pressed.
      • We've decided to simply document this for now, since Flameshot consumes 80+ MB memory at idle. TODO: Where should we document this?
        • Patrick: Software?
        • Aaron: Good, let's just stick with the existing documentation there.
    • We should be configuring PCManFM-Qt to not show graphical thumbnails. (PCManFM-Qt is also missing some of our distribution-specific configuration because of some odd behavior with configuration profiles, a symlink should be enough to solve that.)
      • Done, tested, works on physical hardware and Qubes OS.
    • In the sysmaint session, the battery status notification takes a long time to notice if AC power is plugged in or unplugged. Should be pretty easy to solve by just shortening the check interval to 5 seconds rather than the default of 60.
      • Done, tested, works on physical hardware.
    • We need to document how to configure the keyboard layout using labwc. At some point we may want to write a tool for this, it's just a matter of modifying a configuration file written in XML, and Python has built-in XML manipulation capabilities. They can't be used on untrusted XML, but the labwc configuration won't be untrusted.
      • Done.
    • CLI builds don't have enhanced zsh configuration yet. Not sure if we figured out what to do with that, I think we wanted to create a new package for this but haven't actually done so yet.
      • Fixed by Patrick.

browser-choice - consider using --no-install-recommends

  • bug: Installing chromium from Debian package sources results in installing avahi and cups. Better sudo apt install --no-install-recommends chromium chromium-sandbox?
  • use --no-install-recommends whenever applicable
  • Patrick: Done.

kloak - core versus adapter split

screenlocker backdoors

trixie port - anon-ws-disable-stacked-tor apparmor issues

  • apparmor fails to start if /etc/apparmor.d/abstractions/tor does not exist, but shipping this file in anon-ws-disable-stacked-tor results in upgrade problems because Tor is being installed by default on Whonix-Workstation 17
  • Patrick: Merged.
  • Aaron: Ended up removing this fix and replacing it with an if exists fix instead as discussed. Commits pushed to helper-scripts, systemcheck, and anon-ws-disable-stacked-tor for this.
  • Patrick: Merged.
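The "if exists" approach referenced above, as an added shell example that is not part of any Kicksecure package: it finds the abstractions a profile includes unconditionally that are absent from the AppArmor directory (the condition that makes apparmor fail to start), and rewrites such an include into AppArmor's optional `include if exists` form. The sample profile, the path /usr/bin/example-tor-client and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of any Kicksecure package.
# Detects AppArmor profile includes that point at files which are absent
# (apparmor refuses to load such a profile) and rewrites them into the
# optional "include if exists" form introduced in AppArmor 3.0.

# Constructed sample profile; the program path is hypothetical.
SAMPLE_PROFILE='abi <abi/4.0>,
include <tunables/global>

/usr/bin/example-tor-client {
  include <abstractions/base>
  #include <abstractions/tor>
  /usr/bin/example-tor-client mr,
}'

# Read a profile on stdin; print each unconditional include whose target
# does not exist under the AppArmor directory given as $1 (default /etc/apparmor.d).
# "include if exists <...>" lines are not reported, since they cannot fail.
missing_hard_includes() {
    apparmor_dir=${1:-/etc/apparmor.d}
    sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*<\([^>]*\)>.*/\1/p' |
    while IFS= read -r inc; do
        [ -e "$apparmor_dir/$inc" ] || printf '%s\n' "$inc"
    done
}

# Read a profile on stdin; rewrite every unconditional include of the
# abstraction named in $1 (e.g. abstractions/tor) to "include if exists",
# preserving indentation and leaving every other line untouched.
make_include_optional() {
    abstraction=$1
    sed "s|^\([[:space:]]*\)#\{0,1\}include[[:space:]]*<$abstraction>|\1include if exists <$abstraction>|"
}

# Example run: report against the live system, then print the fixed profile.
printf '%s\n' "$SAMPLE_PROFILE" | missing_hard_includes
printf '%s\n' "$SAMPLE_PROFILE" | make_include_optional abstractions/tor
```

`include if exists` needs AppArmor 3.0 or newer, which trixie ships; running the check against the real /etc/apparmor.d before and after a package upgrade shows whether any unconditional include points at a file that another package owns and may remove.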

privleap comment

kloak - natural scrolling

trixie port - browser-choice versus user-sysmaint-split

  • user-sysmaint-split installed
  • Qubes Template
  • Kicksecure trixie based
  • Qubes R4.2
    • This may not be applicable to Qubes R4.3.
  • Also reproducible in Qubes R4.2 + bookworm based Kicksecure.
  • The following error message is not applicable:
You are currently running Browser Choice inside a user session. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, reboot, select PERSISTENT Mode| SYSMAINT Session | system maintenance tasks from the boot menu, and click Install a Browser in the System Maintenance Panel. See Sysmaint for more information.
You are currently running Browser Choice as a normal user. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, open a terminal in dom0, run qvm-run -u root VMNAME xfce4-terminal, then run browser-choice from that terminal. See Sysmaint for more information.

trixie port - adjust Qubes templates for LXQt

unshare vs. ptrace

trixie port - FDE systemcheck test passing incorrectly

trixie port - wl-clipboard

browser-choice - inside Qubes Template - prohibit starting browsers

tirdad - improvements

trixie port - usbguard - IPC connection failure

  • Happening inside Qubes (R4.2) Template
IPC connection failure!IPC connect: service=usbguard: Operation not permitted

trixie port - KVM shared clipboard

trixie port - VirtualBox shared clipboard

remove unnecessary dependencies from arc-theme

  • https://github.com/UbuntuBudgie/arc-theme/pull/2
  • since upstream is unlikely to react, could you please send a patch to Debian instead if that seems possible/useful?
  • or perhaps a different, better theme? separate ticket: #desktop theme improvements
  • Aaron: Pinged Ubuntu Budgie upstream via Matrix, got a response, waiting to see how (or if) that develops. Debian is likely not the right place to override this unless we absolutely have to do that. In either event, the dependencies won't be removed until Forky at best.
  • Cancelled, we are not using the arc theme any longer.

qubes boot modes - GRUB in-vm kernel support

trixie port - desktop theme improvements

  • suggestions from https://forums.whonix.org/t/xfce-theming-a-few-suggestions/7205/82 valid?
  • useful to change the desktop theme?
  • Might be useful to postpone until after the port to trixie, i.e. after the first trixie-based release, because by that time the desktop environment choice (Xfce vs LXQt) and Wayland should be settled. No point in improving the Xfce-based style if we port to LXQt.
  • Provided suggestions for improving Xfce theming and attempted to port the theming to LXQt. Should defer to Trixie.
  • Can be postponed after the first trixie based release.
  • Aaron: Mostly implemented as part of the port to LXQt, but we should entirely remove MATE's notification daemon in favor of LXQt's (this hasn't been done yet).
  • Aaron: This is now done and has been merged for a while.

trixie port - check compiled code

  • does our compiled code still compile on trixie?
  • and compile time warnings to fix?
  • any new compile time hardening flags that should be used?
    • Perhaps our own compilation hardening wrapper would be useful?
  • this is mostly about kloak but may affect other compiled code
  • use -fanalyzer, where sensible.
  • For high effort, lower gain items, please create lower priority follow-up issues for post trixie.
    • Aaron: Documented compilation flags at Dev/compiler hardening
      • I seem to have messed up the page title... it says "compiler_hardening" rather than "compiler hardening" in the navbar. Is there a way to fix it?
        • Patrick: Fixed.
    • Aaron: Hardened sclockadj, bindp, and emerg-shutdown. kloak was hardened in earlier tasks. Did not harden tirdad yet, unsure if it's possible / safe to do so.
      • Patrick: Follow-up ticket created.
  • Patrick: All merged.
  • Patrick: Please try hardening-check and address, if applicable.
hardening-check /usr/libexec/sdwdate/sclockadj 
/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
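To act on the hardening-check output above in a repeatable way, here is an added shell example (not Kicksecure's own tooling and not part of devscripts): it parses a hardening-check report, lists every protection reported as "no", and maps each one to the GCC/ld flag that usually provides it. The report embedded below is a constructed copy of the sclockadj output above, the function names are hypothetical, and the flag table assumes GCC on x86-64 or aarch64.

```sh
#!/bin/sh
# Added example, not part of the Kicksecure wiki or devscripts.
# Parses a hardening-check report and maps missing protections to
# the compiler/linker flags that usually provide them.

# Constructed copy of the sclockadj report shown on the page; a real run
# would be: hardening-check /usr/libexec/sdwdate/sclockadj
SAMPLE_REPORT='/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!'

# Read a report on stdin; print the name of every check whose result
# begins with "no". The "unknown, no ..." results are deliberately skipped,
# because they mean the check had nothing to inspect, not that a protection is absent.
missing_protections() {
    awk -F': ' '/^ / && $2 ~ /^no(,|$)/ { sub(/^ /, "", $1); print $1 }'
}

# Map a check name to the GCC/ld flag that normally satisfies it.
# Hypothetical table (assumes GCC on x86-64 or aarch64), not taken from hardening-check.
suggest_flag() {
    case "$1" in
        'Position Independent Executable') echo '-fPIE -pie' ;;
        'Stack protected')                 echo '-fstack-protector-strong' ;;
        'Fortify Source functions')        echo '-D_FORTIFY_SOURCE=3 -O2' ;;
        'Read-only relocations')           echo '-Wl,-z,relro' ;;
        'Immediate binding')               echo '-Wl,-z,now' ;;
        'Stack clash protection')          echo '-fstack-clash-protection' ;;
        'Control flow integrity')          echo '-fcf-protection=full' ;;         # x86 CET
        'Branch Protection')               echo '-mbranch-protection=standard' ;; # aarch64 BTI/PAC
        *)                                 echo '(no known flag)' ;;
    esac
}

# Print "check -> flag" for each missing protection in a report read from stdin.
report_missing() {
    missing_protections | while IFS= read -r check; do
        printf '%s -> try %s\n' "$check" "$(suggest_flag "$check")"
    done
}

# Example run against the constructed report.
printf '%s\n' "$SAMPLE_REPORT" | report_missing
```

hardening-check prints the Control flow integrity (x86 CET, -fcf-protection) and Branch Protection (aarch64 BTI/PAC, -mbranch-protection) lines for every binary regardless of its architecture, so on an x86-64 build only the first of those two findings is actionable; an "unknown" result means the check found nothing to inspect, not that the protection is missing.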

trixie port - switch image viewer to loupe

  • current default image viewer is Tor Browser, which is non-ideal
  • lximage-qt is potentially dangerous
  • loupe uses Glycin to load images, which is sandboxed and written in Rust, thus likely less vulnerable
  • Done, made changes to tb-starter, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages to change this.
  • Patrick: Merged.

trixie port - physical hardware installation uses /dev path in grub.cfg

trixie port - wlgreet autologin for sysmaint session broken on ISO

trixie port - Kicksecure Qubes test

  • install firmware-nonfree in Kicksecure Qubes. It is also installed by default in the Debian Qubes Template.
    • Aaron: Package wpasupplicant also had to be installed to get Wi-Fi to work.
  • Does DNS work when using a Kicksecure 18 based sys-net?
    • Aaron: Yes, DNS seems fine. Was able to reach Google, Bing, Reddit, speedtest.net, and qubes-os.org at least.
  • sys-firewall ok?
    • Aaron: Yes, all connectivity from the AppVM used for testing went through sys-firewall and encountered no issues. Reconfiguring sys-firewall to block connections to everything except Wikipedia resulted in Wikipedia working but all other outgoing connectivity breaking, as expected. Undoing that configuration restored outgoing connectivity, as expected. Works both with WiFi and Ethernet.
  • Kicksecure Qubes internet speed versus Debian Internet speed?
    • Aaron: WiFi test results (using a Fedora 42 AppVM with Firefox):
      • With sys-net based on Kicksecure 18:
        • Test 1: 55.58 Mbps down, 2.08 Mbps up
        • Test 2: 54.86 Mbps down, 2.20 Mbps up
        • Test 3: 62.13 Mbps down, 2.25 Mbps up
      • With sys-net based on Debian 13:
        • Test 1: 51.89 Mbps down, 2.61 Mbps up
        • Test 2: 50.06 Mbps down, 2.68 Mbps up
        • Test 3: 45.32 Mbps down, 2.11 Mbps up
      • Conclusion: Likely no difference. Debian 13 appears slower than Kicksecure 18 in testing, but that is most likely due to speed fluctuations with my cellular Internet connectivity. Speeds seem coherent with the speeds I usually see with Ubuntu.
    • Aaron: Ethernet test results (using a Fedora 42 AppVM with Firefox):
      • With sys-net based on Kicksecure 18:
        • 18.59 Mbps down, 1.89 Mbps up
        • 19.91 Mbps down, 2.07 Mbps up
        • 18.39 Mbps down, 1.97 Mbps up
      • With sys-net based on Debian 13:
        • 20.58 Mbps down, 2.01 Mbps up
        • 20.95 Mbps down, 1.83 Mbps up
        • 20.29 Mbps down, 1.90 Mbps up
      • Conclusion: Likely no or relatively negligible difference. Debian 13 appears faster than Kicksecure 18 in testing, but again, this is probably because of network speed fluctuations on my end, and this is as good or better than speeds I was seeing using this link previously. (Note that because my hotspot's Ethernet support is buggy, I used NetworkManager internet connection sharing from another laptop with Ethernet, which is probably why this is so much slower than WiFi.)
  • Aaron: Should we be pre-installing wpasupplicant in some instances? It appears to be preinstalled in the Debian 13 template.
    • Patrick: Please install.
  • Patrick: Please look for other missing packages.
  • Aaron: Added wpasupplicant to Kicksecure for Qubes and baremetal.
  • Aaron: No additional packages were needed for wired networking to function properly.

trixie port - decrease touchpad sensitivity
