ToDo for Developers

From Kicksecure

TODO

TODO DEV

systemcheck - add account_locked_check

  • check that root account is locked in systemcheck
  • check that other accounts are locked when they are expected to be locked
    • in user session: sysmaint account - if existing - should be locked
    • any other accounts, if any come to mind
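A minimal form of such a check, as an added example written for this page (not systemcheck's own code): it classifies an account from its shadow(5) entry the same way `passwd --status` does, treating a password field that starts with `!` or `*` as locked, and evaluates a list of accounts that are expected to be locked, skipping accounts that do not exist (a user session without a sysmaint account). The shadow file below is constructed with placeholder hashes; on a real system the check would read /etc/shadow as root instead.

```shell
#!/bin/sh
# Added example; not part of systemcheck. Reads a shadow(5)-style file and
# reports whether the listed accounts are locked.

# shadow_line_locked LINE: 0 when the password field (2nd colon-separated
# field) starts with '!' or '*', the same condition under which
# 'passwd --status' prints "L"; 1 otherwise (usable password or empty field).
shadow_line_locked() {
  hash=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$hash" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# account_locked NAME SHADOW_FILE: 0 = locked, 1 = not locked,
# 2 = account not present in the file.
account_locked() {
  line=$(grep "^$1:" "$2") || return 2
  shadow_line_locked "$line"
}

# check_expected_locked SHADOW_FILE NAME...: one status line per account;
# returns 0 only if every listed account that exists is locked. Accounts that
# do not exist (e.g. no sysmaint account on a non-split system) are skipped.
check_expected_locked() {
  shadow_file=$1; shift
  rc=0
  for name in "$@"; do
    status=0
    account_locked "$name" "$shadow_file" || status=$?
    case $status in
      0) printf 'OK: account %s is locked\n' "$name" ;;
      2) printf 'SKIP: account %s does not exist\n' "$name" ;;
      *) printf 'WARNING: account %s is NOT locked\n' "$name"; rc=1 ;;
    esac
  done
  return $rc
}

# sample_shadow: writes a constructed shadow file to a temp file and prints
# its path. The hash values are placeholders, not real password hashes.
sample_shadow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:!*:20000:0:99999:7:::
daemon:*:20000:0:99999:7:::
sysmaint:$y$j9T$PLACEHOLDERHASH:20000:0:99999:7:::
user:$y$j9T$PLACEHOLDERHASH:20000:0:99999:7:::
EOF
  printf '%s\n' "$f"
}

# Stand-alone run: simulate a user session where root and sysmaint must be locked.
if [ "${1:-}" = "--demo" ]; then
  f=$(sample_shadow)
  check_expected_locked "$f" root sysmaint
  rm -f "$f"
fi
```

Note that "locked" here means the password is unusable, which is all that `passwd --status` reports; other authentication paths (SSH keys, PAM modules) are governed separately and would need their own checks.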

wayland - gui applications with root rights

sudo XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR application-name

  • related wiki chapter: Wayland
  • should use lxsudo instead of plain sudo? This currently contradicts chapter Graphical Applications and Root Rights.
    • Aaron: Tested, lxsudo does not work for launching graphical applications as root under Wayland. sudo with the described environment variable does as long as the graphical toolkit being used attempts to use Wayland.
  • or sudo --set-home?
    • Aaron: Unsure how this would be helpful.
  • Aaron: Added some additional documentation to resolve the contradiction somewhat and fix a Qt-related issue.
  • Patrick: Please reconsider sudo --set-home as mentioned.

dracut initrd compression

  • research compression options
  • probably use zstd

browser choice

user-sysmaint-split - Whonix-Gateway

  • think through what verified_boot=on versus verified_boot=off should do on Whonix-Gateway
  • document on Dev/user-sysmaint-split

SSH wiki page review

  • review SSH wiki page
  • this is in preparation for later when porting to Debian trixie, because then the SSH client and separate SSH server configuration snippets should be shipped together with security-misc (there is already a separate task for that)
  • should we use UsePAM No?
    • Issue when using UsePAM No: libpam-tmpdir is ignored, because not using PAM and folder /run/user/1000 is not created after login.
  • SSH Login Comparison Table doesn't need a thorough review.
  • Sane to use PQC (post quantum cryptography) ciphers as much as possible only?
    • Aaron: The default key exchange algorithm in Debian 13 is mlkem768x25519-sha256 (which is quantum-resistant). It might be a good idea to not change the default settings so as to prevent people locking themselves out of their servers on upgrade. Perhaps we should document how to turn off non-quantum-resistant algorithms manually?
      • Patrick: Yes.
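As an added example of the manual restriction Aaron suggests documenting (not text or code from the wiki page), the snippet below derives an sshd_config drop-in that keeps only the quantum-resistant hybrid key exchange methods the local OpenSSH build reports. Generating the list from `ssh -Q kex` rather than hardcoding it is what avoids the lock-out scenario above: a method the installed build does not support never ends up in the file, and an empty list is refused. The `ssh -Q kex` output is a constructed sample for a Debian 13 host; the drop-in file name and the classification of methods by the substrings `mlkem` and `sntrup` are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the Kicksecure wiki. Builds a KexAlgorithms line
# restricted to post-quantum hybrid methods from a list of supported methods.

# pq_kex_from_list: read one KEX method name per line on stdin (the format
# printed by 'ssh -Q kex') and print the quantum-resistant hybrids as a
# comma-separated list. Returns 1 if none is available, so the caller never
# writes an empty (and therefore invalid) KexAlgorithms directive.
# Assumption: the hybrid methods are recognisable by "mlkem" / "sntrup".
pq_kex_from_list() {
  list=$(grep -E 'mlkem|sntrup' | paste -s -d, -)
  [ -n "$list" ] || return 1
  printf '%s\n' "$list"
}

# render_kex_dropin LIST: contents of an sshd_config.d drop-in for LIST.
render_kex_dropin() {
  printf '# Only post-quantum hybrid key exchange (generated from ssh -Q kex)\n'
  printf 'KexAlgorithms %s\n' "$1"
}

# sample_ssh_q_kex: constructed stand-in for 'ssh -Q kex' on Debian 13
# (OpenSSH 10). On a real host, pipe the real command instead.
sample_ssh_q_kex() {
  cat <<'EOF'
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256
EOF
}

# write_pq_dropin OUTFILE: generate the drop-in from the live ssh binary.
# Not run automatically; intended usage (file name is an assumption):
#   write_pq_dropin /etc/ssh/sshd_config.d/90-pq-only.conf && sshd -t
write_pq_dropin() {
  kex=$(ssh -Q kex | pq_kex_from_list) || {
    echo "no post-quantum KEX supported here; not writing $1" >&2
    return 1
  }
  render_kex_dropin "$kex" > "$1"
}

# Demo on the constructed list:
if [ "${1:-}" = "--demo" ]; then
  sample_ssh_q_kex | pq_kex_from_list | { read -r kex; render_kex_dropin "$kex"; }
fi
```

Because Debian's sshd_config includes sshd_config.d/*.conf before its own directives and sshd keeps the first value it sees, the drop-in takes precedence. Validate with `sshd -t`, then keep an existing session open while restarting sshd so that a list a client cannot negotiate does not lock you out; the same `KexAlgorithms` directive in ~/.ssh/config restricts the client side.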

investigate Debian Rolling

  • investigate why Debian Rolling initiative failed
    • From initial research:
      • Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
      • Limited manpower, no one appears to have tried to actually do it
      • Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
      • Likely worth trying to resurrect
  • contact people involved previously, if that makes sense
  • suggest prospective developers
  • Started to write tooling for this: https://github.com/ArrayBolt3/drk (very incomplete, nowhere near usable; will keep developing this)

emergent shutdown discussion

emergency shutdown implementation

calamares - unmount issues

  • Calamares is not unmounting an encrypted filesystem after installation is complete, thus making livecheck warn about an "unsafe" live state.
  • Investigate, determine if this is already fixed in Trixie or in newer versions of Calamares, or if a bugfix needs to be made.

permission-hardener - live bug

  • got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome
security-misc (3:44.4-1)  ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NAME: 'postinst' $*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo'
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
  • random guess: Could there be issues with non-latin language settings?
  • Why is it /usr/lib/live/mount/rootfs/filesystem?
  • Could it be that the user booted into live mode?
  • Maybe a case of low RAM where no further writes to RAM were possible?
  • Booting into live mode and using APT should be supported as much as feasible.
  • In case of insufficient information, could you please add debug code to provide more information in the future?
  • Unsure if further information can be requested from the reporter, but I could try.
  • Useful to add:
test -w "${file_name_from_stat}"
  • permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
  • Aaron: Cannot reproduce on ISO or in LIVE mode USER.
    • The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
      • All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
      • We already offer a live Kicksecure ISO.
      • None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
      • And of course, permission-hardener doesn't expect anything under /usr to be read-only.
    • Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
  • Patrick: Done. Documented.
  • Could you please add better error handling in this case?
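One way to give the clearer error message asked for above, as an added example written for this page (not permission-hardener code): before calling dpkg-statoverride, resolve which mount holds the target file by longest-prefix match against a /proc/mounts-style table and refuse with an explanation when that mount is read-only, which is exactly the situation in a live Debian session, where the paths under /usr/lib/live/mount are a read-only squashfs or ISO. The mount table below is constructed for the example; on a real system the function would read /proc/mounts.

```shell
#!/bin/sh
# Added example, not permission-hardener's own code.

# mount_state_for_path PATH MOUNTS_FILE: print "<mountpoint> ro|rw" for the
# mount that contains PATH (longest matching mount point in a
# /proc/mounts-formatted file, fields: device mountpoint fstype options ...).
# Returns 1 if no mount point matches.
mount_state_for_path() {
  awk -v target="$1" '
    {
      mnt = $2; opts = $4
      if (mnt == "/" || target == mnt || index(target, mnt "/") == 1) {
        if (length(mnt) > length(best)) { best = mnt; bestopts = opts }
      }
    }
    END {
      if (best == "") exit 1
      state = "rw"
      n = split(bestopts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "ro") state = "ro"
      print best, state
    }' "$2"
}

# check_statoverride_target FILE MOUNTS_FILE: 0 if FILE lives on a writable
# mount; 1 with an explanatory error if the mount is read-only; 2 if the
# file cannot be mapped to any mount.
check_statoverride_target() {
  info=$(mount_state_for_path "$1" "$2") || {
    printf 'ERROR: cannot determine the mount holding %s\n' "$1" >&2
    return 2
  }
  mnt=${info% *}
  state=${info##* }
  if [ "$state" = ro ]; then
    printf 'ERROR: %s is on the read-only mount %s. ' "$1" "$mnt" >&2
    printf 'dpkg-statoverride cannot change permissions here (live session?).\n' >&2
    return 1
  fi
  return 0
}

# sample_mounts: constructed /proc/mounts excerpt resembling a Debian Live
# session; writes it to a temp file and prints the path.
sample_mounts() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
overlay / overlay rw,relatime,lowerdir=/run/live/rootfs/filesystem,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0
/dev/sr0 /usr/lib/live/mount/medium iso9660 ro,noatime 0 0
/dev/loop0 /usr/lib/live/mount/rootfs/filesystem squashfs ro,noatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
  printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
  m=$(sample_mounts)
  check_statoverride_target /usr/bin/sudo "$m" && echo "ok: /usr/bin/sudo is writable"
  check_statoverride_target /usr/lib/live/mount/medium/usr/bin/pkexec "$m" || echo "refused as expected"
  rm -f "$m"
fi
```

The mount-option check complements the `test -w` suggestion above: `test -w` answers for the calling user, so as root it reports writable for a read-only bind or squashfs mount, while the `ro` option on the containing mount is the condition that actually makes dpkg-statoverride fail.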

audio

audio generally

VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug?

live-build - test lb config --dm-verity

  • Does the ISO still function if built with lb config --dm-verity?
  • Does it break apt-get install pkg-name? It might not break it due to overlayfs.
  • Lacks live-build support when used with dracut:
    • lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
    • The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
    • dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
    • No kernel command line options are added to the ISO for verity setup

package refactoring - kicksecure-meta-packages vs qubes-whonix - #2

sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli
  kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl
  libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl
  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
  libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl
  libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl
  libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn
  python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography
  python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink
  python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib
  python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy
  python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack
  python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
  • Workstation:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0
  libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings

Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server

Kicksecure Firewall

https://forums.kicksecure.com/t/kicksecure-firewall/378/10

Meta Packages, Kicksecure, Whonix - Desktop versus Server

https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415

wipe video RAM

# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
  • if doable with reasonable effort

Tor 0.4.8.9 broken in combination with vanguards

VirtualBox serial console

KVM related

KVM - 3D Graphics Acceleration - SPICE - Testing - drm

KVM - 3D Graphics Acceleration - Performance Test - Display SDL

KVM - 3D Graphics Acceleration - Performance Test - Display GDK

KVM - verify AppArmor sVirt confinement operation

KVM - use rootless

KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections

machine-id research

  • in preparation for the next task
  • please read prior discussions
  • https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
  • https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
  • https://forums.whonix.org/t/anonymize-etc-machine-id/7721
  • https://gitlab.tails.boum.org/tails/tails/-/issues/7100
  • nowadays implemented in dist-base-files
    • ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
    • ./packages/kicksecure/dist-base-files/etc/machine-id
  • but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
  • The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
  • Calamares is designed to write the machine-id files at installation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
    • Patrick: Please implement.
    • Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way, Whonix VMs still need these.

Polkit - run only in sysmaint mode

  • Polkit
  • todo: discuss
  • find solutions on how to have functional shutdown/restart/etc. buttons

per-app UID sandboxing

  • todo: discuss
  • related to the following tasks

stackable wrappers

check out bubblejail

sandbox-app-launcher

  • sandbox-app-launcher
  • review
  • promising? worth bringing back to life, polishing?
  • at odds with apparmor.d?
  • better using bubblejail?

automated test suite - cli version

  • todo: discuss

apparmor.d review

improved server support

  • documentation
    • rebrand wiki CLI for server
  • Linux account passwords?
  • cloudinit?
  • vm-config-dist versus autologin CLI vs GUI vs server

hidepid

research shred

  • research if shred is still useful nowadays
  • if not, should be replaced by safe-rm

WAITING ON

grml-debootstrap bootloader installation failure in Docker

  • https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
  • please use discretion on how worthwhile it is to spend time on this. as in, if you think it's doable without huge effort and you like docker, please implement. Otherwise, please only provide instructions for reproduction and leave it to upstream or tableseeker to fix.
    • Aaron: Ran into complications trying to fix this myself, handed off to tabletseeker for further investigation.

sysmaint panel items

Enterprise Laptop style WiFi Switch causes Permanent freeze

kicksecure Qubes Template - sdwdate qrexec Denied message

RPi GRUB - contribute to Debian

add support for GRUB as bootloader for RPi
I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]

Booting in this way has several substantial advantages over the current Raspberry Pi boot process:

* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.

Is this a feature for which you would welcome a merge request here, either as an option or even as the default?

Obviously, at this point, RPi GRUB support could only be added to Forky and later.

(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)

* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335

RPi grml-debootstrap

qubes boot modes - in-vm kernel support

grml-debootstrap - EFI partition size

GRUB - Debian packages grub-pc and grub-efi co-install-ability

trixie port - misc

trixie port - dracut - hostonly yes versus no

  • after Dracut fixes... should Kicksecure images (in trixie) use a different hostonly mode?
  • Yes, we should switch to hostonly sloppy mode, which is now being substantially improved to be a lot more generic upstream.

trixie port - GRUB_DEVICE vs dracut vs initramfs-tools

  • The following is required for initramfs-tools only:
GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
unset GRUB_DEVICE_UUID
  • grep the source code for this and move it below the following condition because it is not required by dracut:
if pkg_installed initramfs-tools ; then?

trixie port - deprecate initramfs-tools support - consider making dracut a dependency

  • todo
  • hard depend on dracut?
  • if so, must also hard depend on systemd-cryptsetup
  • do this during release-upgrade
  • related: dracut

trixie port - port to Wayland

trixie port - update derivative signing key derivative.asc

  • plan how to use a new signing key

trixie port - meta packages

calamares - make 3.3.12 available in Bookworm

  • necessary to fix bugs related to the disk encryption user interface
  • Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
    • Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
    • 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after that I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
    • 3.3.12 was uploaded but was slightly wonky, wasn't migrating, maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem, should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
  • Backport 3.3.12 after it is available in Trixie
    • Backport submitted to Debian Mentors, review requested from maintainer.

ISO - GRUB - silence cosmetic errors in live ISO GRUB

  • Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
  • Investigate how to fix this, potentially make an upstream feature request or patch if needed
  • Errors include loadfont issues, Secure Boot loading issues
  • Sent email to grub-devel mailing list to investigate this

ISO - memtest86+

error: bad shim signature

test SysRq keys under LXQt Wayland

ISO - changed files issues

(annotated)

+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
  • All of these are modified by live-build itself:
    • /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
    • /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
    • /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
    • /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
    • /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
      • Proposal for fixing this made.
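The Calamares shellprocess step proposed under "machine-id research" (detect Whonix and overwrite both machine-id files in the installed system with one static ID) and the two machine-id entries in the list above can be served by the same script; the one below is an added example written for this page, not Calamares, Kicksecure or Whonix code. It validates the format systemd expects (32 lowercase hexadecimal characters), writes /etc/machine-id and /var/lib/dbus/machine-id under a target root passed as the first argument (the shellprocess module can hand the installed system's root to the command), and skips non-Whonix targets. The marker file used to detect Whonix and the ID value are assumptions and placeholders, not the project's real values.

```shell
#!/bin/sh
# Added example; not Calamares, Kicksecure or Whonix code.
# Usage: static-machine-id.sh TARGET_ROOT [MACHINE_ID]

# Placeholder only: the real static ID is project-defined and not on the page.
PLACEHOLDER_MACHINE_ID='0123456789abcdef0123456789abcdef'
# Assumed marker whose presence under the target root means "Whonix is in use".
WHONIX_MARKER=${WHONIX_MARKER:-usr/share/whonix/marker}

# valid_machine_id ID: 0 if ID is 32 lowercase hex characters, the format
# systemd requires in /etc/machine-id.
valid_machine_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# whonix_in_use ROOT: 0 when the marker file exists under ROOT.
whonix_in_use() {
  [ -f "$1/$WHONIX_MARKER" ]
}

# write_static_machine_id ROOT ID: write ID (plus newline) to both
# ROOT/etc/machine-id and ROOT/var/lib/dbus/machine-id with mode 0444,
# replacing whatever the live-build hooks removed or systemd generated.
# Returns 1 on an invalid ID without touching the target.
write_static_machine_id() {
  root=$1; id=$2
  valid_machine_id "$id" || { echo "invalid machine-id: $id" >&2; return 1; }
  mkdir -p "$root/etc" "$root/var/lib/dbus"
  for f in "$root/etc/machine-id" "$root/var/lib/dbus/machine-id"; do
    rm -f "$f"                 # existing file is 0444; recreate rather than edit
    printf '%s\n' "$id" > "$f"
    chmod 0444 "$f"
  done
}

# read_machine_id ROOT: print the ID stored in ROOT/etc/machine-id.
read_machine_id() {
  cat "$1/etc/machine-id"
}

# apply_if_whonix ROOT ID: the decision step for the installer hook.
# 0 = written, 3 = skipped because the target is not Whonix, 1 = bad ID.
apply_if_whonix() {
  whonix_in_use "$1" || return 3
  write_static_machine_id "$1" "$2"
}

if [ -n "${1:-}" ]; then
  apply_if_whonix "$1" "${2:-$PLACEHOLDER_MACHINE_ID}"
fi
```

Both files are written as regular files with identical content, matching what dist-base-files ships today; if the dbus file is a symlink to /etc/machine-id on the target, the `rm -f` replaces the link with a file, which is harmless but worth knowing when diffing the installed system.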

ISO - Finish Module Action Follow-Up

lightdm ssdm

live-build - add mmdebstrap support

live-build - use APT with error-on-any

  • use option apt --error-on=any for all invocations of apt-get (update)
  • only needed for apt-get update, otherwise superfluous but non-issue
  • this is a security feature
  • this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
  • can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
  • Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
  • Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
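To make the failure mode concrete, here is an added example (not live-build code and not the submitted patch) of a strict update step: with apt's --error-on=any a failed index fetch turns into a non-zero exit code instead of a warning, so a build cannot continue with the normal archive updated but the security archive stale. The second function parses captured apt-get update output for "Err:" lines, as a fallback check for apt versions that lack --error-on; the output lines are constructed and the archive hostnames are placeholders.

```shell
#!/bin/sh
# Added example; not live-build's code.

# apt_update_strict: run apt-get update so that any failed index fetch (for
# example the security archive while the main archive succeeded) fails the
# whole step instead of being reported as a warning and ignored.
apt_update_strict() {
  apt-get update --error-on=any
}

# apt_update_failed_sources: read captured 'apt-get update' output on stdin
# and print the URL from every "Err:<n> <url> ..." line. Returns 0 if at least
# one failure was found (the image would be inconsistent), 1 if none.
apt_update_failed_sources() {
  found=$(awk '/^Err:[0-9]+ / { print $2 }')
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# sample_apt_update_output: constructed output where the normal archive was
# reachable but the security archive was not (placeholder hostnames).
sample_apt_update_output() {
  cat <<'EOF'
Hit:1 https://deb.example.invalid/debian bookworm InRelease
Err:2 https://security.example.invalid/debian-security bookworm-security InRelease
  Could not connect to security.example.invalid:443 (192.0.2.10), connection timed out
Reading package lists...
W: Failed to fetch https://security.example.invalid/debian-security/dists/bookworm-security/InRelease  Could not connect to security.example.invalid:443 (192.0.2.10), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

# Demo: the fallback parser flags the stale security archive.
if [ "${1:-}" = "--demo" ]; then
  if failed=$(sample_apt_update_output | apt_update_failed_sources); then
    echo "refusing to build, index fetch failed for:"
    printf '  %s\n' "$failed"
    exit 1
  fi
fi
```

Without the flag, apt exits 0 in the constructed scenario and prints only the two "W:" lines, which is why a build driven by exit codes alone produces an image whose package lists come from different moments in time.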

security-misc - investigate PAM

  • there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
  • pam has concepts of common-session-noninteractive vs common-session (non-interactive)
  • how could we on the PAM level notice if faillock is used interactively or non-interactively?
  • if non-interactive, skip faillock
  • if interactive, do not skip faillock
  • Bug reports:
  • Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.

live-build - grub.cfg GRUB configuration - loopback.cfg

  • add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as a Debian Live ISO)
  • Requires fixes in live-build and Dracut to make work:
    • live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
    • dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
      • Task is on hold until we migrate to Trixie.
    • (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)

live-build - lb-binary should not run apt-get update

REVIEW PLEASE

root account lockdown

vm-config-dist - add sysmaint support and refactoring

  • refactoring: outsource systemd unit entry ExecStart=/bin/bash -c ... into standalone script
  • sysmaint support: /usr/sbin/adduser sysmaint vboxsf
  • harden permissions: mkdir --mode 777 --parents /mnt/shared might be non-ideal
  • Implemented: https://github.com/ArrayBolt3/vm-config-dist/tree/arraybolt3/enhance
    • For permission hardening, the ownership of the directory is set to root:vboxsf (or the KVM equivalent root:kvmsf, which I "made up" for the script), and the permissions are set to 770, allowing any user in the kvmsf or vboxsf group to read and write files in the shared folder.
    • VirtualBox automatic directory mounting was placing the directory at /media/sf_shared and not permitting permission changes, thus VBox shared folders are manually mounted with appropriate settings. We should probably change https://www.kicksecure.com/wiki/VirtualBox/Guest_Additions#Kicksecure to match with this. (chown and chmod are no-ops on vboxsf filesystems, likely due to the fact that VirtualBox can't guarantee the host will even understand UNIX file permissions since VirtualBox also works on Windows and macOS.)
    • QEMU passes through file permissions much better than VirtualBox when using 9pfs, but as a result the permissions of the shared folder will carry over directly into the guest and there is no overriding them.
    • We don't have any documentation at all on QEMU/KVM shared folders yet, to my awareness. Should we write some?

clock-random-manual-cli - set hwclock

sdwdate - set hwclock

review and improve docker and git integration code

  • https://forums.whonix.org/t/docker-container-that-builds-whonix-images/17494/136
  • please start reading from here: https://forums.whonix.org/t/docker-container-that-builds-whonix-images/17494/117
  • holistic review (security, usability for developers)
  • [1] ./build-steps.d/1200_prepare-build-machine
    • Aaron: Didn't appear to need changes to me. There might be some reorganization we could do around when packages are installed when working with Docker but that's it.
  • [2] ./help-steps/git-gpg-verify
    • Aaron: Obsoleted by derivative-update, removed.
  • [3] ./help-steps/git_sanity_test
    • Aaron: Doesn't look like it needs any changes.
  • [4] developer-meta-files /usr/bin/dm-git-tag-checkout-latest
    • Aaron: Obsoleted by derivative-update option --tag latest. Can be removed once derivative-update is known to be robust.
  • Post-review changes: https://github.com/grml/grml-debootstrap/issues/348#issuecomment-3017083278
    • Leaving room for tabletseeker to implement the derivative-update script if they want to, otherwise we can add that to the task list for me to work on.
    • Patrick: please implement derivative-update script and re-design/re-factor above scripts [1] [2] [3] [4]
  • https://github.com/derivative-maker/derivative-maker/pull/26
    • Patrick: please take over
  • Aaron: Current implementation: https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/docker
    • All update code has been removed from derivative-maker-docker for reasons explained below.
    • derivative-update is intended to act as a general-purpose checkout, fetch, and merge tool for derivative-maker. It attempts to verify refs and tags BEFORE checking them out if at all possible, and reverts back to known-good refs and tags if that isn't possible. It also verifies the active commit before checking out another ref, allowing it to act as a trust-on-first-use mechanism for users who aren't technically skilled enough to verify the repo themselves. This provides some level of security even if it isn't perfect.
    • derivative-maker-docker can't safely do updates within the Docker container because it may break (or at least complicate) this TOFU mechanism to some degree. The user would end up with a container-specific keyring and their own GPG keyring, which could result in inconsistencies between what the user thinks they trust and what they actually trust.
    • Code should be considered beta-status. It looks right to me, but it has not been heavily tested, and it needs careful peer review to ensure it never leaves the repository in a state where code in the working tree is malicious in the event of a repo compromise.
  • Patrick: added TODO items to the script
  • Aaron: Implemented remaining TODOs in derivative-update: https://github.com/ArrayBolt3/derivative-maker/commit/6e7bcd108e8a0b397b5be0f4f7ee67a91654a821
  • Patrick: Please re-review, fix.
  • Aaron: Re-reviewed, fixed some bugs and a possible (minor) security issue related to ambiguous references.

mouse fingerprinting

review and test IPv6 support pull requests

ARCHIVED

Set Mousepad to Launch in New Windows instead of Tabs by Default

sysmaint - fix screen lock

timesync support reply - timesync documentation - hwclock integration

  • https://forums.kicksecure.com/t/inrelease-is-not-valid-yet-invalid-for-another-4h-25min-51s/1113
  • check if https://forums.whonix.org/t/disable-hwclock-save-service/19067 is applicable
  • consider sdwdate running hwclock --systohc
  • consider clock-random-manual-cli running hwclock --systohc
    • Aaron: Setting the hardware clock ourselves sounds reasonable to me. An accurate clock is generally not sensitive data (though the accuracy of the clock is important). We should provide and document a mechanism for disabling time synchronization.
      • One threat model I can see where time synchronization is dangerous is where the user has to work around an adversary that may physically seize the machine and evaluate the hardware clock to determine if the system was powered on and used recently. In this instance, though, the hardware would have to have a non-functional hardware clock that stopped when power was not applied but did not lose the last known time, so this would be a very niche threat model.
      • I have not yet implemented this, but believe it would be good to implement.
  • improve https://www.kicksecure.com/wiki/Network_Time_Synchronization
    • Aaron: Updated with hardware clock information and NTP time synchronization information. ntpdate is used rather than ntpd to prevent conflicting with sdwdate, and the user is instructed on how to avoid man-in-the-middle attacks when using NTP.

fix Qubes versus /etc/hosts during Qubes-Whonix build process

dist-base-files.postinst import error

erst_disable pull request review

IPv6 comments

livecheck - clean up old genmon widget

combined stecho plus strip-html

msgcollector output_func - refactor and add chunking

  • todo
  • Implemented: https://github.com/ArrayBolt3/msgcollector/tree/arraybolt3/chunking
  • Patrick: Merged.
  • running output_func without arguments error: usr/libexec/msgcollector/msgdispatcher_run_check: line 116: output_args: bad array subscript
    • Aaron: Reproduced, but `output_func` should never be called without at least two arguments. Added check to ensure at least two arguments are passed.
  • running output_func " " error: Cannot break massive argument into chunks!
    • Aaron: Cannot reproduce, attempting the same thing on my end gives these results:
sysmaint@localhost:~$ source /usr/libexec/msgcollector/msgdispatcher_run_check 
sysmaint@localhost:~$ msgdispatcher_init
sysmaint@localhost:~$ output_func " "
msgcollector unknown option:
  • worth fixing these two?
  • should we add a loop protection (maximum run of the loop) to guard against infinite loops?
    • Aaron: The loop shouldn't be able to run infinitely, but guarding against infinite loops when doing complex processing like this is good practice, so yes, we should.
  • Aaron: Polished implementation: https://github.com/ArrayBolt3/msgcollector/tree/arraybolt3/chunking
  • Patrick: Merged.
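The chunking and guard points discussed above, as an added example that is not msgcollector's own code: a minimal chunker that refuses to run with fewer than two arguments (the situation behind the "bad array subscript" error) and bounds its loop as agreed. The names chunk_message, count_chunks, MAX_CHUNK_LEN and MAX_CHUNK_ITERATIONS are assumptions; the chunk size is deliberately tiny so the output stays readable.

```bash
#!/bin/bash
# Added example, not msgcollector's own code. Demonstrates the two guards discussed
# above for a chunking routine: refuse to run with fewer than two arguments, and
# bound the loop so malformed input cannot spin forever.
# chunk_message, count_chunks, MAX_CHUNK_LEN and MAX_CHUNK_ITERATIONS are assumptions.

MAX_CHUNK_LEN=8            # chunk size in characters (tiny, for readable output)
MAX_CHUNK_ITERATIONS=1000  # upper bound on loop runs: at most 1000*8 characters

# chunk_message TYPE MESSAGE
#   Prints one "TYPE<TAB>chunk" line per chunk.
#   Returns 1 on fewer than two arguments (the "bad array subscript" case),
#   2 if the loop guard trips, 0 otherwise.
chunk_message() {
  if [ "$#" -lt 2 ]; then
    printf 'chunk_message: expected at least 2 arguments, got %d\n' "$#" >&2
    return 1
  fi
  local msg_type="$1" rest="$2" iterations=0 chunk
  while [ -n "${rest}" ]; do
    iterations=$((iterations + 1))
    if [ "${iterations}" -gt "${MAX_CHUNK_ITERATIONS}" ]; then
      printf 'chunk_message: loop guard tripped after %d iterations\n' "${iterations}" >&2
      return 2
    fi
    # Substring expansion handles embedded newlines, unlike a cut/sed pipeline
    chunk="${rest:0:${MAX_CHUNK_LEN}}"
    rest="${rest:${MAX_CHUNK_LEN}}"
    printf '%s\t%s\n' "${msg_type}" "${chunk}"
  done
  return 0
}

# count_chunks MESSAGE - number of chunks chunk_message emits for MESSAGE
count_chunks() {
  chunk_message info "$1" | wc -l | tr -d ' '
}
```

The distinct return codes matter for the caller: 1 is a programming error in the calling script, while 2 means the input itself defeated the chunker, and msgdispatcher can report the two differently. A single-space message, the second case reported above, produces exactly one chunk containing that space.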

bluetooth configuration pull request review

ARP request documentation

chat messenger research

separation of system packages from user packages

  • create or update a wiki page discussing this topic
  • post a Kicksecure feature request to implement this
  • implementation will come much later. After verified boot. This is only to have a ticket to point to and to describe the very long term roadmap.
  • Quick notes:
    • System packages = packages installed directly on the system. User packages = packages installed in a sandbox of some sort. "System" and "user" packages are not used to describe packages, but to describe how packages are installed and where they are located.
    • Android provides a separation between the OS and apps, we're hoping to do something similar to this, but that allows arbitrary Debian packages to be used.
    • Containerization mechanisms do not generally provide strong security guarantees. Docker, for instance, has numerous techniques one can use for escaping a container.
    • Chrome OS implements something similar to what we're looking for with their Crostini technology, by simply using a virtual machine with enough guest-to-host integration to make applications in the VM behave somewhat like native applications. Android support is implemented in a similar fashion.
    • https://github.com/cloud-hypervisor/cloud-hypervisor could be used as a base for a virtualization-based sandbox.
  • Threw together some initial concepts and a feature request:

strip html improvements

polkit - investigate impact of disabling

  • See how many issues are caused by disabling polkit entirely in user sessions (not sysmaint sessions!)
    • Reboot and poweroff from the GUI is no longer possible, as systemd treats rebooting as a privileged operation.
    • Removable media can no longer be mounted, as udisksd treats removable media mounting as a privileged operation.
    • Graphical user creation tools (i.e. users-admin, from gnome-system-tools) no longer function properly, probably because accountsservice is treating user creation as a privileged operation.
    • Flatpaks can no longer be installed user-local, the installation errors out:
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
Warning: Failed to get revokefs-fuse socket from system-helper: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
error: Failed to install org.gnome.Platform: Failed to activate service 'org.freedesktop.Flatpak.SystemHelper': timed out (service_start_timeout=25000ms)
    • Network configuration via nmtui or similar (probably includes the network widget in the panel) will probably no longer be configurable, since networkmanager appears to treat network reconfiguration as a privileged operation.
    • System usually takes longer to boot, probably because of things trying and failing to start polkit.
  • Document how to disable polkit as an opt-in hardening option, possibly useful for browser-only VMs or other situations where a user is not expected to take any privileged operations outside the scope of privleap
    • Using systemd ConditionKernelCommandLine or similar parameter for making polkit refuse to start.
  • Patrick: documented here Polkit
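One way to wire up the opt-in described above, as an added example that is neither Kicksecure's packaging code nor necessarily what the Polkit page documents: a systemd drop-in for polkit.service that uses ConditionKernelCommandLine so the unit refuses to start when a kernel parameter is present, plus a helper that evaluates the same condition for a given command line. The parameter name polkit=off, the drop-in file name and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not Kicksecure's own packaging code or the exact mechanism on the
# Polkit wiki page. It shows the ConditionKernelCommandLine approach mentioned above:
# a drop-in for polkit.service that makes the unit refuse to start when an opt-in
# kernel parameter is present. The parameter name "polkit=off", the drop-in file name
# and the function names are assumptions.

POLKIT_OPT_OUT_PARAM="polkit=off"

# write_polkit_dropin DIR
#   Writes the drop-in into DIR (the real location is /etc/systemd/system/polkit.service.d)
#   and prints its path. Because the condition is negated with '!', polkit starts normally
#   unless the parameter is set, so the hardening stays opt-in per boot entry.
write_polkit_dropin() {
  local dir="$1"
  mkdir -p -- "${dir}"
  cat > "${dir}/30_polkit_opt_out.conf" <<EOF
[Unit]
## Opt-in hardening: do not start polkit when the kernel command line
## contains "${POLKIT_OPT_OUT_PARAM}". Removing the parameter restores polkit.
ConditionKernelCommandLine=!${POLKIT_OPT_OUT_PARAM}
EOF
  printf '%s\n' "${dir}/30_polkit_opt_out.conf"
}

# polkit_would_start CMDLINE
#   Mirrors how systemd evaluates the condition, so a boot entry can be checked before
#   rebooting: a "key=value" argument must match a whole word, so "polkit=offline" does
#   not count. Returns 0 if polkit would start, 1 if the drop-in would stop it.
polkit_would_start() {
  local word
  for word in $1; do            # unquoted on purpose: split the command line into words
    if [ "${word}" = "${POLKIT_OPT_OUT_PARAM}" ]; then
      return 1
    fi
  done
  return 0
}

# polkit_would_start_live - evaluate the running system's kernel command line
polkit_would_start_live() {
  polkit_would_start "$(cat /proc/cmdline)"
}
```

After writing the drop-in into /etc/systemd/system/polkit.service.d, run systemctl daemon-reload; on the next boot with the parameter set, systemctl show -p ConditionResult polkit.service reports no, and the effects listed above (no GUI reboot, no udisks mounts, no user-local Flatpak installs) are to be expected in that session.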

systemcheck improvements

  • check if root account is locked and warn if it is not
  • user-sysmaint-test check: skip on Whonix-Gateway or point out that it is not yet applicable
  • check secure boot status (see dist-installer-cli for example source code)
  • check if tirdad kernel module is loaded and warn if it is not
  • detect Debian EOL using local files, if available
  • detect Qubes EOL using local files
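Three of the checks listed above, as an added example that is not systemcheck's code: root-account lock state from /etc/shadow, tirdad module presence from /proc/modules, and Secure Boot state from the EFI variable. Each parser takes its input as an argument so it can be run against constructed data, and systemcheck_report applies them to the live system. Function names are assumptions.

```bash
#!/bin/bash
# Added example, not systemcheck's own code. Three of the checks listed above, written so
# the parsing takes its input as an argument and can be exercised offline; the report
# function feeds in the real system's files. All function names are assumptions.

# account_is_locked NAME SHADOW_TEXT
#   0 if NAME's password field (2nd field of its /etc/shadow line) starts with '!' or '*',
#   i.e. password login is disabled; 1 if a usable hash (or an empty field) is present;
#   2 if NAME has no entry.
account_is_locked() {
  local name="$1" shadow="$2" line field
  line=$(printf '%s\n' "${shadow}" | grep -- "^${name}:") || return 2
  field=$(printf '%s\n' "${line}" | cut -d: -f2)
  case "${field}" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# module_is_loaded NAME MODULES_TEXT - 0 if NAME is listed in /proc/modules-format text
module_is_loaded() {
  printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# secure_boot_state EFIVAR_FILE - prints enabled, disabled or unsupported
#   An efivarfs file carries a 4-byte attribute header followed by the variable data;
#   for SecureBoot the data is a single byte, 1 when Secure Boot is enforced.
secure_boot_state() {
  local file="$1" byte
  if [ ! -r "${file}" ]; then
    printf 'unsupported\n'; return 0
  fi
  byte=$(od -An -t u1 -j 4 -N 1 "${file}" | tr -d ' ')
  if [ "${byte}" = "1" ]; then printf 'enabled\n'; else printf 'disabled\n'; fi
}

SECUREBOOT_EFIVAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# systemcheck_report - run the three checks on the live system; returns 1 if any warned
systemcheck_report() {
  local rc=0
  if account_is_locked root "$(cat /etc/shadow 2>/dev/null)"; then
    printf 'OK: root account is locked\n'
  else
    printf 'WARNING: root account is not locked (or /etc/shadow unreadable, run as root)\n'; rc=1
  fi
  if module_is_loaded tirdad "$(cat /proc/modules)"; then
    printf 'OK: tirdad kernel module is loaded\n'
  else
    printf 'WARNING: tirdad kernel module is not loaded\n'; rc=1
  fi
  printf 'INFO: Secure Boot: %s\n' "$(secure_boot_state "${SECUREBOOT_EFIVAR}")"
  return "${rc}"
}
```

The root check reads /etc/shadow, so it only gives a real answer when systemcheck runs with root rights (a sysmaint session); in a user session the unreadable file is reported as a warning rather than silently passing.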

polkit - review default configuration security

  • Look for possible flaws in all polkit configuration files installed by default
  • Research done, results shared with Patrick.

3mdeb verified boot discussion

browser choice - design

  • wiki text only
  • please review, improve Dev/browser-choice
  • Fleshed out both internal and user-facing design quite a bit more, including creating UI mockups.
  • please review wiki history (Patrick made changes)
  • change to "always cards design" for installation method
  • show installation command (even if hidden behind expand box) before execution (for transparency and so that advanced users can stay in the loop what is actually happening, less "magic")
    • Aaron: Reviewed and added requested changes.
  • boilerplate: https://github.com/Kicksecure/browser-choice
  • Patrick:
    • open-link-confirmation might need a better error message if no browser is installed yet
    • Please point out that "Open Source browser only" and link to criteria. If too much text, perhaps a link to the criteria only.
    • Please re-review changes.
    • Maybe the tool could indicate somewhere how the browser is currently installed? Like either "Firefox is not installed" or "Firefox is installed as Firefox Stable from Flathub"
  • Aaron:
    • Re-reviewed changes, made adjustments as appropriate and added requested adjustments from this task.
    • open-link-confirmation can be dealt with once we start actually implementing code, however the code implementation task should have a note about it once we get to that point
  • Patrick:
    • How to handle user-sysmaint-split?
      • Are we going towards rootless appstore? No.
    • How to handle Qubes Template implementation?
      • If run inside Template based App Qube: point out that browser choice will be functional but browser will not persist due to Qubes default Template implementation.
      • If run inside Qubes Template: point out being run inside Qubes Template. Prepend required http_proxy variable as documented in Install from Flatpak?
      • If run inside Qubes Standalone: point out being run inside Qubes Standalone.
  • Aaron:
    • Suggestions look good to me. Added additional design documentation to take these edge cases into account.

bash seatbelt

livecheck python improvements

dracut - upstream generic initrd default

fasttrack build error

Ign:5 http://HTTPS///fasttrack.debian.net/debian-fasttrack bookworm-backports-staging InRelease
Err:4 http://HTTPS///fasttrack.debian.net/debian-fasttrack bookworm-fasttrack InRelease
  503  SSL error: certificate verify failed [IP: 127.0.0.1 3142]
Err:5 http://HTTPS///fasttrack.debian.net/debian-fasttrack bookworm-backports-staging InRelease
  503  SSL error: certificate verify failed [IP: 127.0.0.1 3142]
Fetched 19.9 MB in 32s (625 kB/s)
Reading package lists...
E: Failed to fetch http://HTTPS///fasttrack.debian.net/debian-fasttrack/dists/bookworm-fasttrack/InRelease  503  SSL error: certificate verify failed [IP: 127.0.0.1 3142]
E: Failed to fetch http://HTTPS///fasttrack.debian.net/debian-fasttrack/dists/bookworm-backports-staging/InRelease  503  SSL error: certificate verify failed [IP: 127.0.0.1 3142]
E: Some index files failed to download. They have been ignored, or old ones used instead.
++ exception_handler_general ERR

systemcheck crash when reading livecheck-lsblk file

user-sysmaint-split - sysmaint user versus R4.3 issue

privleap - add group

live-hardener improvements - minor code improvements

get_writable_fs_lists - minor code improvements

  • helper-scripts /usr/libexec/helper-scripts/get_writable_fs_lists.sh
  • if [[ "${src_device}" =~ ^/dev/ ]]
    • try to close the if block early (return early) if this is false, to reduce indentation?
[ "$(printf '%s' "${src_device}" | sed 's/[^\/]//g' | wc -c)" = 2 ]
  • Make it multi step?
  • Consider if /sys/class/block/${src_device}/removable is non-existing.
src_device="${BASH_REMATCH[1]}"
  • Might crash with set -o nounset if there is no match?
  • Implemented improvements in unit tests commit.
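The review points above, applied in one added example that is not the helper-scripts code: return early on paths outside /dev, count slashes without a sed/wc pipeline, treat a missing /sys/class/block/NAME/removable entry as its own result rather than an error, and replace the BASH_REMATCH lookup (which trips set -o nounset when the regex did not match) with parameter expansion. SYSFS_BLOCK can be pointed at a constructed tree for testing; the function name and the result words are assumptions.

```bash
#!/bin/bash
# Added example, not the get_writable_fs_lists.sh code. It applies the review points
# above in one small function: return early instead of nesting, count slashes without a
# sed/wc pipeline, tolerate a missing /sys/class/block/NAME/removable entry, and avoid
# BASH_REMATCH (which can trip "set -o nounset" when the regex did not match) by using
# parameter expansion instead. SYSFS_BLOCK is overridable so the function can be run
# against a constructed sysfs tree; the function name and result words are assumptions.
set -o nounset
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/class/block}"

# classify_src_device DEVICE
#   Prints one of: not-a-device (not under /dev), nested-device (more than two slashes,
#   e.g. /dev/mapper/x, which has no sysfs entry under that name), unknown-removable
#   (sysfs "removable" file missing), removable, non-removable.
classify_src_device() {
  local src_device="$1" without_slashes slashes name sysfs_flag

  # Early return: anything not under /dev is not a block device we can classify
  case "${src_device}" in
    /dev/*) ;;
    *) printf 'not-a-device\n'; return 0 ;;
  esac

  # Count '/' characters by deleting them and comparing lengths (no subshell, no pipeline)
  without_slashes="${src_device//\//}"
  slashes=$(( ${#src_device} - ${#without_slashes} ))
  if [ "${slashes}" -ne 2 ]; then
    printf 'nested-device\n'; return 0
  fi

  # Equivalent of [[ "${src_device}" =~ ^/dev/(.*) ]] with name="${BASH_REMATCH[1]}",
  # but a plain expansion always yields a value, so nounset cannot fire here
  name="${src_device#/dev/}"

  sysfs_flag="${SYSFS_BLOCK}/${name}/removable"
  if [ ! -r "${sysfs_flag}" ]; then
    printf 'unknown-removable\n'; return 0
  fi
  if [ "$(cat "${sysfs_flag}")" = "1" ]; then
    printf 'removable\n'
  else
    printf 'non-removable\n'
  fi
}
```

Reporting unknown-removable as a distinct result lets the caller decide whether an unclassifiable device should count as persistent (the safe default for a live-mode indicator) instead of the script aborting on a missing sysfs file.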

live-mode.sh - add unit tests

livecheck - read-only mode

live-hardener and livecheck - error handling

  • please review, improve
  • use
source /usr/libexec/helper-scripts/wc-test.sh

kicksecure Qubes Template - app menu

user-sysmaint-split - investigate polkitd and policykit libraries

Argon2 pbkdf setup and hardening in Kicksecure

helper-scripts stcatn CI failing

live-hardener and livecheck - document

  • on grub-live
  • de-mystify
  • similar to existing documentation for bash genmon based livecheck
  • Documented, changes were somewhat invasive and should be reviewed carefully in case I removed content that should have stayed.

live-hardener improvements - AI based comments

  • AI based review - please disregard without comment if nonsensical
  • array and unquoted variables
for kernel_param in ${kernel_cmdline[@]}
read -ra kernel_params <<< "${kernel_cmdline}"
for kernel_param in "${kernel_params[@]}"; do
  ...
done
lowerdir, upperdir, workdir must be part of a single -o option with commas.
mount -t overlay overlay \
  -o "lowerdir=${target_overlay_mount},upperdir=${tmpfs_upper_dir},workdir=${tmpfs_work_dir}" \
  "${target_overlay_mount}"
  • Aaron: The AI is incorrect. Using separate -o arguments works in practice.
  • use mountpoint?
    • Aaron: I don't really see the point of doing so, the directories being treated as mountpoints are read from /proc/self/mounts which should only contain valid mountpoints. That's the file's job.

calamares - re-enable btrfs support

live mode systray in python

user-sysmaint-split - document how to whitelist systemd units in sysmaint mode

user-sysmaint-split - migrate dangerous service dependencies to drop-ins

  • Wants= could be dangerous if dealing with security-sensitive or mutually exclusive services.
  • Migrate these dangerous services to use drop-in configuration dirs with `WantedBy=` dependencies, so that they obey systemctl enable and systemctl disable directives.
    • This may require some extra code to check if these services are enabled or not already, and re-enable them if they are enabled, so that the needed symlinks for sysmaint sessions are created.
  • Implemented: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/firewall
  • Patrick: Merged.

user-sysmaint-split - minor improvements

  • consider test -s
-z "$(cat

docker cleanup

ISO - btrfs versus grub-live bug - real fix

  • todo
  • report bug upstream
  • systemd bug report: https://github.com/systemd/systemd/issues/35540
  • fix in dracut
    • Cannot be fixed in dracut, dracut doesn't handle mounting /home. Instead opting to fix in grub-live.
    • Might use kernel parameters using systemd features that may be available in trixie?
  • since no response from systemd, needs to be fixed without systemd upstream support
  • in case a reliable, solid implementation is not easy or not possible, this should either not be implemented or needs runtime sanity tests
  • Current implementation plan:
    • Create script (or augment existing script) that will look at all mounted filesystems, detect unsafe read/write mounts and report the system as either being fully persistent, semi-persistent, or fully live.
    • Make livecheck recheck the system regularly (perhaps with an event-based mechanism if possible) and update messaging and the icon as necessary to indicate the system's state. Popups should be sent with notify-send to alert the user when something happens that affects the system's live state.
      • If no writable drives are mounted, show a green light. If writable, removable drives are mounted under /mnt or /media, show a yellow light. If non-removable drives of any kind are mounted, or if removable drives are mounted anywhere other than /mnt or /media, show a red light. NFS is considered a removable drive.
      • We should reimplement livecheck in Python + PyQt5. Use a system tray icon to indicate the live state, use a poll on /proc/self/mounts to detect when mounts change and rescan for possible danger.
    • Create a systemd unit that will scan /etc/fstab on boot and mount overlayfs filesystems over the top of most persistent filesystems listed in /etc/fstab, with the exception of mounts under /media and /mnt and filesystems that should always be persistent (NFS specifically). This should run early during boot and block boot, and should not run unless the system is booted in live mode.
    • Research how Tails live mode works in this regard and take inspiration from them if possible.
      • Won't boot unless it is booting from a USB medium with the removable media bit enabled
        • Idea - disks mounted that have the removable media bit set are probably OK to mark as yellow, use red when there are mounted "non-removable" disks which are more likely to be internal or external (semi-)permanent hard drives
      • Cannot mount non-removable drives without setting an administrator password on the initial setup screen and then providing that password when prompted
      • Removable media is automounted even without clicking on it in the file manager (?!)
  • related to Comparison between grub-live and Tails
  • research, compare with Tails
    • Avoid writing to arbitrary (non-boot) host disks
    • Disables removable drives auto-mounting
    • Disabled virtual machine shared folders
  • Implemented:
  • Patrick: Merged.
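The traffic-light rules in the plan above, as an added example that is not livecheck's code: live_state reads text in /proc/self/mounts format and returns green, yellow or red; the list of removable disks is passed in so the logic runs offline, and live_state_live derives it from sysfs on a real system. Function names are assumptions, as is matching a partition to its parent disk by name prefix.

```bash
#!/bin/bash
# Added example, not livecheck's own code. Implements the green/yellow/red rules from the
# plan above over text in /proc/self/mounts format (fields: source mountpoint fstype
# options dump pass; spaces in paths appear as \040). Which whole disks are removable is
# passed in as a list so the logic runs offline; on a real system that list is read from
# /sys/class/block/NAME/removable. Function names are assumptions.

# mount_is_writable OPTIONS - 0 if the option list starts with "rw"
mount_is_writable() {
  case "$1" in
    rw|rw,*) return 0 ;;
    *) return 1 ;;
  esac
}

# live_state MOUNTS_TEXT REMOVABLE_DISKS
#   green : no writable drive is mounted
#   yellow: only writable removable drives (NFS counts as removable), all under /mnt or /media
#   red   : any writable non-removable drive, or a removable one mounted elsewhere
live_state() {
  local mounts="$1" removable_list="$2"
  local state="green" src target fstype opts rest is_removable disk
  while read -r src target fstype opts rest; do
    [ -z "${src}" ] && continue
    # Only block devices and network shares are "drives"; overlay, tmpfs, proc etc. are skipped
    case "${src}:${fstype}" in
      /dev/*:*|*:nfs|*:nfs4) ;;
      *) continue ;;
    esac
    mount_is_writable "${opts}" || continue
    is_removable=0
    case "${fstype}" in nfs|nfs4) is_removable=1 ;; esac
    for disk in ${removable_list}; do       # unquoted on purpose: space-separated list
      # A partition (sdb1, nvme0n1p1) inherits the removable flag of its disk (assumption)
      case "${src}" in
        "${disk}"|"${disk}"[0-9]*|"${disk}"p[0-9]*) is_removable=1 ;;
      esac
    done
    if [ "${is_removable}" -eq 1 ]; then
      case "${target}" in
        /mnt|/mnt/*|/media|/media/*)
          if [ "${state}" = "green" ]; then state="yellow"; fi ;;
        *) state="red" ;;
      esac
    else
      state="red"
    fi
  done <<< "${mounts}"
  printf '%s\n' "${state}"
}

# live_state_live - classify the running system, deriving the removable list from sysfs
live_state_live() {
  local removable="" flag name
  for flag in /sys/class/block/*/removable; do
    [ -r "${flag}" ] || continue
    if [ "$(cat "${flag}")" = "1" ]; then
      name="${flag#/sys/class/block/}"
      removable="${removable} /dev/${name%/removable}"
    fi
  done
  live_state "$(cat /proc/self/mounts)" "${removable}"
}
```

In persistent mode the root filesystem itself is a writable non-removable mount, so the function reports red, which is the intended meaning of "fully persistent"; a poll on /proc/self/mounts, as planned above, only needs to call live_state_live again and compare the colour with the previous one.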

debug USB installation boot failure

Secure Mount Options for better Security Hardening

Qubes R4.3 - Tor Browser Template Build Installation Issue

sysmaint-panel - allow running in dev mode

  • when "enable sudo access in USER session" has been enabled, allow running sysmaint
  • i.e. check if privilege escalation tool is actually unavailable. Only if actually unavailable and sysmaint mode required, show the error popup.
  • use and/or improve already existing use_leaprun.sh helper-script library?
  • probably non-issue as discussed
  • can be archived

privleap - redesign command line tool names and add group

  • for better multi-user support
  • The currently used Linux user group leaprun-users is kinda confusing (comparable to group "sudo")
  • or should we call this group leaprun for simplicity?
  • or even simpler, call the group privleap?
  • while at it, the different tool names might be confusing. privleap vs leaprun.
  • todo rename:
    • privleapd -> privleap-daemon
    • leaprun -> privleap
    • Linux group name: privleap
  • Discussed with Patrick, archived without completion as:
    • privleap is the protocol, i.e. the set of sockets used by privleapd and leaprun, and the language they speak to each other.
    • privleapd is the reference implementation of a server process that speaks the privleap protocol and runs actions upon request.
    • leaprun is the reference implementation of a client process that speaks the privleap protocol and requests privleapd to do things.
    • Renaming leaprun to privleap would potentially result in more confusing documentation.
    • Lots of Linux server applications use a d to indicate "daemon/background process/server".

stcat - stdin bugfix review

review docker pull request

user-sysmaint-split - whitelist firewall related systemd units

  • such as ufw and other systemd units
  • Implemented in dangerous service drop-in migration task.

sgdisk create-raw-image - add source code comments

permission hardener - review

systemd-repart bug - Can't fit requested partitions into available free space

sudo systemctl status systemd-repart
× systemd-repart.service - Repartition Root Disk
     Loaded: loaded (/lib/systemd/system/systemd-repart.service; static)
    Drop-In: /usr/lib/systemd/system/systemd-repart.service.d
             └─30_grub-live.conf
     Active: failed (Result: exit-code) since Fri 2025-05-23 15:42:31 UTC; 5min ago
       Docs: man:systemd-repart.service(8)
    Process: 577 ExecStart=/bin/systemd-repart --dry-run=no (code=exited, status=1/FAILURE)
   Main PID: 577 (code=exited, status=1/FAILURE)
        CPU: 13ms

May 23 15:42:31 host systemd[1]: Starting systemd-repart.service - Repartition Root Disk...
May 23 15:42:31 host systemd-repart[577]: Can't fit requested partitions into available free space (1004.0K), refusing.
May 23 15:42:31 host systemd-repart[577]: Automatically determined minimal disk image size as 100.0G, current image size is 100.0G.
May 23 15:42:31 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
May 23 15:42:31 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
May 23 15:42:31 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.
zsh: exit 3     sudo systemctl status systemd-repart
sudo journalctl --boot -u systemd-repart
May 23 15:42:29 localhost systemd[1]: Starting systemd-repart.service - Repartition Root Disk...
May 23 15:42:29 localhost systemd-repart[445]: Can't fit requested partitions into available free space (1004.0K), refusing.
May 23 15:42:29 localhost systemd-repart[445]: Automatically determined minimal disk image size as 100.0G, current image size is 100.0G.
May 23 15:42:29 localhost systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
May 23 15:42:29 localhost systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
May 23 15:42:29 localhost systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.
May 23 15:42:30 host systemd-repart[490]: Can't fit requested partitions into available free space (1004.0K), refusing.
May 23 15:42:30 host systemd-repart[490]: Automatically determined minimal disk image size as 100.0G, current image size is 100.0G.
May 23 15:42:30 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
May 23 15:42:30 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
May 23 15:42:30 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.
May 23 15:42:31 host systemd[1]: Starting systemd-repart.service - Repartition Root Disk...
May 23 15:42:31 host systemd-repart[564]: Can't fit requested partitions into available free space (1004.0K), refusing.
May 23 15:42:31 host systemd-repart[564]: Automatically determined minimal disk image size as 100.0G, current image size is 100.0G.
May 23 15:42:31 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
May 23 15:42:31 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
May 23 15:42:31 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.
May 23 15:42:31 host systemd[1]: Starting systemd-repart.service - Repartition Root Disk...
May 23 15:42:31 host systemd-repart[577]: Can't fit requested partitions into available free space (1004.0K), refusing.
May 23 15:42:31 host systemd-repart[577]: Automatically determined minimal disk image size as 100.0G, current image size is 100.0G.
May 23 15:42:31 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
May 23 15:42:31 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
May 23 15:42:31 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk
  • Aaron: Root cause of issue found, reported to Patrick. Some code needs to be uncommented after I incorrectly advised him it could be removed.

Qubes R4.3 - tb-updater - sysmaint versus user - permission issue

grml-debootstrap - upstream sgdisk typecode changes

  • please upstream to grml-debootstrap, if sensible
   ## Change the partition type of the root partition so systemd identifies it
   ## as a root partition.
   ##
   ## The type code used for the root partition differs depending on machine
   ## architecture. See
   ## https://www.toomanyatoms.com/computer/gpt_partition_type_guids.html for
   ## info on what code to use for which architecture.
   ##
   ## grml-debootstrap's generated partition layout will also depend on the
   ## architecture, so we may have to change a different partition depending
   ## on the CPU type we're building for.

   type_code=""
   case "$dist_build_target_arch" in
      amd64)
         $SUDO_TO_ROOT sgdisk --typecode='3:4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709' "$binary_image_raw_file"
         ;;
      arm64)
         $SUDO_TO_ROOT sgdisk --typecode='2:B921B045-1DF0-41C3-AF44-4C6F280D3FAE' "$binary_image_raw_file"
         ;;
   esac

grml-debootstrap - grub issue

helper-scripts - stecho - review

ISO - calamares bootloader issue

grub-live - systemd-repart error message inside VM during boot

bash livecheck.sh systray broken

  • unit test is broken
  • shows read-only mode in live mode while not read-only
  • sometimes even shows read-only while booting into persistent mode
  • maybe fixing not required depending on bug cause (backend or frontend) and depending on below
  • some changes by Patrick, maybe fixed

user-sysmaint-split - review sysmaint-boot.target

user-sysmaint-split - user login without autologin broken

live mode detection improvements

  • https://github.com/Kicksecure/helper-scripts/blob/master/usr/libexec/helper-scripts/live-mode.sh
  • Currently only based on grepping kernel command line.
  • However, a different or the wrong initramfs generator might be in use. Or some other unexpected use case.
  • Ideas on how to make live mode detection more reliable?
  • Aaron: It might be possible to rely on the mount info for the root filesystem, which can be seen by running LC_ALL='C' mount | grep ' on / '. This returns a distinctly different string for each of persistent mode, live mode, and ISO live mode.
    • PERSISTENT mode: /dev/mapper/luks-65abae64-dea9-4e54-b75f-0f545ed4a053 on / type ext4 (rw,relatime)
    • LIVE mode (dracut): overlay on / type overlay (rw,noatime,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work,default_permissions)
    • LIVE mode (initramfs-tools): overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work,redirect_dir=on)
    • ISO live mode: LiveOS_rootfs on / type overlay (rw,relatime,lowerdir=/run/rootfsbase,upperdir=/run/overlayfs,workdir=/run/ovlwork)
  • Based on the above, we could say "if the string starts with overlay on / type overlay, then we're in GRUB live mode. If it starts with LiveOS_rootfs, we're in ISO live mode. Otherwise, we're in persistent mode."
  • Notes:
    • LiveOS_rootfs appears to be hardcoded throughout dracut, thus I believe this is a string we can rely on to be accurate.
    • For Dracut, overlay for GRUB live mode is hardcoded in the Debian-specific 90overlay-root module and thus can likely be relied upon, see /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh.
    • For initramfs-tools, overlay for GRUB live mode is sorta hardcoded in live-boot, but not exactly, aufs is also supported and that might change the mount line. This may or may not be completely reliable.
  • Patrick:
    • Should we combine the existing kernel command line parameters based test with the new mount based test?
      • Aaron: IMO, no, the logic will become too complicated. Notably, if the mount info and kernel parameters say different things, we'll risk either telling the user that their changes will persist when they won't, or telling the user that their changes won't persist when they will. The mount info is likely to be more reliable and there's no need to check the kernel parameters too.
    • Any way to also catch the BTRFS home folder unexpected persistence bug (live mode indicator said "live" but /home folder was actually persistent bug)? Related: ISO - btrfs versus grub-live bug - real fix
      • Aaron: That is possible.
  • Implemented both enhanced live mode detection and the ability to detect semi-persistence:
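Aaron's rule above turned into a function, as an added example that is not live-mode.sh: classify the root mount line in the format that LC_ALL='C' mount | grep ' on / ' prints. It goes one step beyond the stated rule by reporting unknown, rather than persistent, for an overlay root from an unexpected source or for an aufs root (the live-boot variation mentioned in the notes), so that an unrecognised live setup is never reported as persistent. Function names are assumptions; the sample lines used in the check are the ones quoted above.

```bash
#!/bin/bash
# Added example, not live-mode.sh's own code. Classifies the root mount line that
# "LC_ALL='C' mount | grep ' on / '" prints, following the rule stated above:
# "overlay on / type overlay" is GRUB live mode, "LiveOS_rootfs on / ..." is ISO live
# mode, anything else is persistent. Added here: an overlay root from an unexpected
# source, or an aufs root (live-boot can use aufs, per the notes), yields "unknown"
# instead of "persistent". Function names are assumptions.

# live_mode_from_mount_line LINE - prints grub-live, iso-live, persistent, or unknown
live_mode_from_mount_line() {
  local line="$1" src fstype
  # Fields: "<source> on / type <fstype> (<options>)"
  src="${line%% on / *}"
  fstype="${line#* on / type }"
  fstype="${fstype%% *}"
  if [ "${src}" = "${line}" ] || [ "${fstype}" = "${line}" ]; then
    printf 'unknown\n'; return 0   # not a root mount line at all (e.g. empty grep result)
  fi
  case "${src}:${fstype}" in
    overlay:overlay)        printf 'grub-live\n' ;;
    LiveOS_rootfs:overlay)  printf 'iso-live\n' ;;
    *:overlay|*:aufs)       printf 'unknown\n' ;;   # union root we did not expect: do not claim persistence
    *)                      printf 'persistent\n' ;;
  esac
}

# live_mode_detect - classify the running system
live_mode_detect() {
  live_mode_from_mount_line "$(LC_ALL='C' mount | grep ' on / ')"
}
```

A caller such as livecheck would treat unknown the same way as a warning state: show that the mode could not be determined rather than picking one of the two answers, which is exactly the mismatch risk Aaron describes for combining the two detection methods.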

umask bug - copy from user to sudo missing permission - others

  • how to reproduce:

touch a
sudo cp a /etc/a
ls -la /etc/a

  • expected result: readable by "others" ("public")
  • actual result: unreadable by "others"
  • this is probably happening because file "a" is created unreadable by "others". When copying, permissions are preserved.
  • problematic in context of use cases such as:

sudo overwrite /etc/apt/sources.list.d/cwtch.im.list 'deb [arch=amd64 signed-by=/usr/share/keyrings/deb.cwtch.im-keyring.gpg] https://deb.cwtch.im/cwtch.im/ stable main'

  • Aaron:
    • This is two separate issues. The issue as described with cp is not a bug and isn't fixable - cp's behavior is to simply clone the file mode (permissions) of files it copies. This can be overridden using the --no-preserve=mode option.
    • However, overwrite and other programs that use append-shared are indeed causing permission issues, they appear to be forcing the permissions of any file they touch to 0600. This is because we're creating a temporary file with the contents we want, then moving it into the location where the old file was. The permissions on the temporary file are 0600, so the final file ends up with the same (faulty) permissions.
  • Patrick: created umask
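Both effects Aaron describes, reproduced and corrected in one added example that is not the helper-scripts overwrite or append-shared code: cp clones the source mode unless told --no-preserve=mode, and a mktemp file (0600) moved into place leaves the destination 0600 unless its mode is settled before the rename. Function names are assumptions.

```bash
#!/bin/bash
# Added example, not the helper-scripts overwrite/append-shared code. It reproduces the
# two effects Aaron describes (cp clones the source mode; a 0600 temp file moved into
# place leaves the destination 0600) and shows the corrected patterns: cp
# --no-preserve=mode, and fixing the temp file's mode before the rename.
# Function names are assumptions; GNU coreutils (stat -c, chmod --reference) assumed.

# file_mode PATH - octal permission bits, e.g. 644
file_mode() { stat -c '%a' -- "$1"; }

# copy_with_target_umask SRC DEST - like "cp", but DEST gets the mode a newly created
# file would get here (0666 masked by the umask) instead of a clone of SRC's mode
copy_with_target_umask() { cp --no-preserve=mode -- "$1" "$2"; }

# overwrite_naive DEST CONTENT - the pattern that causes the bug: mktemp creates the
# temporary file with mode 0600 and mv carries that mode over to DEST
overwrite_naive() {
  local dest="$1" content="$2" tmp
  tmp=$(mktemp "${dest}.XXXXXX")
  printf '%s\n' "${content}" > "${tmp}"
  mv -- "${tmp}" "${dest}"
}

# overwrite_keep_mode DEST CONTENT - same atomic replace, but the mode is settled before
# mv: an existing DEST keeps its permissions; a new DEST gets 0666 masked by the umask
overwrite_keep_mode() {
  local dest="$1" content="$2" tmp mode
  tmp=$(mktemp "${dest}.XXXXXX")
  printf '%s\n' "${content}" > "${tmp}"
  if [ -e "${dest}" ]; then
    chmod --reference="${dest}" -- "${tmp}"
  else
    # What a plain "> file" redirect would produce: 0666 & ~umask, printed in octal
    mode=$(printf '%o' $(( 0666 & ~0$(umask) )))
    chmod "${mode}" -- "${tmp}"
  fi
  mv -- "${tmp}" "${dest}"
}
```

overwrite_keep_mode copies only the mode. When the helper runs under sudo the renamed file is owned by root, so a tool that must keep a user-owned file user-owned would add chown --reference at the same point; the atomic rename itself, which is the reason for the temp file in the first place, is unchanged.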

installation failure with en-gb locale

sysmaint systray

sysmaint-panel - wifi setup

verified boot - specification pull request review

Kicksecure homepage - search engines comment

sysmaint-panel feature requests

sysmaint-panel - distinct wallpapers for Whonix-Gateway and Whonix-Workstation

security review and improve curl-prgrs

kvm mouse integration broken in sysmaint session

Zarhus Developer Meetup 0x1

  • Includes presentation of Kicksecure ram-wipe test results

ISO - boot menu text consistency

GRUB - choose boot mode text too small

  • non-Secure Boot version:
    • boot menu entries look OK, looks like text size 12 or 14
    • "Choose boot mode" looks like text size 9 -> please check if reproducible and increase text size a bit, if sensible
    • Fixed in boot menu text consistency task changes, I forgot to push an important commit.
  • commit is part of "GRUB - choose boot mode text too small"

libpam-tmpdir - PAM_tmpdir - /tmp/user/1000 owned by uid 0 instead of uid 1000[edit]

  • https://forums.whonix.org/t/systemcheck-fails-for-unclear-reason/21424/29
  • please investigate unsafe ways to use TMP and similar env vars
  • refactor TMP/security-misc-apt-get-update-pid
  • Discussed with Patrick, we don't believe security-misc-apt-get-update-pid is the likely cause anymore. Can't identify a potential other cause yet.
  • Aaron could not reproduce on Qubes R4.3. Reported to Marek.
  • No response received, assuming not (or no longer) an issue.

kloak upstream discussion[edit]

grub - secure boot signed fonts[edit]

  • discuss upstream, file feature request
  • feature requests are unlikely to get implemented
  • ITP might be possible in theory but too low priority
  • closing

verified boot chat[edit]

  • done

user-sysmaint-split - sysmaint-boot-cleanup.service error message during ISO shutdown[edit]

user-sysmaint-split - Qubes - Selective sudo Access[edit]

research wlroots layer-shell security[edit]

publish debian live-build security comment[edit]

wiki editing - First-Time Source Code Contributor Policy[edit]

grub skin - change text[edit]

sysmaint-panel - add repository-dist-wizard[edit]

tor-ctrl - security review[edit]

repart - systemd-growfs error[edit]

git symlink research[edit]

  • please research security impact of "the most interesting git symlink ever"
  • please review, improve git as that wiki page might be used in case we send feature requests to projects to stop using git symlinks
  • Researched, tweaked documentation slightly, this doesn't seem to be a major issue.

ram-wipe improvements[edit]

  • page_poison
  • passing "P" to slub_debug
  • zeroing heap memory at free time (init_on_free=1)

live-build - use /etc/dracut.conf.d method to speed up the build[edit]

fix - leaprun sdwdate-log-viewer[edit]

user-sysmaint-split - enable in VM images[edit]

  • currently user-sysmaint-split is only enabled on ISOs, enable it for VBox/KVM/etc. images as well
  • already done
    • please grep for user-sysmaint-split
  • Patrick working on this.
  • Done.
  • Aaron: Code looks good, did a VM build and verified that this works.

fix ram-wipe on plain Debian trixie[edit]

systemd-repart Qubes error[edit]

sudo journalctl --boot -u systemd-repart
Apr 15 22:33:30 host systemd-repart[256]: Can't fit requested partitions into available free space (1004.0K), refusing.
Apr 15 22:33:30 host systemd-repart[256]: Automatically determined minimal disk image size as 20.0G, current image size is 20.0G.
Apr 15 22:33:30 host systemd[1]: systemd-repart.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 22:33:30 host systemd[1]: systemd-repart.service: Failed with result 'exit-code'.
Apr 15 22:33:30 host systemd[1]: Failed to start systemd-repart.service - Repartition Root Disk.

user-sysmaint-split - unit fails on first sysmaint login[edit]

  • the sysmaint account specific config routine is failing on the first sysmaint login, because PAM hasn't created the /home/sysmaint directory when this code attempts to run.
  • move the code from sysmaint-boot to sysmaint-session and sysmaint-session-wayland
  • Fixed, also refactored some duplicated code into a shared library: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/sysmaint-config
    • Patrick: Merged.

helper-scripts - strange symlinks issue[edit]

research systemd-repart[edit]

review and improve append-once[edit]

  • append-once
    • Aaron: Documentation updated to match the new implementation.
  • https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/append-once
  • Had some ideas for improving performance and reliability, shared in chat.
  • use case: simplify writing to files while developing unrelated scripts (such as user-sysmaint-split)
  • please rewrite in python as suggested
  • the following tools should probably be separate tools
    • these might however have shared code inside a library if that is sensible
  • tool requirements:
    • atomic writes
    • error handling (unwriteable parent folder, unwriteable file)
  • required functionality:
    • only for already actually used use cases
  • list of tools
    • append (equivalent of: echo test >> testfile)
    • append-once
    • overwrite (equivalent of: echo test | sponge testfile)
  • unneeded functionality for now:
    • not adding a newline at the end (equivalent of: printf "test" > testfile)
    • appending to the last line of the file (without starting a newline) (equivalent of: printf test >> a)
  • Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/file-utils
    • All tools implemented as a multicall executable append, with append-once and overwrite symlinks.
      • Patrick: Merged.
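An added example (not the helper-scripts code) of the atomic-write core these tools share, in Python as requested above. It also shows the fix for the permission problem raised under "sudo overwrite" earlier on this page: the temporary file gets the mode of the file it replaces instead of staying 0600. Function names and the multicall dispatch are hypothetical.

```python
#!/usr/bin/env python3
"""Atomic append / append-once / overwrite that keep the target's file mode.

Hypothetical re-implementation of the tools specified above, not the
helper-scripts code. A fresh temporary file is 0600, so the mode of the file
being replaced is copied onto it before the rename (the "sudo overwrite" fix).
"""
import contextlib
import os
import stat
import sys
import tempfile


def _current_umask() -> int:
    """Read the process umask (os.umask only reports it while setting it)."""
    value = os.umask(0)
    os.umask(value)
    return value


def mode_of(path: str) -> int:
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def _read(path: str) -> str:
    """Current content of path, or "" if it does not exist yet."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def _atomic_replace(path: str, data: str) -> None:
    """Write data to a temp file in the same directory, then rename over path."""
    directory = os.path.dirname(os.path.abspath(path))
    try:
        mode = mode_of(path)                  # keep an existing file's mode
    except FileNotFoundError:
        mode = 0o666 & ~_current_umask()      # same default as a new file
    # mkstemp raises PermissionError for an unwritable parent directory.
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_path, mode)              # mkstemp created it as 0600
        os.replace(tmp_path, path)            # atomic on POSIX
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(tmp_path)               # do not leave debris behind
        raise
    dir_fd = os.open(directory, os.O_RDONLY)  # make the rename durable too
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)


def overwrite(path: str, text: str) -> None:
    """Equivalent of: echo text | sponge path"""
    _atomic_replace(path, text + "\n")


def append(path: str, text: str) -> None:
    """Equivalent of: echo text >> path (always starts on a fresh line)."""
    existing = _read(path)
    if existing and not existing.endswith("\n"):
        existing += "\n"
    _atomic_replace(path, existing + text + "\n")


def append_once(path: str, text: str) -> bool:
    """Append text as a line unless present; True if the file was changed."""
    if text in _read(path).splitlines():
        return False
    append(path, text)
    return True


def main(argv: list[str]) -> int:
    """Multicall dispatch: the tool is chosen by the invoked program name."""
    tools = {"append": append, "append-once": append_once, "overwrite": overwrite}
    name = os.path.basename(argv[0])
    if name not in tools or len(argv) != 3:
        print("usage: append|append-once|overwrite FILE TEXT", file=sys.stderr)
        return 2
    try:
        tools[name](argv[1], argv[2])
    except OSError as err:                    # unwritable dir, ENOSPC, ...
        print(f"{name}: {err}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```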

sysmaint-panel - support change full disk encryption fde password[edit]

sysmaint-panel - add grub bootloader password support[edit]

  • please review and improve
    • /usr/sbin/grub-password-status-check
    • /usr/sbin/grub-pwchange
    • systemcheck check_grub_security
    • How to set a bootloader password
    • Aaron: Reviewed all of the above, sent comments in chat. Mostly looks good and appears to work on my end.
  • add grub bootloader password support to sysmaint-panel
    • do this on the host only, not inside VMs?
    • Aaron: I don't think we need to restrict it like that - while bootloader passwords aren't theoretically useful in VMs, they might be practically useful against a low-skill adversary, and doing this would complicate development and make testing trickier.
      • Patrick: Agreed.
  • Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/0271a053bfc3d1457ff11fc8889d1f088b8068c5
    • Patrick: Merged.

pstore disabling - please comment[edit]

Debian feature request - Debian's shim signed by Debian's key[edit]

Dev/boot wiki page - review[edit]

  • Patrick made stylistic changes but commands remain all the same. Please review Dev/boot.
    • Aaron: Reviewed, made minor changes. Looked very good for the most part.
  • This is in preparation for the next task.
  • Is command grub-install --force-extra-removable correct? (Unchanged.) It looks a bit short.
    • Aaron: This is the right command. GRUB will automatically figure out where to install the bootloader since we're installing an EFI bootloader. This applies even when the system is not booted with UEFI.
  • Note: While testing to make very sure this command was correct, I discovered USB boot isn't working right with U-Boot in this setup. Noted down the issue, this will probably take further research to resolve.
    • Was resolved in task below.

RPi GRUB - research USB Boot Support[edit]

  • todo
  • Discovered this is a problem with Bookworm, and Trixie is not affected. Documented the likely cause of the issue.

RPi GRUB - Post TLDR Instructions on Debian RPi Salsa Feature Request[edit]

  • rationale, potential issues (speculation): people not wanting to visit external websites / Kicksecure wiki / TLDR / not enough time to read lengthy instructions, planning to look later, then forgetting, stunned by complexity, ...
  • todo: Please review, improve the TLDR version of Booting Debian Trixie with GRUB + u-boot on Raspberry Pi 4
  • can be posted on https://salsa.debian.org/raspi-team/image-specs/-/issues/78, if appropriate
  • Aaron: Posted. Did not add the short version to the Wiki since it felt awfully redundant and I wasn't sure I was supposed to do that.
    • Patrick: Redundant instructions not required indeed. Task is complete.

FYI - CodeSelect versus pipes[edit]

  • note: (you might already know this.) CodeSelect cannot use pipes ("|"). These need to be escaped as {{!}}.
{{CodeSelect|code=
xzcat raspi_4_trixie.img.xz {{!}} sudo dd of=/dev/mmcblk0 bs=4M
}}
  • This gets rendered as expected as:

xzcat raspi_4_trixie.img.xz | sudo dd of=/dev/mmcblk0 bs=4M

  • Just mentioning this to avoid a copy/paste issue (if copying from wiki source code) in the task after next.
  • This task can be moved to archived.
  • Aaron: Did not know this, will keep this in mind in future edits.

stcatv - review[edit]

user-controlled verified boot UEFI Application review[edit]

user-sysmaint-split - run updatecheck[edit]

user-sysmaint-split - show persistent vs live status[edit]

user-sysmaint-split - bug - prevent account user login in sysmaint mode[edit]

unicode - sanitize suspicious characters in informative lines[edit]

  • as discussed, avoid using repr
  • might not be needed after all, see chat

grub-live - GRUB configuration not being regenerated when switching initramfs generator[edit]

  • When installing initramfs-tools on Kicksecure, grub-live-dracut is swapped out for grub-live-initramfs-tools. This seems to work for the most part; however, the GRUB configuration isn't regenerated, meaning live boot is broken until the next time the user (or some other part of the system) calls update-grub.
  • This is because update-grub is only called when the master grub-live package is installed or removed. If one of grub-live-dracut or grub-live-initramfs-tools is installed or uninstalled, but the main grub-live package isn't, the GRUB configuration isn't regenerated. This is usually exactly what happens when switching initramfs engines.
  • Fix: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/initramfs-switch-fix

updatecheck, setup-wizard-dist - don't assume sysmaint components are present[edit]

  • Patrick working on this.
  • [DONE] updatecheck assumes sysmaint-panel is preinstalled and instructs the user to use it, even if it's not present
  • setup-wizard-dist does things similarly
  • adjust both to only show sysmaint-related information if the corresponding components are installed
    • Patrick did updatecheck, Aaron did setup-wizard-dist, so this is now solved.

RPi GRUB - notify debian-arm mailing list[edit]

user-sysmaint-split - documentation improvements - #2[edit]

  • document Qubes boot modes on Dev/user-sysmaint-split
  • document difference for user-sysmaint-split installation on Qubes R4.2 versus Qubes R4.3
  • Read through the document, fixed some errors and omissions and added the requested docs.

review - lightweight update notifications - #2[edit]

  • Implemented by Patrick. Please review.
  • [DONE] consider custom languages. Needs LC_ALL=C?
  • [DONE] notify leaprun failures
  • [DONE] consider if update_package_count is not a number?
  • [DONE] grep APT output for errors and notify?
  • [DONE] systemcheck function check_dpkg or equivalent useful? If apt/dpkg is broken due to broken packages, that does not really break apt update?
    • Not needed. DPKG is irrelevant.
  • [DONE] use systemcheck function check_package_manager_running or equivalent?
    • [DONE] if running for a "reasonable time", wait
    • [DONE] if running "forever", notify that update check is broken
  • [DONE] consider systems running for 12 or 18 hours etc:
    • [DONE] Do notifications pile up more and more? Avoidable?
    • [DONE] Can we clear prior notifications?
    • [DONE] Can stale notifications be avoided? Can we clear "update check broken" notification once "updates available" notification came in? Can we clear "updates available" once user updated?
  • Other error cases to notify?
  • Documentation:
  • [DONE] notify https://forums.kicksecure.com/t/notifications-about-new-updates/774
  • Aaron: Reviewed, added some documentation updates, found and fixed a likely minor bug with debug output.

trailing whitespaces - please comment[edit]

enable X event buffering by default for Whonix[edit]

user-sysmaint-split - sysmaint-panel - add terminal background tinting[edit]

user-sysmaint-split - sysmaint-panel - new features[edit]

  • sysmaint-panel could be used to promote nice but lesser known functionality
  • apt-get-reset
    • should be renamed to apt-get-reinstall?
    • rationale: re-installation of a package (if other packages depend on it) while restoring configuration files back to package defaults is very difficult for users. Hence, apt-get-reset has been invented.
  • dummy-dependency
    • use --purge?
    • do not yet --yes, obviously
  • Both features (and some additional software uninstallation features) implemented in https://github.com/ArrayBolt3/sysmaint-panel/commit/320f4bea7faa288b659fc20a35d3e318bf363980
    • Patrick: Merged.

research depthcharge[edit]

Minimal Firmware combined with Linux Based Bootloader - review and improve the wiki draft[edit]

updatecheck - avoid assuming Internet access[edit]

updatecheck - send_notification_wait_exit fixes[edit]

safe-print follow-up issues[edit]

unicode - don't strip trailing whitespace[edit]

RPi GRUB - Continue Research[edit]

  • non-goal: RPi Secure Boot (due to issues documented in chapter Verified_Boot#Raspberry_Pi_RPi_Based)
  • non-goal: hiding of u-boot
  • goal: complete RPi GRUB support for the purposes of
    • being able to implement RPi GRUB support in grml-debootstrap - maybe - at a later time - depending on grml upstream feedback on RPi support
    • being able to implement the functionality in derivative-maker (in case grml upstream rejects RPI GRUB support)
    • todo items (updated by Patrick) on Dev/boot#Load_GRUB_with_u-boot
  • document raspi-firmware versus clobbering config.txt (by /etc/kernel/postinst.d or similar) and consider how an implementation later could handle this (probably by using config-package-dev hide, dpkg divert or otherwise)
  • Research done, additional notes added to Dev/boot. Likely ready to continue implementation when desirable.

investigate Raspberry Pi GRUB compatibility[edit]

unicode[edit]

user-sysmaint-split - fix live mode sysmaint[edit]

user-sysmaint-split - custom lightdm autologin configuration breaks sysmaint mode boot[edit]

sudo append-once /etc/lightdm/lightdm.conf.d/user-autologin.conf "\
[SeatDefaults]
user-session=xfce
autologin-user=user
"

privleap - better error message in case comm socket cannot be created as expected[edit]

WARNING: Account 'lightdm' is not allowed to have a comm socket
  • new feature "expected-non-user+=lightdm"
  • better:
handle_control_create_msg: INFO: Account 'lightdm' is not allowed to have a comm socket, as expected, ok.

review safe-print[edit]

leaprun - implement --check command line parameter[edit]

user-sysmaint-split - lock screen command broken[edit]

  • to debug, a terminal was started and then sysmaint-panel was started from the terminal emulator
/usr/bin/zsh
[sysmaint ~]% sysmaint-panel
requestActivate() called for  QWidgetWindow(0x120a4600, name="BackgroundScreenWindow")  which has Qt::WindowDoesNotAcceptFocus set.
xscreensaver-command: no screensaver is running on display :0

user-sysmaint-split - sysmaint-panel - check system status button - add delay[edit]

  • systemcheck takes 2-3 seconds until the user gets feedback. I pressed the button twice and then had a duplicate systemcheck.
  • please disable the button for 2-5 seconds after it has been clicked.
  • visibly disable the button if the effort for that is reasonable
  • perhaps a counter that counts down 5, 4, 3, 2, 1?
  • perhaps generally should be the case for all buttons
  • Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/7e39a7df817045ba3c4bc6f7a1f64e82bba71d92
    • This is implemented for most buttons, except for Open Terminal, Reboot, Shut Down, and Install Software. The user experience when using those doesn't warrant a timeout lock and adding a timeout lock there would probably annoy the user.
    • Visible timeout counter is present, implemented by adding a (5) at the end of each button label for the duration of the lock (where "5" will be replaced with the remaining seconds until the lock times out).
  • Patrick: Merged.

user-sysmaint-split - sysmaint-panel - install updates button confusing[edit]

user-sysmaint-split - sysmaint-panel - output formatting issue[edit]

  • shows:
/usr/bin/sudo
/usr/bin/apt
update

user-sysmaint-split - sysmaint-panel - wrong error message if logging in as wrong user[edit]

  • login with account "user" after booting into sysmaint mode
  • ignore warnings by pam-info during the login screen that already advise against logging in with account "user" (because the user might miss them in the future due to PAM bugs, pam-info bugs, other login managers)
  • actual: sysmaint-panel shows error "boot into sysmaint"
  • expected: sysmaint-panel shows error "please login as account 'sysmaint'"
  • Fixed by implementing a new dialog: https://github.com/ArrayBolt3/sysmaint-panel/commit/b782aa512689242d2a8066a1d7a36bc0ce40fc9b
  • Patrick: Merged.

user-admin-split - documentation improvements[edit]

  • Qubes R4.2 vs R4.3
  • Qubes uninstallation instructions (passwordless-root)
  • Qubes boot modes
  • user documentation
  • developer documentation
  • anything else missing
    • Aaron: Don't see much missing, added requested points.

autologinchange versus empty password[edit]

  • issue:
    • pwchange at time of writing does not notify if autologin is enabled
    • autologinchange at time of writing does not notify if an empty password is being set
  • the user might intend to secure their account by using autologinchange and then be surprised that login without a password is still possible
  • how could setting a password and autologinchange be more connected from a usability point of view?
  • should one tool at the end of its execution recommend the other, if that seems applicable?
    • applicable?
      • when disabling autologin, suggest to user to set a password, if password is currently empty.
      • when setting a password, suggest to user to disable autologin, if autologin is currently enabled.
    • use colorful background to notify user of this potential discrepancy?
  • or suggest or autorun systemcheck login security check only after such changes to make it obvious?
  • Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/pwchange-autologinchange-link
    • Went with the strategy of having each tool warn if things are insecure when the user is doing hardening (i.e. warn about autologin when adding a password, or warn about empty password when disabling autologin)
    • Patrick: Merged.

lightweight update notifications[edit]

  • Qubes vs non-Qubes:
    • should not conflict with Qubes internal updater (multiple APT background processes blocking each other) - do this only inside Non-Qubes?
    • on the other hand, systemcheck contains many tests that are useful inside Qubes as well
    • Qubes developers do not wish the user to see a lot of duplicate passive popups, active progress bars and active popups
      • Aaron: Qubes already shows upgrade notifications for VMs, so I would say this feature should not be added to Kicksecure or Whonix under Qubes OS. It's redundant and potentially conflicting.
  • non-Qubes: GUI vs CLI?
    • GUI: Implement this for the GUI version only?
    • CLI: msgcollector supports writing to tty1 even for daemons (systemcheck) started in the background but this is probably confusing and disruptive. (Was default in the past.)
      • Aaron: Agreed, should be a GUI-only feature. CLI users can just run apt commands manually easily enough.
  • as a stopgap until one day Dev/Automatic Updates gets implemented
  • re-use systemcheck for this? Could consider re-enabling autostart of systemcheck by default as it already contains lots of tests. "systemcheck --gui" currently shows:
INFO: Kicksecure APT Repository: Enabled. When the Kicksecure team releases BOOKWORM-DEVELOPERS updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.kicksecure.com/wiki/Trust to understand the risk. If you want to change this, use:
dom0 -> Start Menu -> Template: kicksecure-bookworm -> Derivative Repository

WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated.
Please update your 'kicksecure-bookworm' TemplateVM.
1. Open a TemplateVM terminal. (dom0 -> Start Menu -> Template: kicksecure-bookworm -> Terminal)
2. Update.
upgrade-nonroot
3. Shutdown your TemplateVM. (dom0 -> Qubes VM Manager -> right click 'kicksecure-bookworm' -> Shutdown VM)
4. Shutdown and restart this TemplateBased AppVM. (dom0 -> Qubes VM Manager -> right click 'work-main' -> Shutdown VM)
  • The first "INFO: Kicksecure APT Repository" might be too noisy and could easily be disabled in GUI output by default.
  • git history contains /usr/libexec/systemcheckdaemon
    • Aaron: systemcheck shows a lot of info about multiple components, much of which a user may skip over or be tempted to skip over. I would prefer implementing this in such a way that a typical desktop notification (such as what notify-send can produce) is shown to the user when there are updates.
    • Patrick:
      • It's possible to run select functions only, for example: systemcheck --verbose --function check_operating_system.
      • Other functions might be useful as well such as check_package_manager_running and check_dpkg.
  • Aaron: Implemented initial version of update notifications using a user-side daemon.

user-sysmaint-split - add screen lock button[edit]

GRUB - boot related enhancements[edit]

  • Are there any other boot related enhancements outstanding? If so, please create tickets for these.

grml-debootstrap - downstream handling grub-cloud versus /etc/default/grub[edit]

  • After/if https://github.com/grml/grml-debootstrap/pull/299 gets merged...
  • config-package-dev displace /etc/default/grub? Avoid "fighting" for configuration file ownership by moving the file out of the way.
  • Generate a configuration file using do_once. Probably not owned by any package.
  • Ship a default /etc/default/grub configuration file:
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /etc/default/grub.d/50_user.cfg
##
## User documentation:
## https://www.kicksecure.com/wiki/grub
  • minor comment on link: https://www.kicksecure.com/wiki/grub (lower case) vs https://www.kicksecure.com/wiki/Grub (normal case) is OK. Preferring lower case for simplicity thanks to MediaWiki extension SaneCase.
  • Implemented for the most part in (broken link), though the comment at the top was not added yet because no other method of image generation we do adds that link and we cannot safely divert and replace this file. Details explained in chat.
  • Patrick: Pending discussion.
  • Aaron: Tried implementing again after discussion, attempt 2: https://github.com/ArrayBolt3/derivative-maker/commit/6b4e1a38345b69ae9c7e2b3212d7d0488cbd8b60
  • Patrick: Merged.
  • Patrick: Re-opened.
    • mount image in step build-steps.d/3200_create-raw-image was broken. (file name base_image vs full image filename)
      • Re-factored and moved to 3500_install-packages
    • grub-cloud sets: GRUB_TERMINAL_OUTPUT="gfxterm serial"
    • bug: we used to unset: GRUB_TERMINAL=""
    • Fixed.
    • developer documentation: /etc/default/grub.d/20_dist-base-files.cfg
    • Please review.
      • Aaron: Reviewed implementation and documentation, looks good to me.

reopen:

Patrick:

  • PR seems not needed. See chat.
    • Aaron: Replied in chat, PR seems needed to me, some confusion may be happening with different versions of grub-cloud.
      • Patrick: Merged.

GRUB - lightweight document ISO GRUB[edit]

user-sysmaint-split - qubes - features-request bug[edit]

  • Whonix-Gateway Template and Kicksecure error message during upgrade from developers repository
Setting up dist-base-files (3:12.8-1) ...
Processing triggers for qubes-core-agent (4.2.41-1+deb12u1) ...
Traceback (most recent call last):
  File "/usr/bin/qvm-features-request", line 111, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/bin/qvm-features-request", line 102, in main
    subprocess.check_call(
  File "/usr/lib/python3.11/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['qrexec-client-vm', 'dom0', 'qubes.FeaturesRequest']' returned non-zero exit status 1.
Processing triggers for security-misc (3:44.4-1) ...

user-sysmaint-split - qubes - qrexec refactoring[edit]

        new file:   usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateDownload
        new file:   usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateSearch
        new file:   usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Filecopy
        new file:   usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Gpg

user-sysmaint-split - qubes - autologin message during upgrade[edit]

Setting up user-sysmaint-split (3:4.0-1) ...
GUI autologin is not applicable to Qubes OS.

user-sysmaint-split - systemcheck - autologin check message and documentation[edit]

  • systemcheck recommends the sysmaint wiki page - not applicable for users that upgraded and that are not (yet or not anymore) using user-sysmaint-split
  • also related: Protection against Physical Attacks
  • please modify the wiki for better usability of this part. A wiki page is needed which explains at a glance, links users to more detailed sections.
    • Aaron: Modified the Login, Post Install Advice, and Desktop wiki pages to move all login security related documentation into the Login page. Also added additional information about login security in general to the top of the login wiki page to provide good "at a glance" instructions. Also wrote a wiki page for the System Maintenance Panel itself so it could be referenced by other pages.
  • systemcheck recommends sysmaint-panel - while not yet installed by default. Simplest solution would be to install it by default as it won't create issues for users not using user-sysmaint-split?
  • systemcheck should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? or skip login security check inside VMs?
    • Aaron: I think this might be overcrowding the systemcheck output a bit. We currently don't express an opinion on whether the autologin or password protection status for each account is a problem in systemcheck itself, we only hint at it via colors. To me, this feels like the right approach since only the end user will know for sure what is secure for them. I think the login security check is still valuable in VMs though, as some users might have a legitimate reason to password-protect a VM (for instance, in a kiosk-like setup perhaps).
  • documentation should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? A lot of users getting bothered with passwords and login prompts inside VMs if it does not benefit their threat model would be a usability degradation.
    • Aaron: Agreed, this seems like a good place to put this kind of documentation. Added to the Login wiki page.

older[edit]

Dev/todo/archived

backlog - one day[edit]

fix Qubes OS kloak implementation behavior with XFCE apps[edit]

  • When dragging XFCE applications in Whonix-Workstation by their menu bar (directly underneath the title bar), the window moves erratically across the screen
  • Hover is silently failing to function properly in XFCE application menus
  • Hover seems to work just fine in Tor Browser
  • May have been a random bug, cannot reproduce now. Bring back from backlog if a way to reproduce this is discovered.

calamares - enable GRUB force_efi_extra_removable[edit]

apt-get - implement --restrict-install-recommends proof of concept[edit]

  • todo

Debian Installer Verification[edit]

  • after live-build review queue made progress maybe

Qubes doas ticket[edit]

Qubes umask ticket[edit]

investigate porting from sudo to doas[edit]

doas - send pull requests to Qubes[edit]

  • Qubes doas ticket might be unlikely to get rejected. But replies could take a while.
  • Please send pull requests. Since it is only 2 packages and 3 files, the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask

qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
  • Superseded by sudoless mode, moved to backlog

create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator[edit]

  • parse /usr/local/etc/doas.d
  • parse /etc/doas.d
  • parse only configuration files ending with .conf
  • do not overwrite a file that does not contain our auto-generated configuration header (could be a user custom file)
    • echo a warning in that case
  • atomic, create variable then use sponge
  • add to security-misc
  • add a dpkg trigger
  • /etc/doas.conf would require a header pointing out it is auto-generated.
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf

## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
  • Superseded by sudoless mode, moved to backlog
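An added example of the generator specified above (not security-misc code): it collects only *.conf snippets from the two directories, refuses to replace a /etc/doas.conf that lacks the auto-generated header, and writes the result atomically via a temporary file plus rename, which is what piping through sponge achieves. Directory and target paths are parameters so the logic can be run against a scratch directory; the suggested user file in the header is assumed to be /usr/local/etc/doas.d/50_user.conf, and the marker string is my own choice.

```python
#!/usr/bin/env python3
"""Build /etc/doas.conf from /usr/local/etc/doas.d and /etc/doas.d snippets.

Hypothetical implementation of the generator specified above, not code from
security-misc. Paths are parameters so the logic can be exercised against a
scratch directory; defaults follow the task description.
"""
import os
import sys
import tempfile

SNIPPET_DIRS = ("/usr/local/etc/doas.d", "/etc/doas.d")   # page order
TARGET = "/etc/doas.conf"
# A target lacking this marker was not written by us: treat it as a custom
# user file and refuse to overwrite it.
MARKER = "## This file was auto generated by"
HEADER = """\
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/doas.d/50_user.conf

{marker} '{generator}' at APT package installation time (a dpkg trigger).
"""


def collect_snippets(dirs):
    """Return (path, text) for every regular *.conf file in dirs, in order."""
    snippets = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):   # deterministic order
            path = os.path.join(directory, name)
            if not name.endswith(".conf") or not os.path.isfile(path):
                continue                              # skip README, .dpkg-new
            with open(path, encoding="utf-8") as fh:
                snippets.append((path, fh.read()))
    return snippets


def render(snippets, generator):
    """Header followed by every snippet, each prefixed with its origin."""
    parts = [HEADER.format(marker=MARKER, generator=generator)]
    for path, text in snippets:
        parts.append(f"\n## --- {path} ---\n")
        parts.append(text if text.endswith("\n") else text + "\n")
    return "".join(parts)


def is_generated(target):
    """True if target is absent or carries our marker near the top."""
    try:
        with open(target, encoding="utf-8") as fh:
            return MARKER in fh.read(4096)
    except FileNotFoundError:
        return True


def write_atomic(target, text):
    """Temp file in the same directory, then rename over the target."""
    directory = os.path.dirname(os.path.abspath(target))
    fd, tmp = tempfile.mkstemp(prefix=".doas.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)   # doas refuses a config writable by group/others
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def generate(dirs=SNIPPET_DIRS, target=TARGET, generator="doas-conf-trigger"):
    """Regenerate target; returns True if written, False if refused."""
    if not is_generated(target):
        print(f"WARNING: {target} exists without the auto-generated header; "
              "refusing to overwrite a custom file.", file=sys.stderr)
        return False
    write_atomic(target, render(collect_snippets(dirs), generator))
    return True


if __name__ == "__main__":
    sys.exit(0 if generate(generator=os.path.basename(sys.argv[0])) else 1)
```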

doas - add to security-misc permission hardener whitelist[edit]

  • todo
  • Superseded by sudoless mode, moved to backlog

doas - create /etc/doas.d configuration snippets[edit]

bootloader password[edit]

vm-config-dist re-installs same version[edit]

[user ~]% dpkg -l | grep vm-config
ii  vm-config-dist                                3:10.5-1                        all          usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130   upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34

Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
 /etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
 /etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
 /etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
 /etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
 /etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
 /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist

[user ~]%
  • SHA256 is OK and matches my locally built package.
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
  • The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...

# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
  • I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it; I can redo the build and check it if desired.
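A quick way to see exactly which metadata fields differ between the remote index entry and the installed entry is to parse both deb822 stanzas and diff them field by field. The following script is an added example for this page, not part of Kicksecure's tooling; the two stanzas are constructed from the values quoted above (Installed-Size 135 in the remote Packages file versus 133 in /var/lib/dpkg/status), trimmed to the fields that matter for the comparison.

```python
"""Diff the apt Packages index entry for a package against its dpkg status
entry, field by field, to find out why apt considers them different.

Added example for this page (not Kicksecure's own code). The stanzas are
constructed from the values quoted in the notes above.
"""

# Constructed sample: the remote Packages index entry (trimmed).
PACKAGES_STANZA = """\
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Installed-Size: 135
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
"""

# Constructed sample: the installed entry from /var/lib/dpkg/status (trimmed).
STATUS_STANZA = """\
Package: vm-config-dist
Status: install ok installed
Version: 3:10.5-1
Architecture: all
Installed-Size: 133
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
"""


def parse_stanza(text):
    """Parse one deb822 paragraph into a dict of field name -> value.

    Continuation lines (those starting with a space or tab) belong to the
    previous field, which is how multi-line Description fields are encoded.
    """
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        fields[last] = value.strip()
    return fields


def compare_fields(remote_text, local_text):
    """Return {field: (remote_value, local_value)} for every field that is
    present in both stanzas but carries a different value."""
    remote = parse_stanza(remote_text)
    local = parse_stanza(local_text)
    return {k: (remote[k], local[k])
            for k in remote if k in local and remote[k] != local[k]}


def one_sided_fields(remote_text, local_text):
    """Return (only_in_index, only_in_status): fields that exist on one side
    only. SHA256 is expected here, because dpkg's status file does not record
    the hash of the .deb that was installed."""
    remote = set(parse_stanza(remote_text))
    local = set(parse_stanza(local_text))
    return sorted(remote - local), sorted(local - remote)


if __name__ == "__main__":
    for field, (rv, lv) in compare_fields(PACKAGES_STANZA, STATUS_STANZA).items():
        print(f"{field}: index={rv!r} installed={lv!r}")
    idx_only, status_only = one_sided_fields(PACKAGES_STANZA, STATUS_STANZA)
    print("only in index:", idx_only, "| only in status:", status_only)
```

To run it against a real system, replace the constructed stanzas with the output of `apt-cache show` (remote) and `dpkg -s` (installed) for the package; the one-sided-field list is there so that a field such as SHA256, which is only ever present in the index, is not mistaken for a real mismatch.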

str_replace utf-8 bug

str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
  File "/usr/bin/str_replace", line 49, in <module>
    main()
  File "/usr/bin/str_replace", line 26, in main
    file_data = source_fh.read()
                ^^^^^^^^^^^^^^^^
  File "<frozen codecs>", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
  • Low-priority, could be difficult to fix.
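The traceback above comes from reading the file in text mode, so Python decodes it as UTF-8 and stops at the first byte that is not valid UTF-8 (0x8e). Reading and writing in binary mode sidesteps the decode step entirely. The script below is an added example for this page, not the str_replace tool from Kicksecure's helper-scripts; the sample file contents are constructed and place the placeholder next to a 0x8e byte to mirror the failure.

```python
"""Byte-level search and replace that does not fail on non-UTF-8 input.

Added example for this page (not Kicksecure's str_replace). The replacement
is written to a temporary file in the same directory and renamed into place,
so an interrupted write never leaves a truncated target file behind.
"""
import os
import tempfile


def replace_bytes(path, old, new):
    """Replace every occurrence of `old` with `new` in the file at `path`,
    treating the contents as raw bytes. Returns the number of replacements.
    `old` and `new` may be given as str (encoded as UTF-8) or as bytes."""
    if isinstance(old, str):
        old = old.encode("utf-8")
    if isinstance(new, str):
        new = new.encode("utf-8")
    with open(path, "rb") as fh:          # binary mode: no decoding happens
        data = fh.read()
    count = data.count(old)
    if count == 0:
        return 0
    new_data = data.replace(old, new)
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(new_data)
        os.chmod(tmp, st.st_mode & 0o7777)  # keep the original permissions
        os.replace(tmp, path)               # atomic rename over the target
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return count


def demo():
    """Constructed sample: a placeholder followed by a byte (0x8e) that is
    not valid UTF-8, the same byte reported in the traceback above.
    Returns (replacement_count, resulting_file_bytes)."""
    sample = b"To: %%replace-me-clearnet-replace-me%%\n\x8e binary tail\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    try:
        n = replace_bytes(path, "%%replace-me-clearnet-replace-me%%", "kicksecure.com")
        with open(path, "rb") as fh:
            result = fh.read()
    finally:
        os.unlink(path)
    return n, result


if __name__ == "__main__":
    count, result = demo()
    print(f"{count} replacement(s): {result!r}")
```

One caveat for the specific file in the traceback: header_checks.db is a compiled Postfix lookup table, and substituting a string of a different length inside it corrupts the table's structure even when the bytes are written cleanly. The byte-safe replace is the right fix for text files that happen to contain non-UTF-8 bytes; for a .db the substitution belongs in the source header_checks file, followed by a fresh postmap run.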

Qubes graphical-session.target missing bug

add date and time detection to archive.today frontend

  • This is necessary for the next task.
  • If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
  • (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
  • We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.

mediawiki bot setup

rootless X11

  • only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
  • Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.

power9 RAM encryption research

  • todo

auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing

dracut add support for undeclared CDLABEL

as discussed

live-build - Retry button in derivative-maker doesn't work

  • low priority, move to backlog please

live-build - remove trailing spaces

  • can be done when upstream review queue of live-build has more room

Footnotes
