ToDo for Developers

From Kicksecure
< Dev
Jump to navigation Jump to search

TODO

TODO DEV[edit]

verified boot chat[edit]

  • todo

sysmaint-panel - support change full disk encryption fde password[edit]

  • cases to consider: disk not encrypted

user-sysmaint-split - Qubes - Selective sudo Access[edit]

mouse fingerprinting[edit]

investigate Debian Rolling[edit]

  • investigate why Debian Rolling initiative failed
    • From initial research:
      • Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.htmlarchive.org iconarchive.today icon had a very large amount of positive feedback compared to other proposals
      • Limited manpower, no one appears to have tried to actually do it
      • Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
      • Likely worth trying to resurrect
  • contact people involved previously, if that makes sense
  • suggest prospective developers
  • Started to write tooling for this: https://github.com/ArrayBolt3/drkarchive.org iconarchive.today icon Very incomplete, nowhere near usable. Will keep developing this.

live mode detection improvements[edit]

  • https://github.com/Kicksecure/helper-scripts/blob/master/usr/libexec/helper-scripts/live-mode.sharchive.org iconarchive.today icon
  • Currently only based on grepping kernel command line.
  • However, a different or the wrong initramfs generator might be in use. Or some other unexpected use case.
  • Ideas on how to make live mode detection more reliable?
  • Aaron: It might be possible to rely on the mount info for the root filesystem, which can be seen by running LC_ALL='C' mount | grep ' on / '. This returns a distinctly different string for each of persistent mode, live mode, and ISO live mode.
    • PERSISTENT mode: /dev/mapper/luks-65abae64-dea9-4e54-b75f-0f545ed4a053 on / type ext4 (rw,relatime)
    • LIVE mode (dracut): overlay on / type overlay (rw,noatime,lowerdir=/live/image,upperdir=/cow/rw,workdir=/cow/work,default_permissions)
    • LIVE mode (initramfs-tools): overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work,redirect_dir=on)
    • ISO live mode: LiveOS_rootfs on / type overlay (rw,relatime,lowerdir=/run/rootfsbase,upperdir=/run/overlayfs,workdir=/run/ovlwork)
  • Based on the above, we could say "if the string starts with overlay on / type overlay, then we're in GRUB live mode. If it starts with LiveOS_rootfs, we're in ISO live mode. Otherwise, we're in persistent mode.
  • Notes:
    • LiveOS_rootfs appears to be hardcoded throughout dracut, thus I believe this is a string we can rely on to be accurate.
    • For Dracut, overlay for GRUB live mode is hardcoded in the Debian-specific 90overlay-root module and thus can likely be relied upon, see /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh.
    • For initramfs-tools, overlay for GRUB live mode is sorta hardcoded in live-boot, but not exactly, aufs is also supported and that might change the mount line. This may or may not be completely reliable.
  • Patrick:
    • Should we combine the existing kernel command line parameters based test with the new mount based test?
    • Any way for to catch also the BTRFS home folder unexpected persistence bug (live mode indicator said "live" but /home folder was actually persistent bug)? Related: ISO - btrfs versus grub-live bug - real fix

ISO - btrfs versus grub-live bug - real fix[edit]

  • todo
  • report bug upstream
  • systemd bug report: https://github.com/systemd/systemd/issues/35540archive.org iconarchive.today icon
  • fix in dracut
    • Cannot be fixed in dracut, dracut doesn't handle mounting /home. Instead opting to fix in grub-live.
    • Might use kernel parameters using systemd features that may be available in trixie?
  • since no response from systemd, needs to be fixed without systemd upstream support
  • in case a reliable, solid implementation is not easy or not possible, this should either not be implemented or needs runtime sanity tests

permission-hardener - live bug[edit]

  • got a bug report by e-mail
sudo apt install network-manager-openvpn-gnome

security-misc (3:44.4-1)  ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_
NAME: 'postinst' $\*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map
config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener
enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkpwd' failed with exit code '2'! calling functio
n name: 'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/rootfs/filesystem/usr/sbin/unix_chkp
wd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec' failed with exit code '2'! calling function name:
'commit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo' failed with exit code '2'! calling function name: 'c
ommit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/rootfs/filesystem/usr/bin/sudo
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd' failed with exit code '2'! calling function name: 'co
mmit_policy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root shadow 744 /usr/lib/live/mount/medium/usr/sbin/unix_chkpwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/pkexec' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec' failed with exit code '2'! calling function name: 'commit_pol
icy'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/pkexec
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
dpkg-statoverride: : `/usr/lib/live/mount/medium/usr/bin/sudo' 
permission-hardener: [ERROR]: Command 'dpkg-statoverride --add --update root root 744 /usr/lib/live/mount/medium/usr/bin/sudo' failed with exit code '2'! calling function name: 'commit_polic
y'
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener-v2/new_mode --add root root 744 /usr/lib/live/mount/medium/usr/bin/sudo
permission-hardener: [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
permission-hardener: [ERROR]: Exiting with non-zero exit code: '203'
/var/lib/dpkg/info/security-misc.postinst: ERROR: Permission hardening failed.
  • random guess: Could there be issues with non-latin language settings?
  • Why is it /usr/lib/live/mount/rootfs/filesystem?
  • Could it be that the user booted into live mode?
  • Maybe a case of low RAM where no further writes to RAM were possible?
  • Booting into live mode and using APT should be supported as much as feasible.
  • In case of insufficient information, could you please add debug code to provide more information in the future?
  • Unsure if further information can be requested form the reporter, but I could try.
  • Useful to add:
test -w "${file_name_from_stat}"
  • permission hardener might not be the cause of this issue. However, ideally it would show a better error message pointing out the issue.
  • Aaron: Cannot reproduce on ISO or in LIVE mode USER.
    • The /usr/lib/live/mount path suggests that the issue is the result of attempting to distribution-morph a vanilla Debian Live session. This, IMO, is not something we should support, because:
      • All changes will be lost on reboot, meaning someone who uses this in production will be downloading a lot of Kicksecure packages from our infra every time they start the system.
      • We already offer a live Kicksecure ISO.
      • None of the kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
      • And of course, permission-hardener doesn't expect anything under /usr to be read-only.
    • Would suggest adding a warning to the distribution morphing documentation that a live Debian ISO session can't be morphed, and that one should download a live Kicksecure ISO if they need a Kicksecure-enhanced live system.
  • Patrick: Done. Documented.
  • Could you please add better error handling in this case?

audio[edit]

audio generally[edit]

VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug?[edit]

live-build - test lb config --dm-verity[edit]

  • Does the ISO still function if build with lb config --dm-verity?
  • Does it break apt-get install pkg-name? It might not break it due to overlayfs.
  • Lacks live-build support when used with dracut:
    • lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
    • The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
    • dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
    • No kernel command line options are added to the ISO for verity setup

package refactoring - kicksecure-meta-packages vs qubes-whonix - #2[edit]

sudo apt dist-upgrade --no-install-recommends 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  codecrypt cython3 diceware dmeventd dosfstools extrepo fuse3 geoip-database kicksecure-cli kicksecure-default-applications-cli
  kicksecure-qubes-cli libaio1 libbytes-random-secure-perl libclone-perl libcrypt-passwdmd5-perl libcrypt-random-seed-perl
  libcrypto++8 libcryptx-perl libdevmapper-event1.02.1 libfftw3-double3 libfile-listing-perl libfuse3-3 libgeoip1 libhtml-parser-perl
  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
  libio-html-perl libio-socket-ssl-perl liblvm2cmd2.03 liblwp-mediatypes-perl liblwp-protocol-https-perl libmath-random-isaac-perl
  libnet-http-perl libnet-ssleay-perl libntfs-3g89 libsnappy1v5 libtry-tiny-perl libwww-perl libwww-robotrules-perl
  libyaml-libyaml-perl lvm2 magic-wormhole makepasswd ntfs-3g perl-openssl-defaults pwgen python3-attr python3-autobahn
  python3-automat python3-base58 python3-bcrypt python3-cbor python3-click python3-colorama python3-constantly python3-cryptography
  python3-ecdsa python3-flatbuffers python3-geoip python3-hamcrest python3-hkdf python3-humanize python3-hyperlink
  python3-incremental python3-lz4 python3-mnemonic python3-msgpack python3-nacl python3-openssl python3-packaging python3-passlib
  python3-pyasn1 python3-pyasn1-modules python3-pyqrcode python3-service-identity python3-setuptools python3-snappy
  python3-sortedcontainers python3-spake2 python3-tqdm python3-trie python3-twisted python3-txaio python3-txtorcon python3-u-msgpack
  python3-ubjson python3-ujson python3-wsaccel python3-zope.interface
  • Workstation:
sudo apt dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  qubes-core-agent-passwordless-root
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  dmeventd dosfstools firefox-esr kicksecure-cli kicksecure-desktop-applications-recommended kicksecure-qubes-cli kicksecure-qubes-gui libaio1 libdevmapper-event1.02.1 libgarcon-1-0
  libgarcon-common liblvm2cmd2.03 libntfs-3g89 libupower-glib3 libxklavier16 lvm2 ntfs-3g xfce4-helpers xfce4-settings

Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server[edit]

Kicksecure Firewall[edit]

https://forums.kicksecure.com/t/kicksecure-firewall/378/10archive.org iconarchive.today icon

Meta Packages, Kicksecure, Whonix - Desktop versus Server[edit]

https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415archive.org iconarchive.today icon

Secure Mount Options for better Security Hardening[edit]

wipe video RAM[edit]

# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
  • if doable with reasonable effort

Tor 0.4.8.9 broken in combination with vanguards[edit]

VirtualBox serial console[edit]

KVM related[edit]

KVM - 3D Graphics Acceleration - SPICE - Testing - drm[edit]

KVM - 3D Graphics Acceleration - Performance Test - Display SDL[edit]

KVM - 3D Graphics Acceleration - Performance Test - Display GDK[edit]

KVM - verify AppArmor sVirt confinement operation[edit]

KVM - use rootless[edit]

KVM - port to unix domain socket based internal networking for Whonix-Gateway to Whonix-Workstation connections[edit]

machine-id research[edit]

  • in preparation for the next task
  • please read prior discussions
  • https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goalsarchive.org iconarchive.today icon
  • https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827archive.org iconarchive.today icon
  • https://forums.whonix.org/t/anonymize-etc-machine-id/7721archive.org iconarchive.today icon
  • https://gitlab.tails.boum.org/tails/tails/-/issues/7100archive.org iconarchive.today icon
  • nowadays implemented in dist-base-files
    • ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
    • ./packages/kicksecure/dist-base-files/etc/machine-id
  • but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
  • The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
  • Calamares is designed to write the machine-id files at instalation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
    • Patrick: Please implement.
    • Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way. Whonix VMs still need these.

stackable wrappers[edit]

check out bubblejail[edit]

sandbox-app-launcher[edit]

  • sandbox-app-launcher
  • review
  • promising? worth bringing back to life, polishing?
  • at odds with apparmor.d?
  • better using bubblejail?

automated test suite - cli version[edit]

  • todo: discuss

apparmor.d review[edit]

improved server support[edit]

  • documentation
    • rebrand wiki CLI for server
  • Linux account passwords?
  • cloudinit?
  • vm-config-dist versus autologin CLI vs GUI vs server

hidepid[edit]

WAITING ON[edit]

RPi grml-debootstrap[edit]

pstore disabling - please comment[edit]

qubes boot modes - in-vm kernel support[edit]

grml-debootstrap - EFI partition size[edit]

calamares - enable GRUB force_efi_extra_removable[edit]

GRUB - Debian packages grub-pc and grub-efi co-install-ability[edit]

trixie port - misc[edit]

trixie port - GRUB_DEVICE vs dracut vs initramfs-tools[edit]

  • The following is required for initramfs-tools only:
GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
unset GRUB_DEVICE_UUID
  • grep the source code for this and move it below the following condition because it is not required by dracut:
if pkg_installed initramfs-tools ; then?

trixie port - deprecate initramfs-tools support - consider making dracut a dependency[edit]

  • todo
  • hard depend on dracut?
  • if so, must also hard depend on systemd-cryptsetup
  • do this during release-upgrade
  • related: dracut

trixie port - port to Wayland[edit]

trixie port - update derivative signing key derivative.asc[edit]

  • plan how to use a new signing key

trixie port - meta packages[edit]

calamares - make 3.3.12 available in Bookworm[edit]

  • necessary to fix bugs related to the disk encryption user interface
  • Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
    • Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
    • 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after than I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
    • 3.3.12 was uploaded but was slightly wonky, wasn't migrating, maintainer wasn't fixing the issue yet. Got a DD friend to sponsor an NMU to fix the problem, should hopefully migrate on December 22nd if all goes well. (Thanks to Simon Quigley for sponsorship!)
  • Backport 3.3.12 after it is available in Trixie
    • Backport submitted to Debian Mentors, review requested from maintainer.

ISO - GRUB - silence cosmetic errors in live ISO GRUB[edit]

  • Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
  • Investigate how to fix this, potentially make an upstream feature request or patch if needed
  • Errors include loadfont issues, Secure Boot loading issues
  • Sent email to grub-devel mailing list to investigate this

ISO - memtest86+[edit]

error: bad shim signature

test SysRq keys under LXQt Wayland[edit]

ISO - changed files issues[edit]

(annoted) 

+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker

+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
  • All of these are modified by live-build itself:
    • /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
    • /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
    • /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
    • /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
    • /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
      • Proposal for fixing this made.

ISO - Finish Module Action Follow-Up[edit]

lightdm ssdm[edit]

live-build - add mmdebstrap support[edit]

live-build - use APT with error-on-any[edit]

  • use option apt --error-on=any for all invocations of apt-get (update)
  • only needed for apt-get update, otherwise superfluous but non-issue
  • this is a security feature
  • this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
  • can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
  • Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
  • Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371archive.org iconarchive.today icon. New configuration option now used in my branch of live-build.

security-misc - investigate PAM[edit]

  • there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
  • pam has concepts of common-session-noninteractive vs common-session (non-interactive)
  • how could we on the PAM level notice if faillock is used interactively or non-interactively?
  • if non-interactive, skip faillock
  • if interactive, do not skip faillock
  • Bug reports:
  • Once we go sudoless, this will no longer be a concern except for VMs that aren't sudoless.

live-build - grub.cfg GRUB configuration - loopback.cfg[edit]

  • add https://www.supergrubdisk.org/wiki/Loopback.cfgarchive.org iconarchive.today icon compatibility (as as Debian Live ISO)
  • Requires fixes in live-build and Dracut to make work:
    • live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376archive.org iconarchive.today icon
    • dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
      • Task is on hold until we migrate to Trixie.
    • (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)

live-build - lb-binary should not run apt-get update[edit]

REVIEW PLEASE[edit]

sysmaint-panel - add grub bootloader password support[edit]

  • please review and improve
    • /usr/sbin/grub-password-status-check
    • /usr/sbin/grub-pwchange
    • systemcheck check_grub_security
    • How to set a bootloader password
    • Aaron: Reviewed all of the above, sent comments in chat. Mostly looks good and appears to work on my end.
  • add grub bootloader password support to sysmaint-panel
    • do this on the host only, not inside VMs?
    • Aaron: I don't think we need to restrict it like that - while bootloader passwords aren't theoretically useful in VMs, they might be practically useful against a low-skill adversary, and doing this would complicate development and make testing trickier.
  • Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/0271a053bfc3d1457ff11fc8889d1f088b8068c5archive.org iconarchive.today icon

research systemd-repart[edit]

RPi GRUB - contribute to Debian[edit]

add support for GRUB as bootloader for RPi

I've recently succeeded in converting an existing Debian Trixie RPi image to boot using GRUB on the RPi 4B and extensively documented how to do that. [1] I also posted about this on the debian-arm mailing list. [2]

Booting in this way has several substantial advantages over the current Raspberry Pi boot process:

* The kernel command line can be modified via /etc/default/grub and files under /etc/default/grub.d. Some software requires or benefits from such modifications and leverages this mechanism in GRUB to make non-invasive changes to the command line. With direct kernel boot, these changes are silently ignored, while with U-Boot + GRUB, they are correctly applied.
* In the event of a bad kernel update, users can easily boot into older kernels as they would on a typical desktop system.
* Recovering from a broken boot without a secondary system becomes much easier, as users can use the GRUB and U-Boot consoles to debug and manually boot the system.
* Multiboot installations on the Pi become possible.

Is this a feature for which you would welcome a merge request here, either as an option or even as the default?

Obviously, at this point, RPi GRUB support could only be added to Forky and later.

(I've also recently submitted a pull request to `grml-debootstrap` (a Debian bootable image builder tool) [3] [4] implementing "basic" RPi support.)

* [1] https://www.kicksecure.com/wiki/Dev/boot#Booting_Debian_Trixie_with_GRUB_+_u-boot_on_Raspberry_Pi_4
* [2] https://lists.debian.org/debian-arm/2025/04/msg00012.html
* [3] http://packages.debian.org/grml-debootstrap
* [4] https://github.com/grml/grml-debootstrap/pull/335

review and improve append-once[edit]

  • append-once
    • Aaron: Documentation updated to match the new implementation.
  • https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/append-oncearchive.org iconarchive.today icon
  • Had some ideas for improving performance and reliability, shared in chat.
  • use case: simplify writing to files while developing unrelated scripts (such as user-sysmaint-split)
  • please rewrite in python as suggested
  • the following tools should probably be separate tools
    • these might however have shared code inside a library if that is sensible
  • tool requirements:
    • atomic writes
    • error handling (unwriteable parent folder, unwriteable file)
  • required functionality:
    • only for already actually used use cases
  • list of tools
    • append (equivalent of: echo test >> testfile)
    • append-once
    • overwrite (equivalent of: echo test | sponge testfile)
  • unneeded functionality for now:
    • not adding a newline at the end (equivalent of: printf "test" > testfile)
    • appending the the last line of the file (without starting a newline) (equivalent of: printf test >> a)
  • Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/file-utilsarchive.org iconarchive.today icon
    • All tools implemented as a multicall executable append, with append-once and overwrite symlinks.

review and test IPv6 support pull requests[edit]

ARCHIVED

user-sysmaint-split - run updatecheck[edit]

user-sysmaint-split - show persistent vs live status[edit]

user-sysmaint-split - bug - prevent account user login in sysmaint mode[edit]

unicode - sanitize suspicious characters in informative lines[edit]

  • as discussed, avoid using repr
  • might not need done after all, see chat

grub-live - GRUB configuration not being regenerated when switching initramfs generator[edit]

  • When installing initramfs-tools on Kicksecure, grub-live-dracut is swapped out for grub-live-initramfs-tools. This seems to work for the most part, however the GRUB configuration isn't regenerated, meaning live boot is broken until the next time the user (or some other part of the system) calls update-grub.
  • This is because update-grub is only called when the master grub-live package is installed or removed. If one of grub-live-dracut or grub-live-initramfs-tools are installed or uninstalled, but the main grub-live package isn't, the GRUB configuration isn't regenerated. This is exactly what happens when switching initramfs engines usually.
  • Fix: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/initramfs-switch-fixarchive.org iconarchive.today icon

updatecheck, setup-wizard-dist - don't assume sysmaint components are present[edit]

  • Patrick working on this.
  • [DONE] updatecheck assumes sysmaint-panel is preinstalled and instructs the user to use it, even if it's not present
  • setup-wizard-dist does things similarly
  • adjust both to only show sysmaint-related information if the corresponding components are installed
    • Patrick did updatecheck, Aaron did setup-wizard-dist, so this is now solved.

RPi GRUB - notify debian-arm mailing list[edit]

user-sysmaint-split - documentation improvements - #2[edit]

  • document Qubes boot modes on Dev/user-sysmaint-split
  • document difference for user-sysmaint-split installation on Qubes R4.2 versus Qubes R4.3
  • Read through the document, fixed some errors and omissions and added the requested docs.

review - lightweight update notifications - #2[edit]

  • Implemented by Patrick. Please review.
  • [DONE] consider custom languages. Needs LC_ALL=C?
  • [DONE] notify leaprun failures
  • [DONE] consider if update_package_count is not a number?
  • [DONE] grep APT output for errors and notify?
  • [DONE] systemcheck function check_dpkg or equivalent useful? If apt/dpkg is broken due to broken packages, that does not really break apt update?
    • Not needed. DPKG is irrelevant.
  • [DONE] use systemcheck function check_package_manager_running or equivalent?
    • [DONE] if running for a "reasonable time", wait
    • [DONE] if running "forever", notify that update check is broken
  • [DONE] consider systems running for 12 or 18 hours etc:
    • [DONE] Do notifications pile up more and more? Avoidable?
    • [DONE] Can we clear prior notifications?
    • [DONE] Can stale notifications be avoided? Can we clear "update check broken" notification once "updates available" notification came in? Can we clear "updates available" once user updated?
  • Other error cases to notify?
  • Documentation:
  • [DONE] notify https://forums.kicksecure.com/t/notifications-about-new-updates/774archive.org iconarchive.today icon
  • Aaron: Reviewed, added some documentation updates, found and fixed a likely minor bug with debug output.

trailing whitespaces - please comment[edit]

enable X event buffering by default for Whonix[edit]

user-sysmaint-split - sysmaint-panel - add terminal background tinting[edit]

user-sysmaint-split - sysmaint-panel - new features[edit]

  • sysmaint-panel could be used to promote nice but lesser known functionality
  • apt-get-reset
    • should renamed to apt-get-reinstall?
    • rationale: re-installation of a package (if other packages depend on it) while restoring configuration files back to package defaults is very difficult for users. Hence, apt-get-reset has been invented.
  • dummy-dependency
    • use --purge?
    • do not yet --yes, obviously
  • Both features (and some additional software uninstallation features) implemented in https://github.com/ArrayBolt3/sysmaint-panel/commit/320f4bea7faa288b659fc20a35d3e318bf363980archive.org iconarchive.today icon
    • Patrick: Merged.

research depthcharge[edit]

Minimal Firmware combined with Linux Based Bootloader - review and improve the wiki draft[edit]

updatecheck - avoid assuming Internet access[edit]

updatecheck - send_notification_wait_exit fixes[edit]

safe-print follow-up issues[edit]

unicode - don't strip trailing whitespace[edit]

RPi GRUB - Continue Research[edit]

  • non-goal: RPi Secure Boot (due to issues documented in chapter Verified_Boot#Raspberry_Pi_RPi_Based)
  • non-goal: hiding of u-boot
  • goal: complete RPi GRUB support for the purposes of
    • being able to implement RPi GRUB support in grml-debootstrap - maybe - at a later time - depending on grml upstream feedback on RPi support
    • being able to implement the functionality in derivative-maker (in case grml upstream rejects RPI GRUB support)
    • todo items (updated by Patrick) on Dev/boot#Load_GRUB_with_u-boot
  • document raspi-firmware versus clobbering config.txt (by /etc/kernel/postinst.d or similar) and consider how an implementation later could handle this (probably by using config-package-dev hide, dpkg divert or otherwise)
  • Research done, additional notes added to Dev/boot. Likely ready to continue implementation when desirable.

investigate Raspberry Pi GRUB compatibility[edit]

unicode[edit]

user-sysmaint-split - fix live mode sysmaint[edit]

user-sysmaint-split - custom lightdm autologin configuration breaks sysmaint mode boot[edit]

sudo append-once /etc/lightdm/lightdm.conf.d/user-autologin.conf "\
[SeatDefaults]
user-session=xfce
autologin-user=user
"

privleap - better error message in case comm socket cannot be created as expected[edit]

WARNING: Account 'lightdm' is not allowed to have a comm socket
  • new feature "expected-non-user+=lightdm"
  • better:
handle_control_create_msg: INFO: Account 'lightdm' is not allowed to have a comm socket, as expected, ok.

review safe-print[edit]

leaprun - implement --check command line parameter[edit]

user-sysmaint-split - lock screen command broken[edit]

  • to debug, a terminal was started and then sysmaint-panel was started from the terminal emulator
/usr/bin/zsh
[sysmaint ~]% sysmaint-panel 
requestActivate() called for  QWidgetWindow(0x120a4600, name="BackgroundScreenWindow")  which has Qt::WindowDoesNotAcceptFocus set.
xscreensaver-command: no screensaver is running on display :0

user-sysmaint-split - sysmaint-panel - check system status button - add delay[edit]

  • systemcheck takes 2-3 seconds until user gets feedback. i pressed the button twice and then had a duplicate systemcheck.
  • please disable the button for 2-5 seconds after it has been clicked.
  • visible disable the button if the effort for that is reasonable
  • perhaps a counter that counts down 5, 4, 3, 2, 1?
  • perhaps generally should be the case for all buttons
  • Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/7e39a7df817045ba3c4bc6f7a1f64e82bba71d92archive.org iconarchive.today icon
    • This is implemented for most buttons, except for Open Terminal, Reboot, Shut Down, and Install Software. The user experience when using those doesn't warrant a timeout lock and adding a timeout lock there would probably annoy the user.
    • Visible timeout counter is present, implemented by adding a (5) at the end of each button label for the duration of the lock (where "5" will be replaced with the remaining seconds until the lock times out).
  • Patrick: Merged.

user-sysmaint-split - sysmaint-panel - install updates button confusing[edit]

user-sysmaint-split - sysmaint-panel - output formatting issue[edit]

  • shows:
/usr/bin/sudo
/usr/bin/apt
update

user-sysmaint-split - sysmaint-panel - wrong error message if logging in as wrong user[edit]

  • login with account "user" after booting into sysmaint mode
  • ignore warnings by pam-info during login screen that already advice against logging in with account "user" (because the user might miss them in the future due to PAM bugs, pam-info bugs, other login managers)
  • actual: sysmaint-panel shows error "boot into sysmaint"
  • expected: sysmaint-panel shows error "please login as account "sysmaint"
  • Fixed by implementing a new dialog: https://github.com/ArrayBolt3/sysmaint-panel/commit/b782aa512689242d2a8066a1d7a36bc0ce40fc9barchive.org iconarchive.today icon
  • Patrick: Merged.

user-admin-split - documentation improvements[edit]

  • Qubes R4.2 vs R4.3
  • Qubes uninstallation instructions (passwordless-root)
  • Qubes boot modes
  • user documentation
  • developer documentation
  • anything else missing
    • Aaron: Don't see much missing, added requested points.

autologinchange versus empty password[edit]

  • issue:
    • pwchange at time of writing does not notify if autologin is enabled
    • autologinchange at time of writing does not notify if an empty password is being set
  • the user might intend to secure their by using autologinchange and then be surprised that login without a password is still possible
  • how could setting a password and autologinchange be more connected from a usability point of view?
  • should one tool at the end of its execution recommend the other, if that seems applicable?
    • applicable?
      • when disabling autologin, suggest to user to set a password, if password is currently empty.
      • when setting a password, suggest to user to disable autologin, if autologin is currently enabled.
    • use colorful background to notify user of this potential discrepancy?
  • or suggest or autorun systemcheck login security check only after such changes to make it obvious?
  • Implemented: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/pwchange-autologinchange-linkarchive.org iconarchive.today icon
    • Went with the strategy of having each tool warn if things are insecure when the user is doing hardening (i.e. warn about autologin when adding a password, or warn about empty password when disabling autologin)
    • Patrick: Merged.

lightweight update notifications[edit]

  • Qubes vs non-Qubes:
    • should not conflict with Qubes internal updater (multiple APT background processes blocking each other) - do this only inside Non-Qubes?
    • on the other hand, systemcheck contains many tests that are useful inside Qubes as well
    • Qubes developers do not wish the user to see a lot duplicate passive popups, active progress bars and active popups
      • Aaron: Qubes already shows upgrade notifications for VMs, so I would say this feature should not be added to Kicksecure or Whonix under Qubes OS. It's redundant and potentially conflicting.
  • non-Qubes: GUI vs CLI?
    • GUI: Implement this for the GUI version only?
    • CLI: msgcollector supports writing to tty1 even for daemons (systemcheck) started in the background but this is probably confusing and disruptive. (Was default in the past.)
      • Aaron: Agreed, should be a GUI-only feature. CLI users can just run apt commands manually easily enough.
  • as a stopgap until one day Dev/Automatic Updates gets implemented
  • re-use systemcheck for this? Could consider to re-enable autostart of systemcheck by default as it contains already lots of tests. "systemcheck --gui" currently shows:
INFO: Kicksecure APT Repository: Enabled. When the Kicksecure team releases BOOKWORM-DEVELOPERS updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.kicksecure.com/wiki/Trust to understand the risk. If you want to change this, use: 
dom0 -> Start Menu -> Template: kicksecure-bookworm -> Derivative Repository

WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated. 
Please update your 'kicksecure-bookworm' TemplateVM. 
1. Open a TemplateVM terminal. (dom0 -> Start Menu -> Template: kicksecure-bookworm -> Terminal) 
2. Update. 
upgrade-nonroot
3. Shutdown your TemplateVM. (dom0 -> Qubes VM Manager -> right click 'kicksecure-bookworm' -> Shutdown VM) 
4. Shutdown and restart this TemplateBased AppVM. (dom0 -> Qubes VM Manager -> right click 'work-main' -> Shutdown VM)
  • The first "INFO: Kicksecure APT Repository" might be too noisy and could easily be disabled in GUI output by default.
  • git history contains /usr/libexec/systemcheckdaemon
    • Aaron: systemcheck shows a lot of info about multiple components, much of which a user may skip over or be tempted to skip over. I would prefer implementing this in such a way that a typical desktop notification (such as what notify-send can produce) is shown to the user when there are updates.
    • Patrick:
      • It's possible to run select functions only, for example: systemcheck --verbose --function check_operating_system.
      • Other functions might be useful as well such as check_package_manager_running and check_dpkg.
  • Aaron: Implemented initial version of update notifications using a user-side daemon.

user-sysmaint-split - add screen lock button[edit]

GRUB - boot related enhancements[edit]

  • Are there any other boot related enhancements outstanding? If so, please create tickets for these.

grml-debootstrap - downstream handling grub-cloud versus /etc/default/grub[edit]

  • After/if https://github.com/grml/grml-debootstrap/pull/299archive.org iconarchive.today icon gets merged...
  • config-package-dev displace /etc/default/grub? Avoid "fighting" for configuration file ownership by moving the file out of the way.
  • Generate a configuration file using do_once. Probably not owned by any package.
  • Ship a default /etc/default/grub configuration file:
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /etc/default/grub.d/50_user.cfg
##
## User documentation:
## https://www.kicksecure.com/wiki/grub
  • minor comment on link: https://www.kicksecure.com/wiki/grub (lower case) vs https://www.kicksecure.com/wiki/Grub (normal case) is OK. Preferring lower case for simplicity thanks to MediaWiki extension SaneCase.
  • Implemented for the most part in (broken link), though the comment at the top was not added yet because no other method of image generation we do adds that link and we cannot safely divert and replace this file. Details explained in chat.
  • Patrick: Pending discussion.
  • Aaron: Tried implementing again after discussion, attempt 2: https://github.com/ArrayBolt3/derivative-maker/commit/6b4e1a38345b69ae9c7e2b3212d7d0488cbd8b60archive.org iconarchive.today icon
  • Patrick: Merged.
  • Patrick: Re-opened.
    • mount image in step build-steps.d/3200_create-raw-image was broken. (file name base_image vs full image filename)
      • Re-factored and moved to 3500_install-packages
    • grub-cloud sets: GRUB_TERMINAL_OUTPUT="gfxterm serial"
    • bug: we used to unset: GRUB_TERMINAL=""
    • Fixed.
    • developer documentation: /etc/default/grub.d/20_dist-base-files.cfg
    • Please review.
      • Aaron: Reviewed implementation and documentation, looks good to me.

reopen:

Patrick:

  • PR seems not needed. See chat.
    • Aaron: Replied in chat, PR seems needed to me, some confusion may be happening with different versions of grub-cloud.
      • Patrick: Merged.

GRUB - lightweight document ISO GRUB[edit]

user-sysmaint-split - qubes - features-request bug[edit]

  • Whonix-Gateway Template and Kicksecure error message during upgrade from developers repository
Setting up dist-base-files (3:12.8-1) ...
Processing triggers for qubes-core-agent (4.2.41-1+deb12u1) ...
Traceback (most recent call last):
  File "/usr/bin/qvm-features-request", line 111, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/bin/qvm-features-request", line 102, in main
    subprocess.check_call(
  File "/usr/lib/python3.11/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['qrexec-client-vm', 'dom0', 'qubes.FeaturesRequest']' returned non-zero exit status 1.
Processing triggers for security-misc (3:44.4-1) ...

user-sysmaint-split - qubes - qrexec refactoring[edit]

        new file:   usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateDownload
        new file:   usr/share/user-sysmaint-split/qubes/qubes-rpc/qubes.TemplateSearch
        new file:   usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Filecopy
        new file:   usr/share/user-sysmaint-split/qubes/rpc-config/qubes.Gpg

user-sysmaint-split - qubes - autologin message during upgrade[edit]

Setting up user-sysmaint-split (3:4.0-1) ...
GUI autologin is not applicable to Qubes OS.

user-sysmaint-split - systemcheck - autologin check message and documentation[edit]

  • systemcheck recommends the sysmaint wiki page - not applicable for users that upgraded and that are not (yet or not anymore) using user-sysmaint-split
  • also related: Protection against Physical Attacks
  • please modify the wiki for better usability of this part. A wiki page is needed which explains at a glance, links users to more detailed sections.
    • Aaron: Modified the Login, Post Install Advice, and Desktop wiki pages to move all login security related documentation into the Login page. Also added additional information about login security in general to the top of the login wiki page to provide good "at a glance" instructions. Also wrote a wiki page for the System Maintenance Panel itself so it could be referenced by other pages.
  • systemcheck recommends sysmaint-panel - while not yet installed by default. Simplest solution would be to install it by default as it won't create issues for users not using user-sysmaint-split?
  • systemcheck should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? or skip login security check inside VMs?
    • Aaron: I think this might be overcrowding the systemcheck output a bit. We currently don't express an opinion on whether the autologin or password protection status for each account is a problem in systemcheck itself, we only hint at it via colors. To me, this feels like the right approach since only the end user will know for sure what is secure for them. I think the login security check is still valuable in VMs though, as some users might have a legitimate reason to password-protect a VM (for instance, in a kiosk-like setup perhaps).
  • documentation should point out that password / autologin inside VM is not "as important" (needs consideration when this is useful at all) as on the host? A lot users getting bothered with passwords and login prompts inside VMs if it does not benefit their threat model would be a usability degradation.
    • Aaron: Agreed, this seems like a good place to put this kind of documentation. Added to the Login wiki page.

older[edit]

Dev/todo/archived

backlog - one day[edit]

apt-get - implement --restrict-install-recommends proof of concept[edit]

  • todo

Debian Installer Verification[edit]

  • after live-build review queue made progress maybe

Qubes doas ticket[edit]

Qubes umask ticket[edit]

investigate porting from sudo to doas[edit]

doas - send pull requests to Qubes[edit]

  • Qubes doas ticket might be unlikely to get rejected. But replies could take a while.
  • Please send a pull requests. Since it is only 2 packages, 3 files the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask

qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
  • Superceded by sudoless mode, moved to backlog

create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator[edit]

  • parse /usr/local/etc/doas.d
  • parse /etc/doas.d
  • parse only configuration files ending with .conf
  • do not overwrite a file that does not contain our auto generated configuration file (could be user custom file)
    • echo a warning in that case
  • atomic, create variable then use sponge
  • add to security-misc
  • add a dpkg trigger
  • /etc/doas.conf would require a header pointing out it is auto-generated.
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf

## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
  • Superceded by sudoless mode, moved to backlog

doas - add to security-misc permission hardener whitelist[edit]

  • todo
  • Superceded by sudoless mode, moved to backlog

doas - create /etc/doas.d configuration snippets[edit]

bootloader password[edit]

vm-config-dist re-installs same version[edit]

[user ~]% dpkg -l | grep vm-config
ii  vm-config-dist                                3:10.5-1                        all          usability enhancements inside virtual machines
[user ~]% upgrade-nonroot 
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]                                                                                                          
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]                         
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]                            
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]                                     
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]                                          
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]     
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]                    
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]    
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]      
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]                                                                                           
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]                                                                                                       
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]                                                                                                  
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]                                                                                                     
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]                                                                                           
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]                                                                                 
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]                                                                                             
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]                                                                                                     
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]                                                                                                  
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]                                                                                        
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]                                                                                                
Fetched 9891 kB in 8s (1227 kB/s)                                                                                                                                                            
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130   upgrade-nonroot

[user ~]% apt-cache show vm-config-dist 
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34

Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
 /etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
 /etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
 /etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
 /etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
 /etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
 /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
 Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
 "Automatic fallback to softwarecontext renderer".
 .
 It is not useful to open a screensaver or to power down the desktop for
 operating systems that are run inside VMs. There is no real display that could
 be saved and no real power that could be saved. From usability perspective it
 also is counter intuitive when looking at the VM window and only seeing a
 black screen. Therefore it makes sense to disable power savings in VMs.
 `/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
 `/etc/profile.d/20_power_savings_disable_in_vms.sh`
 `/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
 `/usr/share/kde-power-savings-disable-in-vms/kdedrc`
 `/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
 .
 Disables screen locker when running in VMs because that is not useful either.
 .
 Makes setting up a shared folder for virtual machines a bit easier.
 .
  * Creates a folder `/mnt/shared` with `chmod 777`, adds a group
 "vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
 shared folders.
 .
  * Helps using shared folders with VirtualBox and KVM a bit
 easier (as in requiring fewer manual steps from the user).
 .
  * `/lib/systemd/system/mnt-shared-vbox.service`
  * `/lib/systemd/system/mnt-shared-kvm.service`
 .
 Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
 Workaround for low screen resolution 1024x768 at first boot. When using lower
 screen resolutions, Xfce will automatically scale down.
 `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
 .
 Installs VirtualBox guest additions if package
 `virtualbox-guest-additions-iso` is installed if environment variable
 `dist_build_virtualbox=true` or if running inside VirtualBox.
 (`systemd-detect-virt` returning `oracle`)
 `/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist

[user ~]%
  • SHA256 is OK and matches my locally built package.
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a  ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
  • The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-packagearchive.org iconarchive.today icon. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...

# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
  • I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it, I can do redo the build and check it if desired.

str_replace utf-8 bug[edit]

str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db

Traceback (most recent call last):
  File "/usr/bin/str_replace", line 49, in <module>
    main()
  File "/usr/bin/str_replace", line 26, in main
    file_data = source_fh.read()
                ^^^^^^^^^^^^^^^^
  File "<frozen codecs>", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
  • Low-priority, could be difficult to fix.

Qubes graphical-session.target missing bug[edit]

add date and time detection to archive.today frontend[edit]

  • This is necessary for the next task.
  • If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
  • (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
  • We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.

mediawiki bot setup[edit]

rootless X11[edit]

  • only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
  • Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.

power9 RAM encryption research[edit]

  • todo

auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing[edit]

dracut add support for undeclared CDLABEL[edit]

as discussed

live-build - Retry button in derivative-maker doesn't work[edit]

  • low priority, move to backlog please

live-build - remove trailing spaces[edit]

  • can be done when upstream review queue of live-build has more room

Footnotes[edit]

Notification image
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Dev/todo&oldid=93782"