clean up whonix templates

[mfc]

I don't know if this has already been tackled @adrelanos, but in the currently deployed Whonix templates there are still some hold-overs from its VirtualBox version. A couple of examples:

• whonix-gw should have drastically reduced number of default apps installed (i.e. no Iceweasel, etc)
• whonix-gw and whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.
• clean up menu list, lots of redundant/unnecessary default listings (Whonix feature blog, Whonix important blog, donate page, contribute page, Help, documentation online, IRC channel, developer mailing list, etc). that should all be content in Help (for example), and the rest of the listings should be actual apps.

Anything else that still needs to be tackled to get Whonix templates to feel at home in Qubes from a user perspective?

[adrelanos]

Michael Carbone:

• whonix-gw should have drastically reduced number of default apps installed (i.e. no Iceweasel, etc)

This is done in Whonix 12.

There now is a Whonix 12 RC btw:
#1376

• whonix-gw and whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

• clean up menu list, lots of redundant/unnecessary default listings (Whonix feature blog, Whonix important blog, donate page, contribute page, Help, documentation online, IRC channel, developer mailing list, etc). that should all be content in Help (for example), and the rest of the listings should be actual apps.

This is done in Whonix 12.

[adrelanos]

Michael Carbone:

• whonix-gw should have drastically reduced number of default apps installed (i.e. no Iceweasel, etc)

This is done in Whonix 12.

There now is a Whonix 12 RC btw:
#1376

• whonix-gw and whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

• clean up menu list, lots of redundant/unnecessary default listings (Whonix feature blog, Whonix important blog, donate page, contribute page, Help, documentation online, IRC channel, developer mailing list, etc). that should all be content in Help (for example), and the rest of the listings should be actual apps.

This is done in Whonix 12.

[mfc]

cool, glad to hear re: whonix 12 RC.

• whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

great.

[mfc]

cool, glad to hear re: whonix 12 RC.

• whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

great.

[adrelanos]

whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

great.

Created https://phabricator.whonix.org/T428 for it.

[adrelanos]

whonix-ws should not have the language around default username and password in the terminal, since Qubes doesn't respect sudo magic.

Can do for Whonix 13.

great.

Created https://phabricator.whonix.org/T428 for it.

[adrelanos]

• clean up menu list, lots of redundant/unnecessary default listings (Whonix feature blog, Whonix important blog, donate page, contribute page, Help, documentation online, IRC channel, developer mailing list, etc). that should all be content in Help (for example), and the rest of the listings should be actual apps.

This is done in Whonix 12.

Note: the menu list will only be improved for newly installed versions. Existing users who update won't see it. This is by Qubes. As far I know, Qubes doesn't remove default whitelisted Qubes menu entries if those are removed in a newer template. If you want such a feature (could be difficult), please report a bug [or feature request?] against Qubes.

[adrelanos]

• clean up menu list, lots of redundant/unnecessary default listings (Whonix feature blog, Whonix important blog, donate page, contribute page, Help, documentation online, IRC channel, developer mailing list, etc). that should all be content in Help (for example), and the rest of the listings should be actual apps.

This is done in Whonix 12.

Note: the menu list will only be improved for newly installed versions. Existing users who update won't see it. This is by Qubes. As far I know, Qubes doesn't remove default whitelisted Qubes menu entries if those are removed in a newer template. If you want such a feature (could be difficult), please report a bug [or feature request?] against Qubes.

[adrelanos]

Anything else that still needs to be tackled to get Whonix templates to feel at home in Qubes from a user perspective?

Maybe not so important from a user perspective, but would reduce the size of the images:
rework / reduce installed packages in Qubes-Whonix

[adrelanos]

Anything else that still needs to be tackled to get Whonix templates to feel at home in Qubes from a user perspective?

Maybe not so important from a user perspective, but would reduce the size of the images:
rework / reduce installed packages in Qubes-Whonix

[adrelanos]

This should be all here. If there is something else, you can always create tickets against the Whonix tracker.

Please close. (And also feel free to re-open if I am a bit too eager. :)

[adrelanos]

This should be all here. If there is something else, you can always create tickets against the Whonix tracker.

Please close. (And also feel free to re-open if I am a bit too eager. :)

[adrelanos]

@marmarek #1411 (comment):

And probably in-pace Whonix upgrade will not
remove any application (#1397), right? Maybe some apt-get autoremove
will do the trick?

apt-get autoremove won't do the trick. (Examples include iceweasel installed on Whonix-Gateway.)

These packages weren't by Qubes Builder using apt-get install pkg-name as part of Qubes default packages.

For example by packages_jessie_standard.list.

So from dpkg perspective, those are set to manually installed. They are not part of a dependency of some other package, only then autoremove could work. So getting rid of them from an older template is very difficult. Those are no longer installed in new templates Whonix 12 RC an above.

Currently for the interested ones, there are these instructions for getting rid of them in older templates:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11#Qubes-Whonix-Gateway_purge_unneeded_packages

I don't think it would be worth investing a lot effort (inventing some script to clean old templates), since it's only related to disk space, not security.

[adrelanos]

@marmarek #1411 (comment):

And probably in-pace Whonix upgrade will not
remove any application (#1397), right? Maybe some apt-get autoremove
will do the trick?

apt-get autoremove won't do the trick. (Examples include iceweasel installed on Whonix-Gateway.)

These packages weren't by Qubes Builder using apt-get install pkg-name as part of Qubes default packages.

For example by packages_jessie_standard.list.

So from dpkg perspective, those are set to manually installed. They are not part of a dependency of some other package, only then autoremove could work. So getting rid of them from an older template is very difficult. Those are no longer installed in new templates Whonix 12 RC an above.

Currently for the interested ones, there are these instructions for getting rid of them in older templates:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11#Qubes-Whonix-Gateway_purge_unneeded_packages

I don't think it would be worth investing a lot effort (inventing some script to clean old templates), since it's only related to disk space, not security.

[marmarek]

On Thu, Nov 12, 2015 at 11:27:06AM -0800, Patrick Schleizer wrote:

I don't think it would be worth investing a lot effort (inventing some script to clean old templates), since it's only related to disk space, not security.

And probably some UX because of appmenus for them. But agreed - IMHO not
worth the effort.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Thu, Nov 12, 2015 at 11:27:06AM -0800, Patrick Schleizer wrote:

I don't think it would be worth investing a lot effort (inventing some script to clean old templates), since it's only related to disk space, not security.

And probably some UX because of appmenus for them. But agreed - IMHO not
worth the effort.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[mfc]

Currently for the interested ones, there are these instructions for getting rid of them in older templates:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11#Qubes-Whonix-Gateway_purge_unneeded_packages

also vlc and wireshark shouldn't be installed by default in whonix-gw. if you haven't yet, you should probably list all the packages installed in whonix-gw and then confirm they are actually meant to be installed there vs in the workstation. While wireshark may be useful for power users (and they can later install it there if they want it), there is no reason for vlc to be installed in the whonix-gw. This will probably also help reduce your template sizes.

[mfc]

Currently for the interested ones, there are these instructions for getting rid of them in older templates:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11#Qubes-Whonix-Gateway_purge_unneeded_packages

also vlc and wireshark shouldn't be installed by default in whonix-gw. if you haven't yet, you should probably list all the packages installed in whonix-gw and then confirm they are actually meant to be installed there vs in the workstation. While wireshark may be useful for power users (and they can later install it there if they want it), there is no reason for vlc to be installed in the whonix-gw. This will probably also help reduce your template sizes.

[adrelanos]

wireshark is no longer installed by default in Whonix 12.

---

vlc is a more difficult case. It's not installed intentionally on the gateway. It's a chain of of dependencies.

• anon-shared-desktop-kde Depends:
• kde-baseapps-bin Depends:
• kde-runtime Depends:
• phonon Depends:
• phonon-backend-vlc Depends:
• vlc-nox, vlc-plugin-pulse, libvlc5 (>= 2.2.0~pre1), libvlccore8 (>= 2.0.0) Depends:
• vlc-plugin-pulse Depends:
• vlc

We might get rid of it in Whonix 13 as part of https://phabricator.whonix.org/T429.

---

Since Whonix 12, the package list is under tight control now. All packages are installed with --no-install-recommends and Qubes flavor minimal. How I always supposed Whonix to be build. The initial Whonix port to Qubes didn't have this.

[adrelanos]

wireshark is no longer installed by default in Whonix 12.

---

vlc is a more difficult case. It's not installed intentionally on the gateway. It's a chain of of dependencies.

• anon-shared-desktop-kde Depends:
• kde-baseapps-bin Depends:
• kde-runtime Depends:
• phonon Depends:
• phonon-backend-vlc Depends:
• vlc-nox, vlc-plugin-pulse, libvlc5 (>= 2.2.0~pre1), libvlccore8 (>= 2.0.0) Depends:
• vlc-plugin-pulse Depends:
• vlc

We might get rid of it in Whonix 13 as part of https://phabricator.whonix.org/T429.

---

Since Whonix 12, the package list is under tight control now. All packages are installed with --no-install-recommends and Qubes flavor minimal. How I always supposed Whonix to be build. The initial Whonix port to Qubes didn't have this.

[mfc]

Since Whonix 12, the package list is under tight control now.

Awesome, great to hear!

anon-shared-desktop-kde

is there a need for minimum KDE desktop for whonix-gw, given that dom0 provides the desktop environment? the Debian template does not have the vlc dependency.

[mfc]

Since Whonix 12, the package list is under tight control now.

Awesome, great to hear!

anon-shared-desktop-kde

is there a need for minimum KDE desktop for whonix-gw, given that dom0 provides the desktop environment? the Debian template does not have the vlc dependency.

[adrelanos]

Michael Carbone:

anon-shared-desktop-kde
is there a need for minimum KDE desktop for whonix-gw, given that dom0 provides the desktop environment? the Debian template does not have the vlc dependency.

Probably not. To be researched and likely fixed for Whonix 13 as part of
https://phabricator.whonix.org/T429.

[adrelanos]

Michael Carbone:

anon-shared-desktop-kde
is there a need for minimum KDE desktop for whonix-gw, given that dom0 provides the desktop environment? the Debian template does not have the vlc dependency.

Probably not. To be researched and likely fixed for Whonix 13 as part of
https://phabricator.whonix.org/T429.

[adrelanos]

For completeness sake. Here is another task, that would reduce image size. A difficult one...
have Qubes Builder build Whonix packages so build dependencies do not get installed inside the template:
https://phabricator.whonix.org/T438

[adrelanos]

For completeness sake. Here is another task, that would reduce image size. A difficult one...
have Qubes Builder build Whonix packages so build dependencies do not get installed inside the template:
https://phabricator.whonix.org/T438