The problem you're addressing (if any)
We continue to run into cases where non-minimal templates lack basic user functionality (PDF reader, image viewer) which is included in the desktop installation of the guest OS itself but is not in the Qubes guest OS template.
For example, default desktop Gnome on Debian 10 comes with
I would like it to be clear what we are basing our OS templates on. When we say "We try to respect each distro’s culture", what are we choosing from that distro to present as the default?
for Debian, is it:
Describe the solution you'd like
For each guest OS template, clear documentation on what we base each guest OS template on.
Where is the value to a user, and who might that user be?
For non-minimal templates, providing the same initial functionality to the user as they expect in the OS the template is based on is our policy.
Relevant documentation you've consulted
Related, non-duplicate issues
this issue is me again trying to approach the same topic of #1781 from another direction, as it continues to be a usability problem with Qubes.
Right now we base on "standard" task. It may be indeed a good idea to switch to
okay great that is good to know. yeah agreed that I think our target should be
my preference (and the easiest solution) is to abandon goal of fitting on DVD. I would be interested in others' thoughts.
should we email
I would also be interested in understanding if it would be possible for Whonix not to ship as images, but instead could be built by the system based on the Debian 10 template if selected by user. probably would take a while. or if there doesn't need to be Whonix images at all, but instead just the latest Debian and some salt stack to configure the qubes to be used as Whonix qubes in the proper way. definitely sounds like something for further down the road tho.
The main reason for including Whonix, is to allow single-file download bootstrapping Tor communication. It's much easier to download just one file (or maybe get it sent some other means) in restricted environment, than connecting your system to clearnet first to bootstrap other parts online. Main concern here is triggering some red flags while bootstrapping Tor/Whonix over clearnet.
Building Whonix on top of Debian locally would be doable; as you said, it would take a significant amount of time. Setting up automation for that also would take some time (both actual installation, and preparing installation packages set to be included on DVD).
Providing different installers (a "minimal" version that fits on a DVD, a "full" version that includes everything, and maybe others in between) would be ideal from a user's perspective, but the time required to implement and maintain this might be better spent elsewhere.
I'm leaning toward "abandon the goal of fitting on DVD" for a few reasons:
This issue came up with the 3.2.1 ISO, and a few users weighed in here:
yeah there is mentioned the argument of a minimal ISO that is just fedora and whonix (without debian), which makes more sense from a bootstrap perspective. I would say that is a good target if there is capacity/interest in a minimal ISO.
that is a nice overview of reasons, and I think a strong argument to abandon "single-layer DVD" ISO goal -- we don't even need to say we are abandoning fitting on a DVD, just on a single-layer DVD.
Possible in theory even with network disabled.
This was implemented and now used in the wild. Whonix reported to be running on POWER9 using distro-morphing. References:
Instead of a remote, online repository the Qubes installer could use a local, offline repository with Whonix packages. But indeed. Setting up automation for that would be quite some work.
Tor Browser will be haunting me until the end of days. That indeed is the only exception. Options:
Don't let the Tor Browser download issue block any progress on this one. [B] seems doable. I could do that part if the approach in this ticket "create Whonix using local repository during Qubes installation" is being worked on.
 /usr/bin/torbrowser (by Whonix developers) would prompt to install after Tor Browser start in VM.
 Tor Browser download during tb-updater package installation can fail open since that should not break the package manager during a system upgrade. It just fails closed during template build since we want to ensure it is really installed by default.
 tb-updater / update-torbrowser script by Whonix developers
 That's really problematic anyhow.
 And signature for easier review.
 I've been contemplating that for a while now anyhow.