Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify process for packages included in OS templates #5367

Open
mfc opened this issue Oct 2, 2019 · 11 comments

Comments

@mfc
Copy link
Member

@mfc mfc commented Oct 2, 2019

The problem you're addressing (if any)

We continue to run into cases where non-minimal templates lack basic user functionality (PDF reader, image viewer) which is included in the desktop installation of the guest OS itself but is not in the Qubes guest OS template.

For example, default desktop Gnome on Debian 10 comes with gnome-core, which includes basic applications like evince, eog... these are not included in the current Qubes Debian 10 template.

I would like it to be clear what are we basing our OS templates on. When we say "We try to respect each distro’s culture", what are we choosing from that distro to present as the default?

for Debian, is it:

Describe the solution you'd like

For each guest OS template, clear documentation on what we base each guest OS template on.

Where is the value to a user, and who might that user be?

For non-minimal templates, providing the same initial functionality to the user as they expect in the OS the template is based on is our policy.

Relevant documentation you've consulted

https://www.qubes-os.org/faq/#what-is-qubes-attitude-toward-changing-guest-distros

Related, non-duplicate issues

this issue is me again trying to approach the same topic of #1781 from another direction, as it continues to be a usability problem with Qubes.

@marmarek

This comment has been minimized.

Copy link
Member

@marmarek marmarek commented Oct 2, 2019

Right now we base on "standard" task. It may be indeed a good idea to switch to desktop task, as indeed standard is minimal.
One challenge to overcome is installation media size. We're on the edge of DVD size. There are few options:

  • abandon the goal of fitting on DVD
  • reduce number of templates on the DVD (currently: Fedora, Debian, 2xWhonix)
  • split into two images: both above points
@mfc

This comment has been minimized.

Copy link
Member Author

@mfc mfc commented Oct 2, 2019

Right now we base on "standard" task. It may be indeed a good idea to switch to desktop task, as indeed standard is minimal.

okay great that is good to know. yeah agreed that I think our target should be desktop.

One challenge to overcome is installation media size.

my preference (and the easiest solution) is to abandon goal of fitting on DVD. I would be interested in others' thoughts.

should we email qubes-users and ask who uses DVDs to install? I would imagine some very small but vocal minority. but maybe they can use write-protected USB instead (if they use DVD for some security purpose). maybe that small minority could maintain a very minimal image with just one initial template?

I would also be interested in understanding if it would be possible for Whonix not to ship as images, but instead could be built by the system based on the Debian 10 template if selected by user. probably would take a while. or if there doesn't need to be Whonix images at all, but instead just the latest Debian and some salt stack to configure the qubes to be used as Whonix qubes in the proper way. definitely sounds like something for further down the road tho.

@marmarek

This comment has been minimized.

Copy link
Member

@marmarek marmarek commented Oct 2, 2019

I would also be interested in understanding if it would be possible for Whonix not to ship as images, but instead could be built by the system based on the Debian 10 template if selected by user. probably would take a while. or if there doesn't need to be Whonix images at all, but instead just the latest Debian and some salt stack to configure the qubes to be used as Whonix qubes in the proper way. definitely sounds like something for further down the road tho.

The main reason for including Whonix, is to allow single-file download bootstrapping Tor communication. It's much easier to download just one file (or maybe get it sent some other means) in restricted environment, than connecting your system to clearnet first to bootstrap other parts online. Main concern here is triggering some red flags while bootstrapping Tor/Whonix over clearnet.

Building Whonix on top of Debian locally would be doable, as as you said, it would take significant amount of time. Setting up automation for that also would take some time (both actual installation, and preparing installation packages set to be included on DVD).

@mfc

This comment has been minimized.

Copy link
Member Author

@mfc mfc commented Oct 2, 2019

good point, the bootstrap argument is very strong

@andrewdavidwong

This comment has been minimized.

Copy link
Member

@andrewdavidwong andrewdavidwong commented Oct 3, 2019

the bootstrap argument is very strong

Agreed.

split into two images

Providing different installers (a "minimal" version that fits on a DVD, a "full" version that includes everything, and maybe others in between) would be ideal from a user's perspective, but the time required to implement and maintain this might be better spent elsewhere.

I'm leaning toward "abandon the goal of fitting on DVD" for a few reasons:

  • The capacity of a single-layer DVD remains fixed as technology progresses. It's not realistic to expect things to fit on DVDs forever, just as it wasn't realistic to expect things to fit on CDs forever. We migrated from CDs to DVDs. Why not from DVDs to Blu-rays? Sure, Blu-rays are more expensive, but new Qubes releases don't come out that often.
  • There are also dual-layer DVDs.
  • There are also USB drives with write-protect switches and firmware that is either non-rewritable or cryptographically-signed.

Related: https://www.qubes-os.org/doc/install-security/#choosing-an-installation-medium

This issue came up with the 3.2.1 ISO, and a few users weighed in here:
https://groups.google.com/d/topic/qubes-devel/PCkVcOqdIbc/discussion

@mfc

This comment has been minimized.

Copy link
Member Author

@mfc mfc commented Oct 4, 2019

This issue came up with the 3.2.1 ISO, and a few users weighed in here:
https://groups.google.com/d/topic/qubes-devel/PCkVcOqdIbc/discussion

yeah there is mentioned the argument of a minimal ISO that is just fedora and whonix (without debian), which makes more sense from a bootstrap perspective. I would say that is a good target if there is capacity/interest in a minimal ISO.

I'm leaning toward "abandon the goal of fitting on DVD" for a few reasons:

  • The capacity of a single-layer DVD remains fixed as technology progresses. It's not realistic to expect things to fit on DVDs forever, just as it wasn't realistic to expect things to fit on CDs forever. We migrated from CDs to DVDs. Why not from DVDs to Blu-rays? Sure, Blu-rays are more expensive, but new Qubes releases don't come out that often.
  • There are also dual-layer DVDs.
  • There are also USB drives with write-protect switches and firmware that is either non-rewritable or cryptographically-signed.

that is a nice overview of reasons, and I think a strong argument to abandon "single-layer DVD" ISO goal -- we don't even need to say we are abandoning fitting on a DVD, just on a single-layer DVD.

@DemiMarie

This comment has been minimized.

Copy link

@DemiMarie DemiMarie commented Oct 10, 2019

Another option is to package the minimal templates by default, but offer to fetch the more full-featured ones from the network during the install process.

@marmarek

This comment has been minimized.

Copy link
Member

@marmarek marmarek commented Oct 10, 2019

I prefer to keep the network disabled during installation, as sys-net and related isolation is not in place yet. It could be done after first boot, but we'll need separate GUI for that. GUI for installing extra templates would be useful anyway.

@adrelanos

This comment has been minimized.

Copy link
Member

@adrelanos adrelanos commented Oct 28, 2019

@mfc

I would also be interested in understanding if it would be possible for Whonix not to ship as images, but instead could be built by the system based on the Debian 10 template if selected by user.

@marmarek

The main reason for including Whonix, is to allow single-file download bootstrapping Tor communication. It's much easier to download just one file (or maybe get it sent some other means) in restricted environment, than connecting your system to clearnet first to bootstrap other parts online. Main concern here is triggering some red flags while bootstrapping Tor/Whonix over clearnet.

Building Whonix on top of Debian locally would be doable, as as you said, it would take significant amount of time. Setting up automation for that also would take some time (both actual installation, and preparing installation packages set to be included on DVD).

@marmarek

I prefer to keep the network disabled during installation,

Possible in theory even with network disabled.

Quote https://www.whonix.org/wiki/Dev/Installation_from_Repository

An installation of Debian can be transformed into Whonix ™ or Kicksecure ™. Also known as proverbial "sudo apt-get install whonix". This is also called distro-morphing.

This was implemented and now used in the wild. Whonix reported to be running on POWER9 using distro-morphing. References:

Instead of a remote, online repository the Qubes installer could use a local, offline repository with Whonix packages. But indeed. Setting up automation for that would be quite some work.

@marmarek

This comment has been minimized.

Copy link
Member

@marmarek marmarek commented Oct 29, 2019

Instead of a remote, online repository the Qubes installer could use a local, offline repository with Whonix packages.

Is it fully true? How TorBrowser is downloaded?

@adrelanos

This comment has been minimized.

Copy link
Member

@adrelanos adrelanos commented Oct 29, 2019

Tor Browser will be haunting me until the end of days. That indeed is the only exception. Options:

  • [A] Either skip installation of Tor Browser. [1] [2] Or,

  • [B] Give up on the download, verify Tor Browser archive through a script approach. [3] [4] Put the binary archive [5] into a package. [6]

Don't let the Tor Browser download issue block any progress on this one. [B] seems doable. I could do that part if the approach in this ticket "create Whonix using local repository during Qubes installed" is being worked on.


Footnotes:

[1] /usr/bin/torbrowser (by Whonix developers) would prompt to install after Tor Browser start in VM.

[2] Tor Browser download during tb-updater package installation can fail open since that should not break the package manager during a system upgrade. It just fails closed during template build since we want to ensure it is really installed by default.

[3] tb-updater / update-torbrowser script by Whonix developers

[4] That's really problematic anyhow.

[5] And signature for easier review.

[6] I've been contemplating that for a while now anyhow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.