{{Header}}
{{title|title=
Progress Reports
}}
{{#seo:
|description=Overview on the continuous progress for Kicksecure (and Whonix) with individual specific contributions for content, research, implementation etc
|image=Page-progress-reports-thumb.jpg
}}
{{devwiki}}
{{about_mininav}}
<div class="mininav">
* [[#arraybolt3|arraybolt3]]
* [[#Hans|Hans]]
* [[#nurmagoz|nurmagoz]]
</div>
[[File:Page-progress-reports-thumb.jpg|thumb|200px]]
{{intro|
On this page we give an overview of the continuous progress of Kicksecure (and Whonix) by its most active contributors.
}}
= Introduction =
{{#widget:Icon_Bullet_List
|item=fa-solid fa-chart-line cs-green,Kicksecure (and Whonix) are both long-standing projects with an established history, and both are still under continuous development.
|item=fa-solid fa-list cs-blue,On this page we give an overview of the continuous progress of Kicksecure (and Whonix) and of its most active contributors. They write content, do research, implement features and much more.
|item=fa-regular fa-user cs-blue,Each contributor has a chapter.
}}
= arraybolt3 =
== 2025-07-26 ==
=== Find emergency shutdown hang culprit ===
Date: 2025-07-26
Our <code>panic-on-oops.service</code> unit is causing the hangs on physical hardware with Intel graphics, because the i915 graphics driver is throwing a kernel warning during shutdown and that is turned into a kernel panic by our code. A good workaround will probably be to switch to a TTY before issuing the final shutdown command.
=== Review login security documentation ===
Date: 2025-07-26
Double-checked the existing documentation for login security. Didn't find much missing, except that we didn't mention that SSH is not installed by default. Added that to the SSH wiki page.
=== regreSSHion research ===
Date: 2025-07-26
As discussed with Patrick.
== 2025-07-25 ==
=== Warn about passwordless sysmaint account even when password is locked ===
Date: 2025-07-25
systemcheck's login security check previously considered a missing-but-locked password "good enough" for any account, and thus displayed the password as "Locked" with green-colored text. This has now been changed to "Locked (Absent)" for all accounts. The text is still shown as green for non-sysmaint accounts, but for the sysmaint account specifically (which is automatically unlocked when booting into a sysmaint session), this condition is shown in yellow.
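The distinction the entry above draws (a password that is merely locked versus one that was never set, and why that matters for the sysmaint account) can be expressed as a small classifier over shadow(5) password fields. This is an added example written for this page, not systemcheck's own code; the sample shadow lines are constructed, the account list and the "bad" rating for an empty password field are assumptions.

```python
"""Classify /etc/shadow password fields the way a login security check
might (added example; not systemcheck's check_login_security.bsh)."""

from dataclasses import dataclass

# Accounts whose password lock is lifted automatically in some session type.
# "sysmaint" is the one this page describes; the set itself is an assumption.
AUTO_UNLOCKED_ACCOUNTS = frozenset({"sysmaint"})


@dataclass(frozen=True)
class PasswordStatus:
    account: str
    state: str      # "Absent", "Locked (Absent)", "Locked" or "Set"
    severity: str   # "good" (green), "warning" (yellow), "bad" (red)


def classify_password_field(field: str) -> str:
    """Map a shadow(5) password field to a human-readable state.

    Conventions from shadow(5): an empty field means no password is required;
    a field starting with '!' or '*' is locked; if only lock markers are
    present, no password hash was ever set (locked AND absent)."""
    if field == "":
        return "Absent"
    if field[0] in "!*":
        remainder = field.lstrip("!*")
        return "Locked (Absent)" if remainder == "" else "Locked"
    return "Set"


def assess_account(account: str, field: str) -> PasswordStatus:
    """Rate one account; 'Locked (Absent)' is fine unless the lock is
    going to be removed automatically, as it is for sysmaint sessions."""
    state = classify_password_field(field)
    if state == "Absent":
        severity = "bad"        # passwordless login is possible (assumption)
    elif state == "Locked (Absent)" and account in AUTO_UNLOCKED_ACCOUNTS:
        # Once the lock is lifted at boot, the account is effectively
        # passwordless, so this deserves a warning rather than a green check.
        severity = "warning"
    else:
        severity = "good"
    return PasswordStatus(account, state, severity)


def assess_shadow(shadow_text: str) -> list[PasswordStatus]:
    """Assess every well-formed entry in shadow-format text."""
    results = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                     # malformed line: skip, don't crash
        results.append(assess_account(fields[0], fields[1]))
    return results


# Constructed sample, not from a real system; the "user" hash is a placeholder.
SAMPLE_SHADOW = """\
root:*:19900:0:99999:7:::
user:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
sysmaint:!:19900:0:99999:7:::
guest::19900:0:99999:7:::
"""

if __name__ == "__main__":
    for status in assess_shadow(SAMPLE_SHADOW):
        print(f"{status.account:10} {status.state:16} {status.severity}")
```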
=== Add sysmaint-panel buttons for Whonix-Gateway features, remove irrelevant buttons ===
Date: 2025-07-25
Made it so that networking and browser-related buttons were not displayed on Whonix-Gateway or Whonix-Workstation. Added four tools specific to Whonix-Gateway to the system maintenance panel.
=== Make sysmaint-panel launch automatically on non-Qubes Whonix-Gateway ===
Date: 2025-07-25
Added code to anon-gw-base-files that can detect if the system is a non-Qubes Whonix-Gateway, and that will autolaunch the System Maintenance Panel if so.
=== Attempt to port Kicksecure theme to LXQt + Wayland ===
Date: 2025-07-25
Looked into what would be necessary to mostly or entirely replicate Kicksecure's existing theming on LXQt. After some effort, I managed to get a functional LXQt session working with labwc and Wayland, and after some more fiddling managed to theme the desktop decently well. This will be useful when we port to Wayland in the future.
=== Fix browser-choice bugs ===
Date: 2025-07-25
Patrick found a bug on step 2 of the wizard that would allow proceeding past the page without properly selecting an option. This turned out to be one of a family of bugs affecting this particular page. These issues have now been fixed, however the way in which the button enable/disable code works may need to be changed if further issues show up.
== 2025-07-24 ==
=== Research, discuss Tor Browser and default browser difficulties ===
Date: 2025-07-24
Talked with Patrick about the current shortcomings of our default browser mechanism, and possible ways to resolve them for Trixie. (Resolving them for Bookworm would likely be too dangerous.) This included discussion of how to make it possible to launch Tor Browser in a sysmaint session.
=== Review zsh configuration ===
Date: 2025-07-24
Found some bugs in, and places to improve, our zsh config. Submitted a relatively small patch to resolve those issues.
=== Add systemcheck test for ensuring su is locked down ===
Date: 2025-07-24
Created a test in systemcheck that checks the permissions and ownership on <code>/usr/bin/su</code> and reports if they differ from <code>744 0:0</code>.
=== Make systemcheck login security check suitable for Qubes OS ===
Date: 2025-07-24
Reworked the autologin code in check_login_security.bsh so it would work as expected under Qubes OS, and removed the condition that caused the test to be skipped on Qubes.
== 2025-07-23 ==
=== Investigate theming improvements, Wayland migration path ===
Date: 2025-07-23
Made several suggestions for improving the Kicksecure and Whonix theming with Xfce, in the hopes that this work could be later transferred to LXQt without too much effort. Also compared Xfce and LXQt on Wayland, and discussed issues and limitations with Patrick.
=== Finish systemcheck audit and fixes ===
Date: 2025-07-23
Finished testing systemcheck's verbose mode on all supported virtualization platforms. Found several bugs and bogus errors in the process, submitted fixes for all of them.
== 2025-07-22 ==
=== Work on fixing systemcheck errors across all supported VM platforms ===
Date: 2025-07-22
Patrick noticed a lot of spurious errors being spit out by systemcheck, and some more serious-looking errors under Whonix. I started debugging some of these - some of them can safely be silenced, others are the result of actual bugs in livecheck (so far just AppArmor config issues). Will finish this tomorrow most likely.
=== Add livecheck applet name to context menu, fix some bugs ===
Date: 2025-07-22
Fixed bugs in livecheck, and added an extra "action" to the livecheck context menu showing the applet's name. (Also made an alternate implementation that put the applet name in the exit button in case that was desirable. Patrick and I both didn't like that variation as much, and Patrick merged the one with the applet name below the exit button.)
=== Add further browser-choice integrations ===
Date: 2025-07-22
Added browser-choice to the Kicksecure Qubes template app menu, added a mention of it to setup-wizard-dist, and improved the wording in open-link-confirmation to hint to the user that they may need to install a browser themselves if they haven't already.
=== Implement browser-choice improvements ===
Date: 2025-07-22
Went through Patrick's list of requested improvements to browser-choice and implemented all but one of them. The remaining one looked too complicated, so I left notes about difficulties there for our consideration.
== 2025-07-21 ==
=== Find firmware component resulting in shutdown issues ===
Date: 2025-07-21
Narrowed down the problematic firmware causing emerg-shutdown failure to the i915 firmware. Either that firmware or the corresponding driver is most likely interacting poorly with some configuration present in Kicksecure.
=== Integrate browser-choice with Kicksecure, Whonix ===
Date: 2025-07-21
Fixed some browser-choice user interface issues, added a launcher for it to sysmaint-panel, removed Firefox and Thunderbird from Kicksecure and Whonix, added browser-choice, made dummy-dependency able to replace browser-choice, and worked on the derivative-update script since I ended up syncing my derivative-maker fork with Whonix upstream.
=== Resend GRUB Xen command line patch ===
Date: 2025-07-21
No reply from the GRUB developers has been received since the last time I sent the patch, so I rebased it onto the current tip of GRUB's git master, then resent it.
== 2025-07-20 ==
=== Investigate read-only root on Debian 12, Kicksecure 17 ===
Date: 2025-07-20
Determined what was needed to get Debian and Kicksecure to boot with a read-only root filesystem. Mounted minimal RAM-based overlays to get things working. In production, we'd also need to have a persistent data partition. Both Debian 12 and Kicksecure 17 could be configured to boot to a working GUI with a read-only root partition, and Firefox worked for web browsing.
=== Attempt to fix rtests for Whonix-Workstation after hardening qrexec ===
Date: 2025-07-20
The new Whonix-Workstation qrexec behavior when opening files in other VMs broke the regression tests for it. Attempted to fix these by adding code to confirm opening a file in a new DispVM.
=== Add back legacy policies for sdwdate-gui-qubes ===
Date: 2025-07-20
This should prevent breakage when sdwdate-gui is upgraded to use the new architecture.
=== Study sdwdate code and timesync wiki, take notes ===
Date: 2025-07-20
Looked at requested enhancements and potential implementation strategies, security concerns, and limitations. No concrete changes made yet, just getting a good understanding of the theory and a working understanding of code internals.
=== Find package causing shutdown failures on Kicksecure ===
Date: 2025-07-20
After much searching, I finally narrowed down the shutdown failures to the firmware-* package group, and eventually narrowed it down to firmware-misc-nonfree. This package does not cause shutdown to fail on vanilla Debian 12, but it does cause problems on Kicksecure, so presumably something we're doing is interfering with a device in an unexpected way. Further research still needed.
=== Attempt to file Tor Browser feature request for signed metadata ===
Date: 2025-07-20
Used Anon-Ticket to file the request, and also requested a Tor Gitlab account. Both are pending moderation.
== 2025-07-18 ==
=== Fix Whonix-Workstation StandaloneVM bugs ===
Date: 2025-07-18
Fixed a couple of sysmaint-related issues (failure to format home disk, incorrectly attempting to access the update proxy when it isn't necessary) and some deeper issues with Whonix StandaloneVM creation (NetVM set incorrectly to sys-firewall, default DispVM set incorrectly to default-dvm).
=== Add software installation risk warning to browser-choice ===
Date: 2025-07-18
Added warnings for browser installation options that enable a third-party apt repository. Also added a general warning about how software installation is inherently risky, and linked it to a newly written warning on the wiki explaining why one must trust software they run.
== 2025-07-17 ==
=== Improve Qt UI build process for browser-choice, sysmaint-panel ===
Date: 2025-07-17
Stopped including autogenerated UI code files in Git. Integrated UI-to-Python translation into the package build process for both packages and added a "clean" feature for getting rid of obsolete autogenerated code.
=== Research improving systemd shutdown reliability ===
Date: 2025-07-17
Did not find a setting in systemd to provide a "master kill switch"; the closest that can be done (to my awareness) is creating a unit that force-kills the system using magic sysrq. Should file a systemd feature request for this.
=== Write ticket for discussing stable vs. rolling release concerns ===
Date: 2025-07-17
Created a post on Kicksecure's developer forums for stable and rolling release discussion. Mapped out some pros and cons, some possible ways forward, and linked to the existing wiki page on the topic.
=== Test, bugfix browser-choice ===
Date: 2025-07-17
Ensured that browser-choice worked on Whonix-Workstation and in Whonix qubes under Qubes OS. Found and fixed several bugs in the process.
=== Document problems with read-only Debian ===
Date: 2025-07-17
Wrote down known issues with making Debian fully read-only, and possible ways of resolving them. Useful for future Verified Boot research.
== 2025-07-16 ==
=== browser-choice enhancements ===
Date: 2025-07-16
Implemented several enhancements for browser-choice, including creating new plugins, adding a network check, removing the "launch after install" checkbox from sysmaint sessions, etc. Still needs testing.
=== Fix "Open in other qube" button in Whonix-Workstation with qrexec PR ===
Date: 2025-07-16
The qrexec PR against qubes-core-admin-addon-whonix currently in flight was breaking the "Open in other qube" button in Whonix-Workstation. Marek suggested a fix for this, which I tested, verified worked, and implemented.
=== Final emerg-shutdown debug attempt ===
Date: 2025-07-16
Discovered that emerg-shutdown worked properly under plain Debian 12. Attempted to determine what configuration in Kicksecure was breaking it. So far, the kernel command line does not seem to be the issue, nor do the modprobe settings, sysctl settings, or any modprobe or sysctl settings embedded in the initramfs (if any). Still did not find a workaround or a fix. Delaying further emerg-shutdown development until the Trixie port.
== 2025-07-15 ==
=== Debug emerg-shutdown failure to shut down ===
Date: 2025-07-15
While developing emerg-shutdown, I discovered that many times the system would only partially shut down when emerg-shutdown was triggered. The screen would go black, and external drives would lose power, but the power LED would remain lit and the fans of the machine would keep spinning. This is happening on two different computers with radically different hardware. The cause for this is still unknown. Attempted to find a workaround, did not succeed.
=== Audit, polish application menus for Kicksecure and Whonix qubes ===
Date: 2025-07-15
Compared existing app menu entries to those of other qubes and reviewed app menu entries available in VirtualBox VMs to determine what app menu items would be best to include for each VM variant. Changed qube configuration accordingly.
=== Further work on Qubes-Whonix qrexec hardening ===
Date: 2025-07-15
Added and tested qrexec configuration to qubes-core-admin-addon-whonix that allows opening new files in already-open AppVMs. Also documented some shortcomings with this solution.
== 2025-07-14 ==
=== Continued emergency shutdown development ===
Date: 2025-07-14
Added the ability to specify alternative keys in the rescue key mechanism, so for instance you can make Ctrl+Alt+Delete work as an instant shutdown without having to rely on left ctrl or right ctrl specifically. Also fixed optical disk support, and tested on both physical and virtual hardware. Virtual machines are working perfectly, but physical hardware is getting "stuck" during shutdown for unknown reasons. Further investigation needed.
=== Document development and use considerations for stable and rolling releases ===
Date: 2025-07-14
Wrote down detailed information about the security impact of stable vs. rolling release models and how those release models interact with other software release models. Also wrote suggestions for staying secure when using a stable release, which we may use when developing new features.
=== Implement dracut initramfs xz compression ===
Date: 2025-07-14
Set the <code>compress="xz"</code> setting in Dracut using dist-base-files.
== 2025-07-13 ==
=== Add panic key support to emergency shutdown code ===
Date: 2025-07-13
The emergency shutdown service is now capable of monitoring for a particular "panic" key combo and immediately shutting down the system when that key combo is detected. It operates at the evdev layer, thus does not depend on a GUI to work right. Needs real-world testing, but some testing outside of a real-world setting has already been done.
=== Review qrexec config on Qubes R4.3 for possible Whonix-Workstation guest escapes or IP leaks ===
Date: 2025-07-13
Was not able to find an easy escape mechanism, but I did find a possible IP leak mechanism that required substantial user interaction. Filed a Qubes feature request for locking this down, along with a pull request to implement it.
=== Test dracut zstd compression with maximum compression settings ===
Date: 2025-07-13
Determined that this mode generated a slightly larger file than xz while performing significantly worse.
=== Add explanatory comments to derivative-update ===
Date: 2025-07-13
Noted down why more detailed refs/* specifiers cannot be used in particular parts of the code, and why a use of <code>git symbolic-ref -q -- HEAD</code> was safe.
== 2025-07-11 ==
=== Document how a verified boot mode would work with Whonix-Gateway and others ===
Date: 2025-07-11
Took the discussion around verified boot implementation I had with Patrick, and attempted to use that info to update the documentation in the user-sysmaint-split wiki page.
=== Finish SSH wiki page review ===
Date: 2025-07-11
Polished the server configuration file a bit (allowing IPv6, enhancing MAC choices), and reviewed the rest of the page.
=== Document shared folder usage for Kicksecure and Whonix ===
Date: 2025-07-11
Documented how to use the revamped vm-config-dist functionality, both for VirtualBox and KVM.
=== Review more suggestions and fixes for derivative-update ===
Date: 2025-07-11
Looked at some more changes Patrick made to derivative-update and TODO comments he left in the code. Code changes looked good. Left some notes in chat, implemented suggestions that could be implemented.
== 2025-07-10 ==
=== Research SSH cryptography algorithms ===
Date: 2025-07-10
Fixed some minor issues on the SSH wiki page, and revamped the recommended client configuration file. Did a lot of research into the security properties of the various algorithms offered by SSH and which ones were best in various scenarios, and documented that research to justify the changes to the recommended encryption settings.
== 2025-07-09 ==
=== Whonix-Gateway verified boot discussion ===
Date: 2025-07-09
Talked with Patrick about how verified boot should work on the software side of things, and how it would look on Whonix-Gateway (and other machines without user-sysmaint-split) as opposed to machines with user-sysmaint-split.
=== Fix known browser-choice issues ===
Date: 2025-07-09
Worked through the list of known issues in browser-choice and fixed all of them. Also created further TODOs and a list of things to consider for further development.
== 2025-07-08 ==
=== Get browser-choice into an alpha quality state ===
Date: 2025-07-08
browser-choice is now mostly functional. There are several known issues and the code has not been thoroughly tested, but it's to the point where it can be used to install and uninstall some browsers.
== 2025-07-07 ==
=== More browser-choice development ===
Date: 2025-07-07
Got the second screen of the wizard mostly implemented.
=== Research, benchmark, and suggest a new default for Dracut compression algorithms ===
Date: 2025-07-07
Suggested that we switch to xz compression by default since it provides a very small initramfs and is still acceptably fast (a bit faster than what we use now). Suggested zstd as an acceptable alternative if xz was undesirable.
=== Add --set-home switch to sudo command for running Wayland GUI apps as root ===
Date: 2025-07-07
<code>--set-home</code> appeared to be the default anyway, but it doesn't hurt anything and it's useful to keep from accidentally creating root-owned files in other users' home directories.
== 2025-07-06 ==
=== Continue browser-choice development ===
Date: 2025-07-06
Got functional code written for parsing plugin files, displaying browsers to the user, and checking whether a browser is installed and how. So far it's mostly working.
=== Add root account to systemcheck login security check ===
Date: 2025-07-06
Made the root account be listed along with other accounts in systemcheck's login security check. Also added special fields for accounts with a locked or restricted password, and made it so that login security issues on the root account would be shown in red text.
=== Rewrite vm-config-dist shared folder code ===
Date: 2025-07-06
The previous code in vm-config-dist wasn't fully functional and didn't allow the sysmaint user to access shared folders. Rewrote the code to be more flexible, take into account all needed edge cases, and avoid using flaky VirtualBox automounting.
=== Add hwclock sync to sdwdate and bootclockrandomization ===
Date: 2025-07-06
Added code to sync the hardware clock with the system clock to both of the above mentioned packages.
=== More derivative-update polish and simplification ===
Date: 2025-07-06
Rewrote parts of derivative-update with Patrick's help. Most of the more complicated features were removed in favor of keeping the script easy to use and less complex.
== 2025-07-04 ==
=== Research SSH post-quantum cryptography ===
Date: 2025-07-04
Looked into how PQC currently worked in the version of OpenSSH in Trixie, and wrote some suggestions for how we should configure and document OpenSSH cryptography in Kicksecure.
=== Update documentation for running Wayland applications as root ===
Date: 2025-07-04
Added a note about an environment variable Qt needs to work right in this situation. Also verified that lxsudo didn't work for this purpose, and clarified documentation around launching applications as root to guide users to using sudo rather than lxsudo when dealing with Wayland.
=== Start implementing browser-choice widgets and plugins ===
Date: 2025-07-04
Got many UI widgets for browser-choice working. Also wrote the plugins, added icons to the repo, and wrote a helper script for architecture support checks.
=== Create Qubes /etc/hosts ominous warning fix ===
Date: 2025-07-04
Moved the protected files config for <code>/etc/hosts</code> (and also <code>/etc/hostname</code>) to whonix-base-files. This should hopefully fix the ominous warning issues.
=== Hand off remaining Docker issues to tabletseeker ===
Date: 2025-07-04
Documented current progress on derivative-maker-docker and set it aside as per Patrick's recommendations in the task list.
== 2025-07-03 ==
=== Begin writing browser-choice ===
Date: 2025-07-03
Worked on several Qt Designer UI files for various parts of the browser-choice UI. Not all of the UI has been laid out yet, and no functional code has been written yet.
=== Research, find possible fix for /etc/hosts issue in Qubes-Whonix ===
Date: 2025-07-03
Found the likely cause of Qubes-Whonix "ominous warning" error messages mentioning /etc/hosts, and suggested a solution. Patrick approved the suggestion, so I will likely be implementing the solution soon.
=== Enhanced time synchronization docs ===
Date: 2025-07-03
Read through and added some NTP and hardware clock info to the Network Time Synchronization wiki page.
=== derivative-update fixes ===
Date: 2025-07-03
Fixed bugs and TODOs in derivative-update. It should still probably be considered beta-quality, but it's significantly more robust than previously now. Also researched Docker UUID issues, did not find a good fix yet.
=== Double-check erst_disable pull requests ===
Date: 2025-07-03
Made sure the erst_disable pull requests were safe and correct after they were merged.
== 2025-07-02 ==
=== Create derivative-update, revamp Docker code in derivative-maker ===
Date: 2025-07-02
Created the derivative-update script for checking out refs in derivative-maker and fetching new commits for it in a secure fashion. Also applied a bunch of fixes to the Docker code that were previously offered for tabletseeker's repository.
=== Comment on remaining IPv6 discussion ===
Date: 2025-07-02
Added a comment to a previously missed IPv6 discussion.
== 2025-07-01 ==
=== File feature request for user/system package separation in Kicksecure ===
Date: 2025-07-01
Filed a feature request for separating user and system packages on the forums, and documented a possible way of implementing it using virtualization. Will continue discussion on this.
=== Research, document Status messenger ===
Date: 2025-07-01
Determined that Status was most likely not a good messenger to recommend, and documented why.
=== Research lsblk failure in Docker, file bug report against Docker ===
Date: 2025-07-01
Determined that zeha's suggested fix for the Docker issue would not work. Filed a bug against Docker for the issue. We'll probably have to port the appropriate location in the grml-debootstrap code to use blkid to resolve this, or wait for Docker to be fixed.
=== Submit derivative-maker-docker changes to tabletseeker's repo ===
Date: 2025-07-01
Integrated my previous work on derivative-maker-docker into tabletseeker's work, and also added a prototype of an <code>--update-repo</code> option. Filed a PR to integrate it.
=== Investigate clock widgets for sysmaint session ===
Date: 2025-07-01
Did more clock widget research and tested a widget, <code>tdc</code>. Didn't find one that would work. We'll have to write our own in some way most likely.
=== Review, suggest fixes for erst_disable removal PR in debug-misc ===
Date: 2025-07-01
Reviewed a debug-misc PR from raja-grewal that removed the <code>erst_disable</code> kernel parameter from the kernel command line, along with a few other fixes. Noticed some errors in the PR and suggested fixes for them.
=== Fix screen locker in sysmaint sessions ===
Date: 2025-07-01
Added xscreensaver to the appropriate Kicksecure metapackage and added configuration for it in vm-config-dist to prevent it from automatically locking the screen or displaying a real screensaver by default.
== 2025-06-30 ==
=== Research, document Wire messenger ===
Date: 2025-06-30
Determined that Wire was likely not a good chat messenger choice due to experimental Linux support and previously broken end-to-end encryption.
=== Investigate grml-debootstrap /dev cloning ===
Date: 2025-06-30
To fix a grml-debootstrap bug resulting in mis-detection of partition type UUIDs, I implemented a <code>/dev</code> filesystem cloner as a proof-of-concept, to see if cloning <code>/dev</code> was even practical. It turned out to be doable. Shared the code in the appropriate grml-debootstrap bug report and requested feedback.
=== Review, approve PR for fixing potentially unsafe Bluetooth config ===
Date: 2025-06-30
bluez upstream mis-documented their <code>TemporaryTimeout</code> option, leading us to believe that setting it to <code>0</code> would prevent temporary Bluetooth devices from persisting. What it actually did was make temporary Bluetooth devices always persist. Ensured that the PR for removing the incorrect configuration looked correct, and that the fixed documentation for <code>TemporaryTimeout</code> was actually accurate.
=== Review, approve erst_disable PR for security-misc ===
Date: 2025-06-30
Reviewed a PR from raja-grewal that disables ACPI ERST support to make it harder to persist dangerous crash data in firmware flash storage. Approved. I did not manage to review the accompanying PR for debug-misc yet.
=== Documented arp_ignore=1 settings for advanced networking with Whonix-Gateway ===
Date: 2025-06-30
Wrote documentation for downgrading <code>arp_ignore=2</code> to <code>arp_ignore=1</code>, along with when doing so would be necessary. This will be needed for users who are putting a VPN after their Tor connection, and for users who are using Windows as a Whonix-Custom-Workstation.
=== Added comments to IPv6 and tb-updater Github issues ===
Date: 2025-06-30
Commented on some Github issues Patrick asked me to look at. tb-updater may need automation to make it faster to update, and some IP addresses in the IPv6 PRs from Daniel were verified as safe.
=== Add battery indicator to user and sysmaint system trays ===
Date: 2025-06-30
Determined why a battery indicator wasn't appearing in the systrays in both user and sysmaint modes, and added additional configuration to fix that for new builds of Kicksecure and newly created user accounts. This won't fix it for existing user accounts, there's not a whole lot that can be done about that.
== 2025-06-29 ==
=== Write and integrate sanitize-string ===
Date: 2025-06-29
Wrote a Python library and utility that combined the functionality of the stecho and strip-html utilities. Named it sanitize-string at Patrick's suggestion. Integrated it throughout Kicksecure's codebase.
=== Fix minor issues with livecheck output_func chunking implementation ===
Date: 2025-06-29
Added an infinite loop guard, fixed behavior when only a single argument was passed, and added argument count checking.
=== Remove old genmon livecheck widget ===
Date: 2025-06-29
After rewriting livecheck as a Python applet, we forgot to actually remove the old XFCE-specific genmon widget that was once serving the equivalent purpose. Removed now.
=== Finish derivative-maker-docker review ===
Date: 2025-06-29
Fixed several TODOs, discussed challenges with Patrick and got ISO builds working. Also filed a grml-debootstrap bug for fixing VM image builds.
== 2025-06-27 ==
=== Begin full audit of derivative-maker-docker ===
Date: 2025-06-27
Started a thorough usability and code quality audit of derivative-maker-docker. Wrote down several notes in my local repository, will be fixing noted issues soon.
=== Enhance msgcollector output_func ===
Date: 2025-06-27
Made it so that <code>output_func</code> could handle very long strings, such as journalctl output. Took a while to figure out an efficient chunking algorithm that was also resistant to problems caused by UTF-8 characters.
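The chunking problem described here, together with the loop guard and argument-count checking from the 2025-06-29 livecheck entry above, can be demonstrated with a splitter that cuts a long string into byte-bounded pieces only at UTF-8 character boundaries. This is an added example written for this page, not the code of msgcollector or livecheck; the function names, the default chunk size and the command-line shape are assumptions.

```python
"""Split long text into chunks of at most N bytes of UTF-8 without cutting
through a multi-byte character (added example; not msgcollector's own code)."""

import sys

DEFAULT_MAX_BYTES = 4096   # assumed default, not a value from the page


def chunk_utf8(text: str, max_bytes: int) -> list[str]:
    """Return pieces of `text` whose UTF-8 encoding is <= max_bytes each.

    Working on the encoded bytes keeps the size bound exact; backing up
    over continuation bytes (bit pattern 10xxxxxx) keeps every chunk
    valid UTF-8 on its own."""
    if not isinstance(max_bytes, int) or max_bytes < 4:
        # A single code point needs up to 4 bytes; a smaller limit could
        # never make progress on such a character.
        raise ValueError("max_bytes must be an int >= 4")
    data = text.encode("utf-8")
    chunks: list[str] = []
    pos = 0
    while pos < len(data):
        end = min(pos + max_bytes, len(data))
        # Move `end` back until it sits on a character boundary.
        while pos < end < len(data) and (data[end] & 0xC0) == 0x80:
            end -= 1
        if end <= pos:
            # Infinite-loop guard: unreachable with max_bytes >= 4, but a
            # future logic error here would otherwise spin forever.
            raise RuntimeError("chunker failed to make progress")
        chunks.append(data[pos:end].decode("utf-8"))
        pos = end
    return chunks


def parse_chunk_args(argv: list[str]) -> tuple[str, int]:
    """Argument-count checking for a command-line front end: one argument
    (the text) uses the default size, two give an explicit size, anything
    else is rejected instead of silently misbehaving."""
    if len(argv) == 1:
        return argv[0], DEFAULT_MAX_BYTES
    if len(argv) == 2:
        return argv[0], int(argv[1])
    raise ValueError(f"expected 1 or 2 arguments, got {len(argv)}")


if __name__ == "__main__":
    text, size = parse_chunk_args(sys.argv[1:])
    for index, piece in enumerate(chunk_utf8(text, size)):
        print(f"[{index}] {piece}")
```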
=== Fix missing rm_conffile migration command in sdwdate-gui ===
Date: 2025-06-27
Ensured that <code>rm_conffile</code> could be safely reverted later, then added the needed commands to sdwdate-gui's maintainer scripts to enable a smooth migration to the new architecture.
== 2025-06-26 ==
=== Add Delta Chat and IRC client documentation to Whonix chat client docs ===
Date: 2025-06-26
Briefly documented the installation and use of irssi, WeeChat, and Quassel Chat (all IRC clients) on the Whonix wiki. Added a warning to the HexChat wiki page that HexChat is no longer maintained. Documented Delta Chat on its own wiki page.
=== Review "seat belts and airbags for Bash" ===
Date: 2025-06-26
Watched a presentation on writing robust Bash code at Patrick's request. Learned some new tips in the process. The presentation had some errors in it, some of which were practical in nature (i.e. mis-describing how to use Bash features such as regexes), so I tried to pull out what I could verify as accurate, added notes to the dev/bash wiki page, and made some notes of my own for new tricks I didn't know before.
=== Add user-sysmaint-split and Qubes-specific design changes to browser-choice ===
Date: 2025-06-26
Patrick pointed out several shortcomings with our current browser-choice design specifications related to user-sysmaint-split and Qubes OS. Integrated his suggestions into the design documentation and also added some design changes of my own to resolve the issues.
=== Rename sdwdate-client/server tag to sdwdate-gui-client/server ===
Date: 2025-06-26
Fixed the qubes-core-admin-addon-whonix and qubes-core-admin-addon-kicksecure code to use a different, more accurate tag name for qrexec policies used by sdwdate.
== 2025-06-25 ==
=== Research and implement robust HTML stripping ===
Date: 2025-06-25
Implemented an HTML stripper and integrated it into Kicksecure's codebase. The stripper uses Python's HTML parser for part of its job, but should work under adversarial conditions.
=== Review, approve 3mdeb verified boot spec ===
Date: 2025-06-25
Reviewed the full verified boot specification made by collaboration with 3mdeb. Looked good, approved.
=== Finish sdwdate-gui rewrite and accompanying Qubes OS changes ===
Date: 2025-06-25
Pushed all sdwdate-gui changes and opened an issue for adding qubes-core-admin-addon-kicksecure to Qubes OS. Once everything is merged, sdwdate-gui should work in Kicksecure qubes properly.
== 2025-06-24 ==
=== Ported Xen command line parsing patch back to Qubes OS and fully retested the patch on Qubes ===
Date: 2025-06-24
The pvgrub pull request for in-vm kernel boot mode support was outdated. I finally managed to get the patch for Xen command line parsing that was most recently submitted to the FSF ported back to Qubes OS's pvgrub code, tested it against the same test suite used for the upstream patch, and submitted it for review and hopefully merging later on.
=== Public zuluCrypt security bug report ===
Date: 2025-06-24
The zuluCrypt local privilege escalation issue discovered during the polkit audit task has been taken out of embargo after the Debian Security Team recommended I upload the bug report directly to the BTS. This is now done.
=== Fix memory management issues in sdwdate-gui rewrite ===
Date: 2025-06-24
PyQt5 makes it possible to corrupt or leak memory even in Python; as it turns out, typical Python automatic memory management can't be fully trusted to do the right thing. Attempted to resolve this, fixing a client crash issue caused by faulty memory management. Further auditing may be necessary to ensure these kinds of issues are fully resolved. Also got confirmation from Marek that creating a "qubes-core-admin-addon-kicksecure" would be a good way forward for fixing the root bug this rewrite was intended to fix (the qrexec errors caused by Kicksecure templates).
=== Contribute to 3mdeb verified boot discussion ===
Date: 2025-06-24
Tried to clarify a potentially confusing point related to Microsoft key handling in Sovereign Boot.
== 2025-06-23 ==
=== Debug and polish sdwdate-gui rewrite ===
Date: 2025-06-23
Got the rewrite of sdwdate-gui working on both Qubes OS and on "vanilla" Kicksecure and Whonix. A significant amount of additional effort will be needed to get all the moving pieces (mostly qrexec policies and Qubes-specific config) in place, but the application itself is now working quite well and can likely be considered beta-quality.
== 2025-06-22 ==
=== Further development, debugging on sdwdate-gui rewrite ===
Date: 2025-06-22
Rewritten sdwdate-gui is relatively close to functional at this point. Further debugging and testing on Qubes OS still needed, but it's very close to working.
== 2025-06-19 ==
=== Finish polkit configuration audit ===
Date: 2025-06-19
Finished compiling the results of the audit and shared them with Patrick.
== 2025-06-18 ==
=== Begin audit of default polkit configuration ===
Date: 2025-06-18
Began auditing the existing polkit rules and actions in my Kicksecure development VM for possible security weaknesses.
== 2025-06-13 ==
=== More sdwdate-gui rewrite work ===
Date: 2025-06-13
Mostly worked on writing the client component, still untested. Most of the remaining work will be testing and bugfixing from here.
== 2025-06-12 ==
=== Continue work on sdwdate-gui rewrite ===
Date: 2025-06-12
Finished writing the server component, still untested. Started work on writing the client component and researched how to proxy a UNIX socket over qrexec to make it work properly in Qubes OS.
=== Finish approx package caching work in derivative-maker ===
Date: 2025-06-12
Finished working out most of the bugs in the approx package caching implementation in derivative-maker. This should get our ability to build working again. (Patrick discovered some remaining minor bugs and has added fixes for them as well.)
== 2025-06-11 ==
=== Work on replacing apt-cacher-ng with approx in derivative-maker ===
Date: 2025-06-11
Something changed about the SSL configuration for fasttrack.debian.net, and now apt-cacher-ng is exhibiting extremely weird and non-functional behavior with that repository. There is no clear fix, so we're replacing it with the approx package caching proxy. Did most of the work for this, I have clearnet builds working and Tor builds almost working.
== 2025-06-10 ==
=== Start work on sdwdate-gui rewrite ===
Date: 2025-06-10
Used current implementation plan and existing code as a guide and started rewriting sdwdate-gui into a client-server system. So far things seem to be working fairly well.
=== Write down results of polkit research ===
Date: 2025-06-10
Replied on the Kicksecure forums to the development task for researching polkit's security. Also discussed security concerns and future work in this area with Patrick.
=== Remove Firefox from Kicksecure template app menu ===
Date: 2025-06-10
Successfully got a template build of Kicksecure for Qubes R4.3 that lacked Firefox in the application menu. Uploaded the change needed for this. Also added sysmaint-panel to the application menu at the same time since it's useful in sysmaint mode.
== 2025-06-09 ==
=== Research polkitd security concerns ===
Date: 2025-06-09
Looked into how polkitd works and whether it was a possible security risk. I don't personally see anything wrong with its method of operation, and it is a critical component of the system used with systemd, so it cannot simply be removed. I did notice what appeared to be a sandbox escape vulnerability in polkitd's systemd configuration, but the issue didn't appear serious, doesn't appear mitigatable, and isn't considered an issue by systemd upstream after discussion with them.
=== Get Kicksecure template builds to work on Qubes R4.3 again ===
Date: 2025-06-09
Set up qubes-builderv2 on my Qubes machine again after having reinstalled it recently. Discovered that the <code>builder.yml</code> file had to be configured specially to work on R4.3. Documented the needed config change.
=== Redesign sdwdate-gui-qubes backend ===
Date: 2025-06-09
Read through previous discussions and discussed with Patrick and Marek how to reimplement the sdwdate-gui-qubes backend to fix existing architectural issues. Came up with a new design that appears to be agreed upon as good, will be implementing soon.
== 2025-06-08 ==
=== Lots of improvements to systemcheck ===
Date: 2025-06-08
Added several new features to systemcheck at Patrick's request, including OS EOL detection, Secure Boot detection, and more. They should probably be tested more thoroughly, but seem to work initially.
=== Add BTRFS support back to Calamares ===
Date: 2025-06-08
Now that we have live-hardener, it is theoretically possible to boot a BTRFS system in live mode and have live mode actually do its job correctly, so BTRFS is now added back to the list of supported filesystems and will be accessible from the user interface.
=== Add read-only mode back to livecheck ===
Date: 2025-06-08
Read-only mode had gotten dropped during the development of the new livecheck applet, since it was missing from <code>live-mode.sh</code> in helper-scripts. Re-added the feature and tested it to make sure it worked.
=== Document live-hardener and livecheck Python applet ===
Date: 2025-06-08
Added documentation to the Kicksecure wiki for live-hardener and the new implementation of livecheck.
=== Make live-hardener more robust ===
Date: 2025-06-08
Made live-hardener's error handling more robust. Also added a test script, and fixed up lsblk output parsing.
=== Debug stprint helper-scripts CI failure ===
Date: 2025-06-08
A bug that slipped by both me and Ben during development and review of the stprint closed stdin fix patches resulted in <code>stcatn</code> only fixing up the last line of a file passed to it. This resulted in CI failure when trying to sanitize one Java file in the trojan-source repo. Found and fixed bug.
=== Research argon2id LUKS hardening for Kicksecure ===
Date: 2025-06-08
Researched how to increase argon2id memory consumption, whether it was worth doing, and whether it was worth documenting. Replied to the Kicksecure forums user who suggested hardening in this area.
== 2025-06-06 ==
=== Create unit tests for live-mode.sh and get_writable_fs_lists.sh ===
Date: 2025-06-06
The tests simulate a large number of mount configurations and ensure that the scripts behave as expected in all tested situations.
=== Add additional privileged "privleap" group to privleap ===
Date: 2025-06-06
In our privleap config, we originally had the <code>sudo</code> group as a privileged group that was able to run all or nearly all predefined privleap actions. This failed to take into account the possibility that someone would not want to grant <code>sudo</code> group membership to an account that needed to run privleap actions, since the <code>sudo</code> group could be a security risk even if the sudo executable could not normally be run.
To resolve this, the <code>privleap</code> group is now automatically created when privleap is installed, that group is allowed to run all of the same privleap actions that could be executed by the <code>sudo</code> group, and privleap is now able to take a group name in the <code>allowed-users</code> group, allowing one to grant a user account access to privleap by simply adding it to the <code>privleap</code> group, no further config modifications required.
=== Document new remount-secure implementation plan ===
Date: 2025-06-06
Added documentation for the remount-secure daemon idea to the remount-secure development wiki page.
== 2025-06-05 ==
=== Research remount-secure implementation ideas ===
Date: 2025-06-05
Read through the existing <code>remount-secure</code> code and some of the discussions. Shared some thoughts on the existing design and an idea for a new design that could detect at runtime when new filesystems are introduced and remount them securely. Also discussed these ideas with Patrick in chat.
=== Improve live-hardener writable filesystem detection ===
Date: 2025-06-05
live-hardener now parses only <code>/proc/self/mounts</code> rather than parsing <code>/etc/fstab</code> directly, allowing it to catch more writable filesystems.
=== Make Calamares tell livecheck when an OS is being installed ===
Date: 2025-06-05
Added functionality to livecheck to monitor for when a particular file is created to know when Calamares is installing the OS. livecheck will now show a notice in the system tray that OS installation is underway and not show an error indicator while that is happening. Once Calamares is done installing the OS, livecheck will return to its original mode. Added a couple of shellprocesses to our Calamares config to actually create and remove the signal file for this.
=== Discover bootloader installation bug, create fix ===
Date: 2025-06-05
Debugged why the fallback bootloader wasn't being properly installed for someone using the most recent Kicksecure ISO. Found out this was because of our boot entry naming changes. Created and tested a fix.
== 2025-06-04 ==
=== Integrate Marek's review suggestions into Xen command line GRUB patch ===
Date: 2025-06-04
Implemented all of Marek's suggestions, then fully retested the patch using the test suite designed previously. All tests passed. Submitted new version of patch to GRUB upstream.
=== Thoroughly test, fix up enhanced live mode ===
Date: 2025-06-04
Tested enhanced live mode code thoroughly, fixing a bunch of bugs and reducing logic duplication in the process. Should be ready for review and merge.
=== Approve stprint utilities PR from Ben ===
Date: 2025-06-04
Looked at the latest changes to the stprint utilities PR from Ben for fixing crashes when stdin is closed. Everything looked good, approved PR and Patrick has now merged it.
== 2025-06-03 ==
=== Develop live mode enhancements ===
Date: 2025-06-03
Created a systemd service that would find dangerous writable filesystems in fstab and remount them read-only, then mount RAM-based overlays on them. Also enhanced the livecheck code even further to be able to handle NFS, virtual machine shared folders, and removable vs. non-removable disks (not just mountpoints).
=== Clean up Docker-related issues in derivative-maker ===
Date: 2025-06-03
Fixed some remaining issues in the derivative-maker-docker code, and submitted fixes for several other derivative-maker bugs that impacted ISO builds done in Docker.
=== Another review of stprint utilities PR ===
Date: 2025-06-03
Reviewed the latest changes to the stprint utilities PR; one fix still needs to be made, but otherwise it's ready.
== 2025-06-02 ==
=== Finish Python implementation of livecheck ===
Date: 2025-06-02
Tested and added some features to the Python livecheck implementation. Seems to be working well, pushed all code changes to Git and submitted for review.
=== Review new derivative-maker-docker commits from tabletseeker ===
Date: 2025-06-02
tabletseeker added some additional features to the derivative-maker-docker PR, which I reviewed and left some comments on.
=== Review updated stprint utilities from Ben Grande ===
Date: 2025-06-02
Ben Grande updated some of the stprint-family utilities to avoid a closed stdin file descriptor from causing utility crashes. Reviewed the new code, suggested a few changes. Looks mostly good.
== 2025-06-01 ==
=== Develop Python implementation of livecheck ===
Date: 2025-06-01
Got a Python implementation of livecheck mostly working, and made changes to other packages to adjust for the new livecheck and live-mode.sh code. Haven't fully tested or pushed yet.
=== Get derivative-maker-docker PR to build a working Kicksecure image ===
Date: 2025-06-01
Did enough debugging of derivative-maker and the Docker PR that I was able to get a working Kicksecure image to boot. Approved pull request, will be contributing additional fixes to derivative-maker later.
== 2025-05-31 ==
=== Continue debugging of derivative-maker-docker pull request ===
Date: 2025-05-31
Found another bug in the Docker pull request, reported it and suggested a fix. Also found a bug in derivative-maker itself with disabling initramfs rebuilds, and another one with genmkfile installation of dependencies. This seems pretty close to working.
== 2025-05-30 ==
=== Document how to add additional systemd units to sysmaint-boot.target ===
Date: 2025-05-30
Documented how to configure a systemd unit to start in a sysmaint session without needing to modify sysmaint-boot.target's config file. This avoids problems with system files being overwritten during a system update.
=== derivative-maker fix, review, docker work ===
Date: 2025-05-30
Found and fixed a build failure in derivative-maker, tested the Docker pull request and found some issues that needed resolving.
=== Verified boot discussion, create framework for mocking up user interface ===
Date: 2025-05-30
Reviewed the latest verified boot spec document, pointed out some issues, and submitted a UI mockup + framework for mocking up further parts of the user interface.
== 2025-05-29 ==
=== Mostly finish new version of Xen command line GRUB patch ===
Date: 2025-05-29
Fixed all issues mentioned by Daniel Kiper, then did a thorough re-review of the code and fixed several other issues. Still need to actually submit the patch to the GRUB mailing list.
== 2025-05-28 ==
=== Begin work on fixing Xen command line GRUB patch ===
Date: 2025-05-28
Got an Arch Linux installation with Xen working (which took a significant amount of time). Attempted to build GRUB, but gnu.savannah.org was operating in a degraded state so I wasn't able to finish the job.
=== Review derivative-maker-docker PR from tabletseeker ===
Date: 2025-05-28
Looked through the code, pointed out some issues and made suggestions for improving things. Looks like a very good change in general. Did not scan the patch for malicious Unicode or attempt to run the code yet.
=== Reply to review from Daniel Kiper on GRUB Xen command line parsing patch ===
Date: 2025-05-28
Daniel reviewed my patch submitted to GRUB, pointing out several coding style and readability changes that needed to be made and several areas where I forgot to check for errors after allocating or reallocating memory. Responded to the review, will be fixing the issues he brought up soon. Also clarified the methodology for environment variable exports after another developer expressed a concern about how data was being passed from Xen to grub.cfg.
=== Sovereign Boot discussion on bootloader enumeration ===
Date: 2025-05-28
Talked with Michał from 3mdeb about whether we want to enumerate all bootloaders available to the system, what heuristics we should use for prioritizing them, and what the behavior should be when dealing with large numbers of bootloaders.
== 2025-05-27 ==
=== Review, approve maybebyte's permission-hardener bugfix ===
Date: 2025-05-27
Reviewed the final iteration of maybebyte's bugfix for allowing ssh-agent's permissions to be set properly. Looked correct to me, worked properly in my testing. Approved the PR, Patrick has merged it.
=== Review Kicksecure and Whonix codebase changes over last two weeks, determine systemd repart issue root cause ===
Date: 2025-05-27
Due to a mistake on my part, we ended up with commented-out code in derivative-maker that previously fixed partition type UUIDs for systemd-repart. This resulted in systemd-repart breaking, as one would expect. Suggested that we put the commented-out code back into production to fix this. Also reviewed all changes in the Kicksecure and Whonix main codebases that occurred over the earlier two-week hiatus, pointing out some bugs I noticed in the process.
=== Finish fixing default user code in Qubes OS boot modes ===
Date: 2025-05-27
Marek pointed out another few issues in my default user patch, one that could potentially cause a unit test failure, and some issues with code formatting. Fixed all of them. Also started getting a system prepared that would allow me to run dom0-specific unit tests on Qubes OS.
=== More discussion on Sovereign Boot ===
Date: 2025-05-27
Replied to more comments in the 3mdeb sovereign boot (previously "verified boot") discussion.
== 2025-05-26 ==
=== Review Ben Grande bugfix for closed stdin with stcat and similar tools ===
Date: 2025-05-26
Ben noticed that stcat, stcatn, sttee, and stsponge all misbehaved if they were given a blank, closed stdin (i.e. by running them as <code>stcat <&-</code>). I reviewed the bugfix he submitted for this. Unfortunately it was not sufficient on its own to fix the issue, but it was a good step in the right direction.
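The closed-stdin failure mode described in this entry, as an added example that is not helper-scripts' stcat/stcatn/sttee/stsponge code: a cat-like copy loop that probes the input descriptor with <code>fstat</code> before reading and treats <code>EBADF</code> on either side as "nothing to do" instead of crashing. The function names and the choice to return <code>b""</code> / <code>0</code> for a closed descriptor are assumptions made for this example.

```python
# Added example, not the stprint family's actual implementation.
# Demonstrates tolerating a closed stdin (`stcat <&-`) and a closed stdout
# in a cat-like tool that copies fd 0 to fd 1 at the file-descriptor level.
import errno
import os


def read_fd_to_eof(fd=0, chunk=65536):
    """Return all bytes readable from fd, or b"" if fd is not open (EBADF)."""
    try:
        os.fstat(fd)  # cheap probe: raises EBADF when the shell closed the fd
    except OSError as exc:
        if exc.errno == errno.EBADF:
            return b""
        raise
    data = bytearray()
    while True:
        try:
            buf = os.read(fd, chunk)
        except OSError as exc:
            if exc.errno == errno.EBADF:  # closed between probe and read
                break
            raise
        if not buf:  # EOF
            break
        data += buf
    return bytes(data)


def copy_to_fd(data, fd=1):
    """Write data to fd; return bytes written (0 if fd is closed or the
    reader went away). Partial writes are retried until complete."""
    written = 0
    while written < len(data):
        try:
            written += os.write(fd, data[written:])
        except OSError as exc:
            if exc.errno in (errno.EBADF, errno.EPIPE):
                break
            raise
    return written


def cat_like(fd_in=0, fd_out=1):
    """stcat-style copy: returns (bytes_read, bytes_written)."""
    data = read_fd_to_eof(fd_in)
    return len(data), copy_to_fd(data, fd_out)


if __name__ == "__main__":
    # `python3 this.py <&-` exits 0 with nothing written; normal use copies stdin.
    cat_like()
```

Probing with <code>fstat</code> first is what distinguishes "stdin was closed by the caller" from "stdin is empty": both produce no output, but only the former raises <code>EBADF</code>, and a tool that assumes fd 0 is always open will otherwise die on the first read.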
=== Review permission-hardener pull requests from maybebyte ===
Date: 2025-05-26
A Github user named "maybebyte" submitted a bug fix and a performance improvement to permission-hardener. Reviewed both pull requests and commented on them. The performance improvement looks mergeable and good, the bug fix needs a change to avoid introducing a possible security issue.
=== Ensure /var/cache/tb-binary permissions aren't a problem with user-sysmaint-split ===
Date: 2025-05-26
Marek noticed that <code>/var/cache/tb-binary</code> would end up owned by <code>sysmaint</code> due to user-sysmaint-split on Whonix-Workstation templates. Looked through the code and did testing to ensure this wasn't a problem.
=== Verified boot discussion ===
Date: 2025-05-26
Read through some critical verified boot related chats, replying to them to clear up confusion, point out possible issues, and highlight ideas I thought were good.
=== Add default user customization fixes to boot modes as suggested by Marek ===
Date: 2025-05-26
Marek had some suggestions for how to improve the default user code submitted earlier. Implemented those suggestions, ensured regression tests passed after changes were added.
== 2025-05-12 - 2025-05-25 ==
Scheduled hiatus from Kicksecure and Whonix work to help with an imminent hardware release for Kubuntu Focus. Ad-hoc work done during that time:
=== Add default user customization mechanism to Qubes OS boot modes ===
Date: 2025-05-18
Marek reported an issue where the default user qrexec overrides set by user-sysmaint-split resulted in the software updater breaking. After discussion with Marek and some experimentation, we decided to make it so that boot modes can customize the default user for a VM on the dom0 side. Implemented this and submitted a PR for it.
== 2025-05-11 ==
=== Study Simplex Chat ===
Date: 2025-05-11
Part of chat messenger research. Determined the features and defenses built into Simplex Chat, experimented with actually using it, and documented its features, how to install it, and how to get started using it.
=== Review sysmaint-boot.target wanted units ===
Date: 2025-05-11
Looked at all systemd units depended upon by sysmaint-boot.target. Removed some potentially unnecessary or dangerous units, enabled a unit that looked important and has been previously left as a TODO.
=== Fix broken user login without autologin when using user-sysmaint-split ===
Date: 2025-05-11
Fixed some logic errors that resulted in the sysmaint session being incorrectly selected when attempting to log in manually.
== 2025-05-10 ==
=== Review Whonix wiki chat messenger page ===
Date: 2025-05-10
Reviewed the page, fixed a few things, also added some data about Matrix chat and its shortcomings.
=== Review stecho PR from Ben Grande ===
Date: 2025-05-10
Reviewed an stecho PR from Ben, suggesting some changes and verifying that the code worked as expected.
== 2025-05-09 ==
=== Begin development of Python implementation of livecheck ===
Date: 2025-05-09
Researched what would be needed to reimplement livecheck in Python and began writing it. This will allow live-monitoring of the system's persistence state.
=== Get initial iteration of emergency shutdown feature working ===
Date: 2025-05-09
Got the emergency shutdown C executable and associated tooling working. More testing needed and an additional feature needs to be implemented before this is ready to deploy.
=== Fix file permission problem with append-shared ===
Date: 2025-05-09
There was a bug in append-shared (part of helper-scripts) that was resulting in files being set to 0600 file permissions. Determined the root cause and wrote a patch to fix the problem.
=== Fix GRUB being improperly configured with installations that use grub-cloud ===
Date: 2025-05-09
Discussed and helped fix a bug that resulted in the grub-cloud-amd64 package being configured with a variable it doesn't actually use.
== 2025-05-08 ==
=== Research, continue to develop emergency shutdown feature ===
Date: 2025-05-08
Discovered the original approach I was taking for the emergency shutdown utility was not suitable for our purposes, as it was crash-prone when the root device vanishes. Planned out and started implementing a new program that should be immune to crashing before shutdown.
=== Fix installation failure with UK English locale ===
Date: 2025-05-08
Discovered a superior way of setting the console keymap based on the X11 keymap, allowing us to avoid problems with mismatched names between X11 and console keymaps. Implemented this new method.
=== Implement systray for sysmaint session ===
Date: 2025-05-08
Used Trayer to provide a systray in sysmaint sessions. Did not yet add trayer to any particular metapackage for Kicksecure, but suggested to Patrick that it might go in <code>non-qubes-enhancements-gui</code>. This allows the user access to things like the sdwdate GUI and network manager applet.
== 2025-05-07 ==
=== Mostly implement emergency shutdown on USB key removal ===
Date: 2025-05-07
Got a proof-of-concept to work for the most part, there's still some bugs in the device detection code and the current implementation of the shutdown routine is unsafe and can't be relied on. The basic concept works though. Will continue to polish.
=== Review, polish browser-choice design changes ===
Date: 2025-05-07
Reviewed Patrick's latest changes to the browser-choice application design, added some extra requested UI elements. Also tried to document better what would happen if someone created an unofficial plugin that allowed installing a closed-source browser.
=== Add network management features to sysmaint-panel ===
Date: 2025-05-07
Added a button for launching <code>nmtui</code> to the panel. Also added a network status indicator.
After discussion with Patrick, we would like to implement some form of systray to avoid duplicating code.
=== Review verified boot spec PR ===
Date: 2025-05-07
Left some notes about the verified boot spec PR, looked mostly good to me.
== 2025-05-06 ==
=== Research, begin prototyping emergency shutdown feature ===
Date: 2025-05-06
Started to work on developing a feature that will allow the user to emergency-shutdown a Kicksecure system (live or otherwise) by abruptly removing the USB drive containing the operating system from the running system. Obviously for systems that have Kicksecure installed on an internal drive this won't be very useful, but anyone that has Kicksecure installed or flashed to an external USB will benefit from this.
=== Further research for grub-live enhancements ===
Date: 2025-05-06
Suggested the creation of a dedicated PyQt5 application to replace the current implementation of livecheck, which would be desktop-environment-independent and use mount event monitoring to trigger updates of the current persistence state (i.e., are all writable mounts on the system "live", are some of them persistent, and if some of them are persistent, are some of those persistent mounts likely to be dangerous).
=== Fix broken mouse integration in sysmaint sessions under KVM ===
Date: 2025-05-06
Discovered that mouse integration required spice-vdagent to be launched as the end user on login for mouse integration to work. Added it to the list of non-root services to run on sysmaint login.
=== Attend Zarhus Developer Meetup 0x1 ===
Date: 2025-05-06
Attended a virtual event hosted by 3mdeb where several projects related to 3mdeb's Zarhus operating system and surrounding technologies were discussed and demonstrated. Patrick also attended this. Research results from ram-wipe testing were shared. Gave some feedback on that and some of the other projects.
== 2025-05-05 ==
=== Fix systemcheck update advice, add log search to sysmaint-panel ===
Date: 2025-05-05
Added a button for searching the system logs in sysmaint-panel. Also made it so that systemcheck offers the right advice about how to update the system regardless of whether the user is booted into a sysmaint session or a user session (or doesn't have user-sysmaint-split installed at all).
=== Discuss proper fix for grub-live semi-persistence bug with Patrick ===
Date: 2025-05-05
Discussed with Patrick how to properly fix this bug. Added some points to research and came up with a preliminary implementation plan for fixing the issue.
=== Fix environment variable handling in grml-debootstrap RPi PR ===
Date: 2025-05-05
Mika pointed out that my PR made it so that the size of the virtual machine to be generated could no longer be passed in through a <code>VMSIZE</code> environment variable. Fixed, tested the fix and it worked.
=== Research, comment on search engine discussion on Kicksecure forums ===
Date: 2025-05-05
Did some research into suggested search engines on Kicksecure's forums, offered suggestions on which ones are likely worth inclusion based on the security and privacy each engine looked like it most likely provided from my perspective.
== 2025-05-04 ==
=== Improve live mode detection ===
Date: 2025-05-04
Switched to using mount point checking rather than kernel command line parsing to detect the live mode the system was booted in. Also made livecheck detect the "semi-persistent mode" bug where the root directory is read-only but /home is writable.
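An added example covering two entries on this page, the live-hardener change to parse <code>/proc/self/mounts</code> for writable filesystems (2025-06-05) and the livecheck change above to detect live mode and the "semi-persistent" condition from mount points rather than the kernel command line. This is not the project's live-hardener or livecheck code; the set of virtual filesystems treated as harmless and the three-way classification rule (root read-only but <code>/home</code> writable means semi-persistent) are assumptions of the example. The sample mount tables are constructed.

```python
# Added example, not Kicksecure's live-hardener or livecheck implementation.
# Parses /proc/self/mounts-format text, lists writable on-disk filesystems,
# and classifies the persistence state of the system.
import re

# Writable but backed by RAM or the kernel, so they hold no on-disk state.
# Assumed list; overlay is included because live mode uses RAM overlays.
VIRTUAL_FS = {
    "proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "ramfs", "overlay",
    "cgroup2", "securityfs", "pstore", "bpf", "debugfs", "tracefs",
    "mqueue", "hugetlbfs", "configfs", "fusectl", "binfmt_misc",
    "efivarfs", "autofs", "squashfs",
}


def _unescape(field):
    # /proc/self/mounts encodes space, tab, newline and backslash as \ooo.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, fstype, set(options)), ...] in table order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        _source, target, fstype, opts = parts[:4]
        entries.append((_unescape(target), fstype, set(opts.split(","))))
    return entries


def writable_persistent_mounts(text):
    """Mountpoints mounted rw on a real (non-virtual) filesystem, which is
    what a live-hardener would want to remount read-only and overlay."""
    return [mp for mp, fstype, opts in parse_mounts(text)
            if "rw" in opts and fstype not in VIRTUAL_FS]


def live_state(text):
    """'semi-persistent' if / is read-only but /home is writable,
    'persistent' if any real filesystem is writable, otherwise 'live'."""
    top = {}
    for mp, fstype, opts in parse_mounts(text):
        top[mp] = (fstype, opts)  # later lines are stacked on top and win

    def is_rw(mp):
        if mp not in top:
            return False  # not a separate mount; inherits its parent
        fstype, opts = top[mp]
        return "rw" in opts and fstype not in VIRTUAL_FS

    if not is_rw("/") and is_rw("/home"):
        return "semi-persistent"
    if writable_persistent_mounts(text):
        return "persistent"
    return "live"


# Constructed sample tables (not captured from a real system).
SAMPLE_LIVE = """\
/dev/sda2 / ext4 ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/,upperdir=/run/live/upper,workdir=/run/live/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_SEMI = """\
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_PERSISTENT = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/user/My\\040Disk vfat rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    with open("/proc/self/mounts") as fh:
        live = fh.read()
    print(live_state(live), writable_persistent_mounts(live))
```

Reading the live mount table rather than <code>/etc/fstab</code> is what lets this catch filesystems that fstab never mentions (removable media, NFS, VM shared folders); the overlay case shows why stacked mounts must be resolved with "last entry wins" before deciding whether <code>/</code> is effectively writable.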
=== Get kloak v2 ready for alpha testing ===
Date: 2025-05-04
Fixed remaining known bugs in kloak v2, implemented command line parsing. There are likely still bugs and memory leaks, but it appears mostly usable at this point.
== 2025-05-03 ==
=== Mostly finish Kloak functionality ===
Date: 2025-05-03
Fixed tap to click and monitor hotplug issues, added input device hotplug support (libinput did most of the heavy lifting there for me), fixed a UI bug resulting in the virtual cursor not being fully drawn, and ''finally'' implemented jitter insertion! At this point the program is mostly done, there's some more bugs to fix and some code quality improvements to make but most of the functionality is now there!
== 2025-05-02 ==
=== More kloak v2 bugfixing, polish build system ===
Date: 2025-05-02
Removed generated code from the codebase and included the Wayland protocol XML files directly. Running <code>make</code> will generate needed additional files from those protocol files. Also fixed some mouse behavior issues, enabled touchpad tap-to-click, improved GUI update performance by doing incremental buffer updates, and removed a spurious warning.
== 2025-05-01 ==
=== Fix mouse and virtual cursor behavior in kloak v2 prototype when using multiple monitors ===
Date: 2025-05-01
Prevented the virtual cursor from going off-screen when using a monitor layout that leaves voids in the compositor-global space. This ended up being shockingly difficult but doable. The current implementation is somewhat rough and probably can be polished further, which is part of what I'll be working on tomorrow.
=== Test more changes to Dracut hostonly fixes ===
Date: 2025-05-01
Was pinged by a Fedora developer to retest a Dracut PR that makes sloppy hostonly initrds significantly more generic than previously. Tested on an encrypted Trixie VM, worked.
=== Make sysmaint-panel background for Whonix VMs distinct ===
Date: 2025-05-01
Previously sysmaint-panel always used a Kicksecure-like desktop background. This was confusing, so now a Kicksecure-like background is used on Kicksecure, a Whonix-Gateway background is used on Whonix-Gateway, a Whonix-Workstation background is used on Whonix-Workstation, and a black background is used on everything else.
=== Fix documentation and networking for RPi grml-debootstrap PR ===
Date: 2025-05-01
Documented the new RPi-related options in grml-debootstrap in the manpage. Also noticed that virtual machine images automatically use <code>--defaultinterfaces</code>, and made it so that Raspberry Pi installations worked the same way in that regard.
=== Further design work on browser-choice ===
Date: 2025-05-01
Reviewed Patrick's changes to the design documentation. Reworked some parts of plugin design, removed the ability to install or remove multiple packages for a single browser at once.
== 2025-04-30 ==
=== Multi-monitor support in kloak v2 prototype ===
Date: 2025-04-30
Got multi-monitor support and monitor hotplug ''mostly'' working. Some things aren't quite correct still, but the bulk of the work needed for this to be functional is now done. Still need to write code to keep the mouse from going beyond the boundaries of the screens, and there's some glitchiness that needs to be worked out.
=== curl-prgrs security review and polish ===
Date: 2025-04-30
Read through the source code of curl-prgrs (from helper-scripts), noticed some things that could use fixing and fixed them. Didn't find anything particularly worrying from a security standpoint.
=== Discuss, design browser choice application with Patrick ===
Date: 2025-04-30
Discussed the need for a browser choice application, internal and UI design elements, created mockups and tried to flesh out a rough idea of how it would be implemented under the hood.
== 2025-04-29 ==
=== Fix keyboard handling in kloak v2 prototype ===
Date: 2025-04-29
Got modifier keys to work. At this point multiple monitor and monitor hotplug support are our main remaining hurdles, once that's done we should be able to simply add the anonymizing code and this should be ready for testing.
=== Fix ISO boot menu consistency ===
Date: 2025-04-29
Figured out how to get the boot menu entries for the ISO's boot menu to be similar to those used on installed systems. Committed changes to three repos to make this work right.
== 2025-04-28 ==
=== Submit grml-debootstrap PR for following the Discoverable Partition Specification ===
Date: 2025-04-28
Got the DPS compliance code working, submitted it upstream for review. Only works on host operating systems that have a <code>parted</code> that supports the <code>type</code> command (for Debian that means Trixie and newer).
=== Document Wayland security shortcomings for labwc and other wlroots-based compositors ===
Date: 2025-04-28
Keylogging is still a possible concern on many Wayland compositors, including labwc. Documented why and gave links to info about the issues resulting in this problem.
=== Fix sysmaint-boot-cleanup error message during ISO shutdown ===
Date: 2025-04-28
This was only occurring if the ISO was booted in unrestricted admin mode, and was simply due to the fact that the unit was missing after uninstalling user-sysmaint-split (which is done automatically when booting in unrestricted admin mode). Changed user-sysmaint-split's prerm script to disable the systemd units shipped in user-sysmaint-split during uninstallation.
=== Fix inconsistencies in boot menu handling on installed systems ===
Date: 2025-04-28
Made it so that similar terminology was used whether user-sysmaint-split is installed or not, fixed font size for "Choose boot mode" text. Applied changes to both Kicksecure and Whonix.
== 2025-04-27 ==
=== More work on emulated input in kloak v2 ===
Date: 2025-04-27
Emulated input is now mostly working; the mouse works well on a single-screen system. Keyboard is still a bit of a mess since modifier keys aren't working; that will have to be sorted out later.
=== Add unrestricted admin boot mode for Kicksecure on Qubes ===
Date: 2025-04-27
This boot mode removes the user-sysmaint-split package during system boot to allow access to sudo. When used in AppVMs, this removal is only temporary due to the ephemeral nature of most of an AppVM's root filesystem.
=== Add CI to RPi grml-debootstrap PR ===
Date: 2025-04-27
Developed working Github Actions CI tests for the Raspberry Pi images. Added to the existing pull request.
== 2025-04-26 ==
=== Bugfixes and more features for Kloak v2 ===
Date: 2025-04-26
Fixed a few bugs in the kloak v2 implementation. Added relative pointer movement support, implemented mouse grabbing and some emulated input stuff. Next steps are to intercept keyboard events, then support for display and input hotplug, then the actual anonymization features can be implemented.
=== Review first-time source code contributor policy ===
Date: 2025-04-26
Read through the policy. Made a suggestion for how to clarify it, which Patrick approved of and implemented.
== 2025-04-25 ==
=== Work on grml-debootstrap CI for Raspberry Pi ===
Date: 2025-04-25
Played with QEMU on arm64 some, discovered limitations in ARM virtualization and asked upstream grml-debootstrap what approach I should take for further development.
=== Overhaul GRUB theme to avoid hardcoding ===
Date: 2025-04-25
Removed all hardcoded text from the GRUB theme images, replacing them with text labels. Also changed wording in order to work with Patrick's new boot menu design.
== 2025-04-24 ==
=== Fix spurious systemd-growfs errors on boot ===
Date: 2025-04-24
Patrick discovered that newly built VMs were showing systemd-growfs errors for no apparent reason. This was the result of an fstab file being erroneously included in the initramfs. Fixed this issue. Also reviewed a lot of previous changes to derivative-maker and fixed some bugs.
=== Add repository-dist-wizard button to sysmaint-panel ===
Date: 2025-04-24
Added a launcher button for repository-dist-wizard. Also discovered that pkexec was launching processes with the wrong umask value, asked for some help resolving this in #debian on OFTC and was able to fix the issue with their help. Pushed changes to both sysmaint-panel and security-misc.
=== Review and test further dracut PRs ===
Date: 2025-04-24
Work is underway upstream to make hostonly sloppy mode much more generic than previously. Tested some more code to help with this effort.
== 2025-04-23 ==
=== Harden tor-ctrl a bit more ===
Date: 2025-04-23
Added some extra code to tor-ctrl to make it more robust.
=== Finish preparing pvgrub2 patch, test on Arch Linux and submit to FSF ===
Date: 2025-04-23
Got the patch working on upstream GRUB, tested it thoroughly using both upstream GRUB and upstream Xen on Arch Linux. Submitted the patch to the FSF and informed ITL of the new submission attempt.
== 2025-04-22 ==
=== Make pvgrub2 patch more robust in preparation for resubmission to FSF ===
Date: 2025-04-22
Made the validation code stricter, also made it so that parameters from Xen will only be turned into GRUB environment variables if they start with <code>xen_grub_env_</code>. Still need to test this in a vanilla setting before this is ready to send to the FSF a second time.
=== Test Dracut hostonly-related PRs ===
Date: 2025-04-22
Tested a couple of PRs from jozzsi and reported back the results. Looks like we likely have a good path forward for getting hostonly mode to work as needed and avoid problems with encrypted systems.
=== Discuss movement of kloak project maintenance to Whonix ===
Date: 2025-04-22
Wrote a comment to vmonaco indicating that Whonix would be fine with being the official kloak upstream, and also mentioning our current plans for rewriting kloak. vmonaco intends to comment on our current implementation plans on the Whonix forums.
=== Research P argument to slub_debug ===
Date: 2025-04-22
Researched what the P argument (poisoning) to slub_debug would do and whether it would be useful for us to improve security. Discovered that it will actually reduce security, and advised against setting it.
== 2025-04-21 ==
=== More kloak v2 development, publish current prototype state on Github ===
Date: 2025-04-21
Got a layer-shell surface with a transparent overlay displaying a sort of virtual cursor to work. Hardware support is still very limited and functionality is sorely lacking (there aren't actually any anonymization features yet), but most of the proof-of-concept work is done at this point and further development should hopefully be substantially easier and quicker.
=== Further discussion on Dracut hostonly configuration ===
Date: 2025-04-21
Continued to discuss problems with the current state of Dracut's hostonly options with the maintainers and other distro developers. Probably will be testing PRs tomorrow.
== 2025-04-20 ==
=== Continue to work on kloak v2 prototype ===
Date: 2025-04-20
So far I have managed to create a drawable surface under Wayland, which will be important to the virtual cursor feature intended for kloak v2. Working on wiring in libinput.
=== Security audit tor-ctrl source code ===
Date: 2025-04-20
Read through the entire source code of tor-ctrl, looking for potential security issues. Reported results to Patrick in chat.
== 2025-04-18 ==
=== Investigate issues caused by invalid symlinks in Git repositories and other contexts ===
Date: 2025-04-18
After we had a symlink in helper-scripts whose target filename was actually the file contents of a script, Patrick asked me to research the security impact of weird symlinks like this. In my testing, the only real problem I could cause with weird symlinks is making a Git repo unable to be cloned until symlinks were disabled, by committing and pushing a symlink with an overly long name to the repository. This is not a severe issue and is not considered a security problem by Git upstream. I also observed that symlinks could be used as a form of data storage, but this in and of itself isn't a security hazard.
=== Attempt to reproduce /tmp/user/1000 root ownership issue under Qubes ===
Date: 2025-04-18
Marek reported that a Whonix-Gateway template was encountering issues with <code>/tmp/user/1000</code> being owned by the root user during a test. I attempted to reproduce this on Qubes R4.3, but was unable to do so and could not find a likely culprit for the issue.
=== Switch derivative-maker and live-build to using new Dracut autobuild prevention mechanism ===
Date: 2025-04-18
For the sake of build speed, we wanted to stop building and rebuilding the initramfs multiple times during the image build procedures for Kicksecure and Whonix. Patrick implemented a very good solution for this for VMs, I ported that solution to work for ISO builds as well.
=== Verify ram-wipe on Trixie works without LUKS ===
Date: 2025-04-18
Successfully got ram-wipe working on a Debian Trixie VM without LUKS disk encryption. Reported steps for build and installation to 3mdeb.
== 2025-04-17 ==
=== Fix privleapd stdout streaming and sdwdate-log-viewer ===
Date: 2025-04-17
Discovered why privleapd's stdout streaming wasn't working properly (using blocking I/O when non-blocking was needed), and fixed it. Also resolved some buffering issues and added the ability for leaprun to tell privleapd to prematurely terminate an action it requested. Finally, made sdwdate-log-viewer stream log output rather than only sending info once.
=== Review systemd-repart changes by Patrick ===
Date: 2025-04-17
Reviewed, looks good to me, should keep systemd-repart from being used on anything except newly built VMs.
=== Debug dracut+LUKS failure on Trixie, help fix ram-wipe issues on LUKS systems ===
Date: 2025-04-17
Discovered that dracut was failing to install the crypttab file into the initramfs during initramfs generation. Filed a Debian bug for fixing this and shared a workaround with 3mdeb. Also found and helped fix some ram-wipe problems. Reportedly ram-wipe is still not working on non-LUKS systems for some reason though, going to continue debugging that tomorrow.
== 2025-04-15 ==
=== Fix sysmaint-boot failure on first sysmaint login ===
Date: 2025-04-15
Discovered that user-sysmaint-split's sysmaint-boot script was failing on the first sysmaint login, due to an issue with the home directory for the sysmaint account not yet existing. Resolved this by moving some configuration writing code to sysmaint-session and sysmaint-session-wayland. Also did some refactoring to reduce code duplication between the two session scripts.
=== Fix weird symlinks in helper-scripts ===
Date: 2025-04-15
Patrick had symlinks turned off in Git, and so the symlinks for <code>append-once</code> and <code>overwrite</code> were appearing as plaintext files for him. He then attempted to replace the symlinks with scripts, but Git converted the scripts back into symlinks in a very weird way. Fixed this, replacing the broken symlinks with real script files.
=== Rework systemd-repart code ===
Date: 2025-04-15
My initial systemd-repart root resizing implementation was wrong, because it enabled systemd-repart for all systems, including existing systems. We only want it enabled on newly built VMs. Reworked systemd-repart support to do this (though Patrick has pointed out since then that it will still be enabled on distribution morphed systems, so this wound up being incomplete).
=== Further research for kloak version 2, start writing boilerplate code ===
Date: 2025-04-15
Did a lot of research for figuring out how to create a Wayland client that will allow drawing the virtual cursor planned for this. Also wrote a high-level overview of how the updated kloak code will work internally to use as a roadmap. Still mostly in the research stage at this point.
== 2025-04-14 ==
=== Research libei, layer-shell, xtest implementation details for kloak mouse fingerprinting prevention ===
Date: 2025-04-14
Did a lot of research into different components that could be used in implementing mouse fingerprinting prevention, on both X11 and Wayland. An implementation that works on both platforms may be difficult, but Patrick has indicated he'd be happy with a Wayland-only solution. Unless an X11-capable implementation turns out to be relatively easy to implement, Wayland will be the target for the new features of kloak.
=== Find "fix" for RPi4 USB boot, publish abridged instructions on RPi Debian bug tracker ===
Date: 2025-04-14
Discovered that the issue with RPi4 USB boot not working with U-Boot was a consequence of the version of U-Boot in Bookworm, and isn't a problem in Trixie. Also found a likely reason for why things were broken, which I documented. Posted instructions on converting a Debian RPi installation to using U-Boot + GRUB on the Debian RPi bug tracker.
=== Review, discuss RAM dump utility from 3mdeb ===
Date: 2025-04-14
Looked over the UEFI application code for dumping RAM created by 3mdeb. Suggested some efficiency improvements.
== 2025-04-13 ==
=== Continue verified boot firmware discussion ===
Date: 2025-04-13
Reviewed a video shared by 3mdeb on implementing the measured boot and firmware authentication features currently in Heads, in UEFI. Left some feedback.
=== Review, correct some information on Raspberry Pi 4 boot ===
Date: 2025-04-13
Looked at Patrick's reformatting of the RPi 4 boot documentation, noticed some inaccuracies in the data I had previously written and some issues and fixed them.
== 2025-04-11 ==
=== Review stcatv from Ben Grande ===
Date: 2025-04-11
Code looked good to me and worked in testing. Asked for a change to be made, otherwise approved of the new utility.
=== Re-review and test pstore crash log disabling PR ===
Date: 2025-04-11
Reviewed latest changes, tested and verified they work. Approved and handed off to Patrick.
=== Further debugging and research on mouse fingerprinting ===
Date: 2025-04-11
Managed to get touchpad fingerprinting resistance working to some degree. The current implementation of mouse fingerprinting resistance causes significant lag and choppiness in mouse movement; Patrick and I discussed some ideas for how we could avoid that in the final version of the code.
=== File feature request for Debian-signed shim binaries ===
Date: 2025-04-11
Filed a wishlist bug upstream asking for Debian-signed shim binaries to be made available. This should eventually help Debian be better-supported by the verified boot firmware that we're currently designing.
=== Implement FDE passphrase changing in helper-scripts and sysmaint-panel, firmware discussion ===
Date: 2025-04-11
Created the crypt-pwchange script in helper-scripts and integrated it into sysmaint-panel. Tested, works well. Also discussed firmware and verified boot some more with Patrick and 3mdeb.
== 2025-04-10 ==
=== Polish, publish enhanced mouse fingerprinting prevention for kloak ===
Date: 2025-04-10
Found and resolved a bug that was causing horizontal motion to be strangely restricted when kloak was enabled. Also fixed an undesirable behavior leading to the mouse pointer jumping in straight horizontal and vertical lines. Pushed changes to Git, and left notes on the forums. Touchpad events still need to be anonymized better.
=== Add button for changing the GRUB password to sysmaint-panel ===
Date: 2025-04-10
Patrick wrote a GRUB password changer utility; this utility is now exposed in the sysmaint-panel user interface for easy access.
=== Research, implement systemd-repart automatic resizing ===
Date: 2025-04-10
Learned how to use systemd-repart and systemd-growfs to automatically take advantage of all space in a grown disk image. Once the research was done, it turned out to be relatively easy to implement for real, so I did so.
=== File upstream feature requests to Debian for U-Boot + GRUB RPi support ===
Date: 2025-04-10
Also asked the grml-debootstrap people if they'd be happy with implementing such support when and if it is present upstream.
=== Finish writing append, append-once, overwrite utilities ===
Date: 2025-04-10
Wrote all three utilities into one file as a multicall executable with symlinks for accessing the other modes.
== 2025-04-09 ==
=== Rewrite append-once ===
Date: 2025-04-09
The bash version of <code>append-once</code> had some shortcomings both functionally and code-related. Rewrote it in Python to provide better error handling, performance, and edge case handling. Still need to implement a couple of other tools (namely <code>append</code> and <code>overwrite</code>).
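As an added illustration of the multicall layout used for the append, append-once and overwrite helpers (one file, three symlinks, mode chosen from argv[0]) and of the edge cases a Python rewrite of append-once has to handle, the following is a constructed example, not the helper-scripts code; the function names, file names and sample lines are assumptions:

```python
"""Multicall append / append-once / overwrite tool (constructed example).
The mode comes from the name the program was invoked under (argv[0]), so
three symlinks to this one file give three commands:
    append      FILE TEXT   append TEXT as a new line, unconditionally
    append-once FILE LINE   append LINE only if no identical line exists
    overwrite   FILE TEXT   replace the file's contents with TEXT
"""
import os
import sys
import tempfile

def _read_lines(path):
    """Lines of path without line endings; empty list if it is missing."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read().splitlines()
    except FileNotFoundError:
        return []

def _ends_with_newline(path):
    """True if path is missing, empty, or its last byte is a newline.
    Only the final byte is read, so large files are never loaded whole."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            if fh.tell() == 0:
                return True
            fh.seek(-1, os.SEEK_END)
            return fh.read(1) == b"\n"
    except FileNotFoundError:
        return True

def append(path, text):
    """Append text as one newline-terminated line; first terminate an
    unterminated last line so the new text is never glued onto it."""
    prefix = "" if _ends_with_newline(path) else "\n"
    # Append mode gives O_APPEND semantics: the write lands at the end
    # even if another process appended to the file in the meantime.
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(prefix + text.rstrip("\n") + "\n")
    return True

def append_once(path, line):
    """Append line unless an identical whole line already exists.
    Returns True if written, False if it was already present."""
    wanted = line.rstrip("\n")
    if "\n" in wanted:
        raise ValueError("append-once takes exactly one line")
    if wanted in _read_lines(path):  # whole-line match, not a substring
        return False
    return append(path, wanted)

def overwrite(path, text):
    """Replace the contents atomically: write a temp file in the same
    directory, keep the original permission bits, then rename it over the
    target so a crash mid-write never leaves a truncated file behind."""
    try:
        perm = os.stat(path).st_mode & 0o7777
    except FileNotFoundError:
        perm = None
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text.rstrip("\n") + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        if perm is not None:
            os.chmod(tmp, perm)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True

MODES = {"append": append, "append-once": append_once, "overwrite": overwrite}

def dispatch(argv):
    """Pick the mode from the invoked program name (argv[0]) and run it."""
    mode = os.path.basename(argv[0])
    if mode not in MODES or len(argv) != 3:
        raise SystemExit("usage: {append|append-once|overwrite} FILE TEXT")
    return MODES[mode](argv[1], argv[2])

def demo():
    """Exercise all three modes on a constructed file in a temp dir; returns
    (append-once results, lines after append, lines after overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.conf")
        once = [
            dispatch(["/usr/bin/append-once", path, "alpha"]),  # True
            dispatch(["/usr/bin/append-once", path, "alpha"]),  # False
            dispatch(["/usr/bin/append-once", path, "alph"]),   # True
        ]
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("unterminated")  # simulate a file lacking a final newline
        dispatch(["/usr/bin/append", path, "beta"])
        after_append = _read_lines(path)
        dispatch(["/usr/bin/overwrite", path, "fresh"])
        return once, after_append, _read_lines(path)

if __name__ == "__main__":
    dispatch(sys.argv)
```

Installed as one script with <code>append-once</code> and <code>overwrite</code> symlinked to it, each name selects its mode; note that the rename in overwrite gives the target a new inode, so hard links to the old file are not updated.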
=== Run updatecheck in sysmaint sessions ===
Date: 2025-04-09
updatecheck is now usable and useful in a sysmaint session after Patrick's extensive enhancements, so it is now enabled in sysmaint sessions.
=== Fix possible lockout scenario with a normal user account automatically logging into a sysmaint session ===
Date: 2025-04-09
Due to changes that had been made to the sysmaint session script, it was no longer terminating when the sysmaint-panel application terminated. This meant if you attempted to log into a sysmaint session using a normal user account, you would be given a failure message and then left on a black screen. If this happened automatically due to corrupted autologin state, this would essentially lock the user out of the system until they disabled autologin in sysmaint mode. Resolved this by making the entire sysmaint session terminate once sysmaint-panel terminates.
=== Discuss verified boot and firmware with 3mdeb ===
Date: 2025-04-09
Discussion ongoing, initial chat was relatively brief but a ''lot'' of good info was shared by both sides.
=== Test and polish RPi grml-debootstrap pull request, mark as ready for review ===
Date: 2025-04-09
Ran thorough tests for both native and cross builds on the RPi image support PR. Found and fixed a couple of issues in the process. The PR is now marked ready for review, and can hopefully be merged soon.
== 2025-04-08 ==
=== Prototype enhanced mouse fingerprinting protection ===
Date: 2025-04-08
Implemented the mouse fingerprinting protection algorithm I described earlier on the Whonix forums. This ended up running into a substantial hurdle, which I mentioned on the forums. The general idea appears sound, but some additional effort will be required to make it actually work correctly. See
https://forums.whonix.org/t/better-mouse-obfuscation/21445/3
=== Ensure update-grub is called when switching initramfs generators ===
Date: 2025-04-08
While researching live mode detection, I found out that the GRUB configuration wasn't being regenerated when switching from dracut to initramfs-tools or vice versa. Determined why and pushed a fix in grub-live.
=== Research more robust live mode detection ===
Date: 2025-04-08
Looked at the mount info for the root directory in various different boot modes (persistent, live dracut, live initramfs-tools, iso live). The returned info is different for the modes that need to be differentiated, and can potentially be used rather than kernel parameters. Also looked at the source code of live-boot and dracut to see how reliable the mount info was.
=== Review updatecheck in detail ===
Date: 2025-04-08
Read through all of the goals Patrick wrote down for updatecheck and reviewed the code to see if they were implemented as intended. Found and fixed a minor bug and polished the documentation a bit in the process.
=== Fix assumption that user-sysmaint-split is installed in setup-wizard-dist ===
Date: 2025-04-08
Fixed setup-wizard-dist so that it can detect whether user-sysmaint-split is installed or not and adjust the documentation it shows accordingly.
=== Polish and add Qubes information to user-sysmaint-split documentation ===
Date: 2025-04-08
Read through the entire user-sysmaint-split Wiki page, corrected some issues and added missing data, and added documentation related to Qubes OS.
=== Review, suggest ways of improving append-once ===
Date: 2025-04-08
Read through append-once, wrote down some possible shortcomings and how they could be resolved. I'm wanting to port this to Python, so I didn't actually do the work yet, since I don't want to do this and then find out that was the wrong thing to do.
=== Start discussion about RPi GRUB + U-Boot support upstream ===
Date: 2025-04-08
Sent an email to the Debian RPi image maintainer and the debian-arm mailing list regarding our work on GRUB + U-Boot support on the Raspberry Pi. Gave links to the currently ongoing work and guides and offered to help with upstreaming it.
=== Research, comment on trailing whitespace dangers ===
Date: 2025-04-08
Wrote a comment about trailing whitespace and its potential dangers on the Whonix forums, after researching ways it could be used maliciously and creating examples.
== 2025-04-07 ==
=== Enhance software management in sysmaint-panel ===
Date: 2025-04-07
Added package reinstall, remove, purge, and override actions to the software management window in sysmaint-panel. Also added some built-in documentation.
=== Work out rough edges in Raspberry Pi bootloader documentation ===
Date: 2025-04-07
Figured out how to get u-boot to boot the Pi automatically and documented how. Also fixed a few more issues, added detailed documentation on the configuration placed in config.txt, and added ideas for working around a problematic postinst script in raspi-firmware.
=== Review minimal firmware + advanced bootloader wiki draft ===
Date: 2025-04-07
Reviewed Patrick's writeup on a firmware and bootloader combination that might make Verified Boot simpler and more secure. Added some fixes and enhancements, including a more in-depth boot flow concept.
== 2025-04-06 ==
=== Tint terminal red in sysmaint mode ===
Date: 2025-04-06
Added some framework to sysmaint-boot for doing one-time sysmaint user configuration modifications. Used that new framework to set the sysmaint user's terminal color to a shade of dark-ish red to warn about admin access and remind the user what mode they're in.
=== Research depthcharge firmware ===
Date: 2025-04-06
Looked into what depthcharge was, how the boot process works with it, and what features it offers. Does not appear to be directly usable for our use case. Documented what features it offers and why it is likely non-ideal.
=== Fix updatecheck UI, add Internet connection checking ===
Date: 2025-04-06
Added a test to updatecheck to see if a non-loopback IP was available (indicating possible Internet access), this way updatecheck can stay quiet if it is being used on a fully airgapped system. (This can be fooled if the system is connected to a network without Internet access, however we don't want to ping an external IP for privacy reasons.) Also fixed a user interface issue so that notifications look and work better.
=== Polish Unicode scanning utility ===
Date: 2025-04-06
Looked at Patrick's unicode-show script, made it more efficient and made it show trailing whitespace as potentially dangerous.
=== Research, document booting Debian on the RPi 4 with U-Boot and GRUB ===
Date: 2025-04-06
Successfully got Debian 13 to boot on a Raspberry Pi 4B with 8 GB RAM, using U-Boot and GRUB rather than using direct kernel boot. Documented the full process on the boot development wiki page.
== 2025-04-05 ==
=== Review bad Unicode detection tooling, discuss firmware ===
Date: 2025-04-05
Reviewed all of the new tooling Patrick wrote for bad Unicode detection. Identified some potential issues and filed followup tickets. Also discussed RPi and firmware development with Patrick.
=== Review latest safe-print changes, fix minor issues and file followup ticket ===
Date: 2025-04-05
Fixed a couple of manpage issues and an unneeded dependency in debian/control, and filed a ticket for improving the efficiency of sttee.
=== Fix bug preventing grml-debootstrap OS installation on some physical devices ===
Date: 2025-04-05
Discovered that it was impossible to use grml-debootstrap to install to a device named <code>/dev/sda</code>, due to how device names were being handled. Created a bugfix and appended it to my RPi support PR.
== 2025-04-04 ==
=== Develop preliminary Raspberry Pi support in grml-debootstrap ===
Date: 2025-04-04
Added the ability to generate Raspberry Pi images to grml-debootstrap. So far it seems to work fairly well; I was able to create a bootable image that I could flash to an SD card and boot up on the Pi. Still needs to be thoroughly tested.
=== Submit GRUB boot mode patch on grub-devel mailing list ===
Date: 2025-04-04
Finished preparing the patch and sent it upstream as a draft, requesting feedback and noting some potential issues.
== 2025-04-03 ==
=== Attempt to test GRUB boot mode patch on Fedora, prep to send upstream ===
Date: 2025-04-03
Attempted to build vanilla Xen and GRUB from source, so I could test my patch in an otherwise unmodified environment. Used Fedora 41 as the host OS. Unfortunately, due to seemingly pervasive linker bugs, I was unable to actually test in this environment. Did most of the prep work for sending the patch upstream to the FSF.
== 2025-04-02 ==
=== Test PV mode for pvgrub PR for boot modes ===
Date: 2025-04-02
Figured out why PV mode wasn't working for me (it was most likely an issue with the VM itself), and managed to test PV mode pretty thoroughly. Posted test results on the GitHub draft PR.
=== Improve privleap messaging when trying to create a comm socket for an expected disallowed user ===
Date: 2025-04-02
There are some users on a Kicksecure or Whonix system that can be expected to try to create a comm socket, but that shouldn't actually be allowed to have one. (The <code>lightdm</code> and <code>sddm</code> users are good examples - these users are fully logged in when the greeter screen is displayed, but they shouldn't be allowed to run leaprun actions.) Added the needed bits to privleap so that expected disallowed users can be configured and the error messages surrounding them can be handled properly.
=== Fix Whonix X event buffering PR ===
Date: 2025-04-02
Marek pointed out that newly created Whonix VMs wouldn't end up with event buffering enabled until a qubesd restart with the current PR. Fixed this.
=== Prevent custom autologin configuration from breaking sysmaint boot ===
Date: 2025-04-02
Made the configuration files that trigger graphical sysmaint autologin much higher in priority than they were previously, to keep user configuration from overriding them. If a user overrides them anyway, they will almost certainly have done so intentionally.
=== Get sysmaint live mode working ===
Date: 2025-04-02
Some of our bootloader config generator scripts had a bug that was resulting in the root disk not being mounted in sysmaint live mode. This has now been corrected.
== 2025-04-01 ==
=== Polish pvgrub Xen cmdline support, begin thorough testing ===
Date: 2025-04-01
Fixed several issues with the Xen command line parsing in pvgrub, including adding string sanitization and working overflow checking. PVH mode seems to be working very well, however PV mode is broken for unknown reasons (the command line isn't being seen at all).
== 2025-03-31 ==
=== Create prototype PR with pvgrub Xen cmdline support ===
Date: 2025-03-31
Got Xen command line parsing to work reasonably well in pvgrub. Published a draft PR with the patch. It's not perfect yet, but the concept is working well and points to work on are identified.
== 2025-03-30 ==
=== Further work on pvgrub and boot modes ===
Date: 2025-03-30
Got the prototype code to work entirely. Now working on writing an actual parser for the Xen command line passed to pvgrub, making it export secondary kernel parameters as an environment variable that can be used within grub.cfg (as per Marek's request in the Qubes Matrix room).
=== Implement --check option in leaprun ===
Date: 2025-03-30
Added a --check option to leaprun (and support for it in privleapd) for checking if a user is authorized to run a particular action. Also wrote regression tests for it.
== 2025-03-29 ==
=== More pvgrub experimentation ===
Date: 2025-03-28
Got basic kernel parameter passing to work with PV virtualization, still working on getting PVH to work. (Fighting with symbol definitions there, I can't quite get the Linux kernel loader code to access a pvh start info structure from Xen. Probably just a linker issue.) Also discussed the eventual implementation end goal with Marek.
== 2025-03-28 ==
=== Investigate pvgrub modifications for enabling boot modes with in-vm kernels on Qubes ===
Date: 2025-03-28
Looked into what pvgrub was, how it worked, what features it offered at the moment, and what could be done to extend it to allow getting kernel parameters from dom0 into a VM using an in-vm kernel. Created a prototype patch that takes the Xen-provided command line to GRUB, and appends it to the Linux kernel command line. It doesn't build properly yet, and this implementation won't be usable in the long run, but once the basic idea works, it can be fleshed out into something better.
=== Test and debug IPv6 PRs ===
Date: 2025-03-28
Did a significant amount of testing on Daniel's IPv6 PRs. Found and reported some bugs, overall looks very promising, just has some rough edges to smooth out.
== 2025-03-27 ==
=== Re-review DanWin's IPv6 PRs ===
Date: 2025-03-27
Did a full review of DanWin's IPv6 pull requests, finding a few points of concern and pointing them out. Also prepared to test the PRs, I intend on doing the testing tomorrow.
=== Lots of bug discovery and fixing ===
Date: 2025-03-27
While trying to get the screen lock button working in sysmaint-panel, I uncovered quite a few bugs in the Kicksecure stack (autologinchange warning about missing passwords at the wrong times, updatecheck's systemd unit starting improperly in sysmaint sessions, and repository-dist not making a derivative.list file on first boot if first boot is into a sysmaint session). Got the screen lock button fixed, and also fixed the other discovered bugs.
== 2025-03-26 ==
=== Add screen lock button to sysmaint-panel (mostly working) ===
Date: 2025-03-26
Added a button to sysmaint-panel for immediately locking the screen. Doesn't entirely work yet as the xscreensaver daemon isn't being started, and my initial attempts at getting it to start properly are not working.
=== Implement lightweight update notifier ===
Date: 2025-03-26
Added a lightweight notification system to systemcheck for informing the user when system updates are available. This does NOT offer to install the updates for the user, but does direct them to use the system maintenance panel for installing updates. It might be useful in the future to remove the redirect to sysmaint-panel if sysmaint-panel isn't actually installed.
=== Added autologin and password warnings to pwchange and autologinchange respectively ===
Date: 2025-03-26
Changed pwchange to warn when setting a password for a user if autologin is enabled for that user. Also changed autologinchange to warn if no password is set for a user when disabling autologin for that user.
=== Improve documentation for user-sysmaint-split ===
Date: 2025-03-26
Added more detailed Qubes OS documentation for user-sysmaint-split. Also documented how to use the user-sysmaint-split uninstallation boot option.
=== Fix error message when launching sysmaint-panel from account 'user' in sysmaint mode ===
Date: 2025-03-26
Added a new dialog to sysmaint-panel for dealing with this particular error edge case, directing the user to sign in with account <code>sysmaint</code>.
=== Add timeout locking for sysmaint-panel buttons ===
Date: 2025-03-26
Added code to sysmaint-panel to make it so most buttons in the panel lock into disabled mode after being clicked and take five seconds to unlock, thus reducing the likelihood of accidental double-clicks.
=== Remedy confusion with updates installation button in sysmaint-panel ===
Date: 2025-03-26
Made it so that both the "Check for Updates" and "Install Updates" buttons work without password authentication even if a password is set on the sysmaint account. Also made the "Install Updates" button check for updates first.
=== Fix output formatting issue with sysmaint-panel launched commands ===
Date: 2025-03-26
Fixed the output format so that commands run with terminal-wrapper show with all arguments on one line rather than one argument per line.
== 2025-03-25 ==
=== Polish login security documentation ===
Date: 2025-03-25
Moved around and polished the documentation for password and autologin configuration. Also wrote documentation for the System Maintenance Panel, and added some info about login security and when it matters to the Login wiki page. Adjusted systemcheck to point to the Login wiki page for documentation on login security, and also made sysmaint-panel be installed by default on Kicksecure.
=== Fix autologinchange output ===
Date: 2025-03-25
autologinchange was outputting information to both stdout and stderr without any clear reason for why each stream was chosen. Corrected this. Also prevented notifications about GUI autologin not being configurable under Qubes OS from showing up during upgrades, and added an "INFO:" prefix to that same notification.
=== Refactor qrexec overrides in user-sysmaint-split ===
Date: 2025-03-25
Discussed downsides of the qrexec override mechanism in user-sysmaint-split, and ways to improve it. Came up with a better method to use here and implemented it.
=== Document purposes of GRUB configuration files on the Kicksecure ISO ===
Date: 2025-03-25
Documented each file in the Kicksecure ISO's GRUB configuration, along with what purpose it serves. Documentation is in a similar style to the previously written documentation about how Kicksecure and Whonix packages affect GRUB configuration.
=== Discuss and fix grub-cloud handling ===
Date: 2025-03-25
Discussed whether or not to nullify the GRUB_TERMINAL and GRUB_TERMINAL_OUTPUT variables in VM images with Patrick. Ultimately we decided to nullify both variables.
== 2025-03-24 ==
=== Research mouse fingerprinting prevention techniques ===
Date: 2025-03-24
Looked into how to better frustrate mouse fingerprinting with kloak. Wrote down an implementation plan and rationale on the Whonix forums and also asked Qubes OS developers for input in the Qubes OS Matrix room.
=== Briefly research how to implement software update notifications ===
Date: 2025-03-24
Looked at systemcheckdaemon, which later became canary-daemon. Discussed how to implement software update notifications with Patrick.
=== Adjust X event buffering enablement PR for Qubes ===
Date: 2025-03-24
Adjusted my PR to qubes-core-admin-addon-whonix so that existing Whonix VMs also had X event buffering enabled. Tested, works.
=== Review grml-debootstrap sw-raid simplification PR ===
Date: 2025-03-24
Reviewed a PR from zeha on grml-debootstrap that merged non-sw-raid and sw-raid code paths for GRUB installation. Looked good, worked well for Kicksecure.
== 2025-03-23 ==
=== Reduce derivative-maker ISO build times by avoiding some needless initramfs updates ===
Date: 2025-03-23
Got dracut to be installed earlier in the build process when making a Kicksecure ISO, and modified live-build so that it skips some unnecessary initramfs regenerations. This patch isn't perfect, but it took the number of initramfs updates from nine down to five, a 50% reduction in unnecessary builds. This made amd64 builds about two and a half minutes faster.
=== Documented Kicksecure and Whonix packages that affect GRUB ===
Date: 2025-03-23
Added documentation to the GRUB development page about what packages in Kicksecure and Whonix affect GRUB, and how. Also reorganized some of the existing documentation about upstream bootloader packages.
=== Fix fallback bootloader installation in upstream Calamares ===
Date: 2025-03-23
Made a PR in Calamares for fixing fallback bootloader installation for Debian, by adding distro-specific code. This PR might not end up being merged however, as dalto8 does not like the idea of adding distro-specific code like this to Calamares. Discussed briefly on Github.
=== Adjust Calamares configuration to write to /etc/default/grub.d rather than /etc/default/grub ===
Date: 2025-03-23
Calamares provides a <code>prefer_grub_d</code> option in its grubcfg module, so I enabled that. Unfortunately, the feature was broken for Debian (it didn't add a <code>.cfg</code> filename extension at the end of the configuration file it generates), so this wasn't enough on its own. Added some workaround configuration and made a (now merged) PR fixing the feature upstream.
=== Create PR for enabling X event buffering on new Whonix VMs ===
Date: 2025-03-23
Created a PR for qubes-core-admin-addon-whonix that enables event buffering on new VMs. This isn't complete though, Patrick would prefer if it was effective for existing VMs as well.
=== Thoroughly review stprint, specifically utility emulation ===
Date: 2025-03-23
Re-reviewed the entirety of stprint, focusing particularly on the utility emulation features. Left change requests.
== 2025-03-22 ==
=== Fix fallback bootloader installation with GRUB code improvements in grml-debootstrap ===
Date: 2025-03-22
The continuous integration tests for grml-debootstrap stopped passing after my last PR, because ARM64 images couldn't boot. This was because I was failing to instruct grub-install to install GRUB to the fallback bootloader location as well.
== 2025-03-21 ==
=== Deduplicate GRUB installation code in grml-debootstrap ===
Date: 2025-03-21
Refactored parts of grml-debootstrap to remove the <code>grub_install</code> function from the main grml-debootstrap script, leaving only the GRUB installation code in chroot-script.
== 2025-03-20 ==
=== Review and comment on stprint utility emulation ===
Date: 2025-03-20
Patrick requested that Ben add some features to the stprint PR for emulating several common tools like cat, echo, sponge, tee, etc., adding ANSI sequence sanitization to the functionality generally offered by these tools. I looked over a sample implementation proposed by Ben and left some comments.
=== Adapt user-sysmaint-split to work seamlessly with Qubes OS ===
Date: 2025-03-20
Modified several Kicksecure components so that user-sysmaint-split "just works" on Qubes OS. Boot modes are advertised and set up, qrexec and qubesdb overrides are put in place to switch the default user to <code>sysmaint</code>, and several things that didn't work right under Qubes (such as some buttons in sysmaint-panel and the feature that kept the sysmaint user from logging into a non-sysmaint graphical session) were fixed so they work right. Waiting on an upstream PR to qubes-core-qrexec before this is ready for review and merge.
== 2025-03-19 ==
=== Review and comment on 3mdeb verified boot work ===
Date: 2025-03-19
Read through all of the documentation written in 3mdeb's Verified Boot repository, adding comments where appropriate. Also discussed solutions for verified boot on mutable Linux distros with Patrick.
=== Polish qrexec enhancement for user-sysmaint-split ===
Date: 2025-03-19
Working on the patch to allow ephemeral qrexec config to work. The existing implementation manually made a directory using <code>mkdir</code> in a systemd unit, which was clunky and able to be replaced with the help of systemd-tmpfiles. Reimplemented the change with systemd-tmpfiles at Marek's request.
=== Review final implementation of grml-debootstrap compatibility patch ===
Date: 2025-03-19
Patrick made changes to my existing patch to make it cleaner and make it work on his machine (for some reason my patch worked on my machine but not his). Looked good to me.
== 2025-03-18 ==
=== Investigate, begin work on enabling user-sysmaint-split and boot modes by default in Qubes-Whonix-Workstation ===
Date: 2025-03-18
Started looking into what's necessary to get user-sysmaint-split installed by default, enabled, and working properly on Whonix-Workstation under Qubes OS. The current plan after discussion with Marek is to force apps to launch as user <code>sysmaint</code> when booted in sysmaint mode, and override several other things to "sysmaint-ify" the system when booted in this mode. A Qubes feature that allows configuration for qrexec to be put in an ephemeral location is currently being worked on by me.
=== Improve systemcheck login security table output ===
Date: 2025-03-18
Made the table systemcheck displays in the check_login_security step more orderly and easier to understand.
=== Research permission-hardener failure with files under /usr/lib/live/mount ===
Date: 2025-03-18
Investigated a bug report with permission-hardener failing to harden several files located under /usr/lib/live/mount. In conclusion, it looks like the user probably tried to distribution-morph a Debian Live ISO rather than using Kicksecure's Live ISO. This isn't supported. We should add code to permission-hardener to warn if a user tries this.
== 2025-03-17 ==
=== Clarify autologin details ===
Date: 2025-03-17
Added some lightweight documentation so that users would know that the autologin configuration tooling in Kicksecure only handled GUI autologin, not CLI autologin.
=== Redo grml-debootstrap compatibility patch for derivative-maker ===
Date: 2025-03-17
Discussed with Patrick the best way to implement the derivative-maker patch for making it compatible with the newest version of grml-debootstrap. Re-implemented the patch in a different way based on our discussion. Tested, works.
=== Fix user mixup bug in privleap ===
Date: 2025-03-17
While fixing a bug with PAM integration, I accidentally introduced a bug that resulted in environment variables in privleap actions being mixed up as a result of getting the calling user and target user confused. This is now fixed, and additional tests have been added to the test suite so that this kind of bug is very unlikely to go unnoticed in the future.
== 2025-03-16 ==
=== Adjust derivative-maker to work with new grml-debootstrap code ===
Date: 2025-03-16
The grml-debootstrap PR for better GRUB UEFI handling was merged a few days back, but derivative-maker was not yet ready to use it for building Kicksecure images. Added code that enables the newer version of grml-debootstrap to be used properly. This currently directly edits /etc/default/grub rather than diverting it to avoid causing problems with the normal, non-cloud GRUB bootloader packages (which use ucf rather than traditional conffiles). Patrick had wanted to use a diverting solution, so more discussion and possibly reworking will probably be done on this before merge.
=== Review and benchmark new safe-print code from Ben Grande ===
Date: 2025-03-16
Ben found a (generally) much faster way to sanitize text in stprint, and requested I benchmark it to ensure it actually was faster reliably. I reviewed the new code, then did benchmarking and reported the results. The new way of sanitizing text is indeed much faster in almost all situations, with the exception of being barely slower when dealing with very short input strings.
=== Audit and complete privleap logging improvements ===
Date: 2025-03-16
Looked at all places where privleap executables (including privleapd) log or output data for the user to look at, and ensured the wording changes requested by Patrick were applied and passed regression tests.
=== Discuss, review, polish password and autologin handling ===
Date: 2025-03-16
All of the password and autologin handling code was merged, but there were (seemingly) a few loose ends to clean up. After some discussion and study, it turned out there were quite a few things left to fix up, such as sysmaint account handling when user-sysmaint-split wasn't installed, proper handling of run_once flags and user configuration, re-enabling setup-wizard-dist on Kicksecure, etc. Fixed all remaining known issues.
== 2025-03-15 ==
=== Review merge conflict resolution on user-sysmaint-split ===
Date: 2025-03-15
Ensured a merge conflict Patrick had to resolve when working with user-sysmaint-split password / autologin polish was resolved properly, at Patrick's request. Everything looked good to me.
== 2025-03-14 ==
=== Improve privleapd logging ===
Date: 2025-03-14
Changed wording in many log messages, and added username information in places that didn't have it before. Would like to do one more thorough audit before considering this completely done.
=== Fix umask handling in privleap ===
Date: 2025-03-14
Discovered that privleapd was starting processes with the wrong umask settings in some situations, due to the new PAM integration. umask is applied process-wide, not thread-local, which caused problems. Fixed the issue by moving the PAM integration code out of privleapd and into a shim script.
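The process-wide nature of umask described above is easy to demonstrate. The following is an added example (not privleap's code) in Python: thread A changes the umask and thread B, which never touches umask, creates a file and ends up with thread A's mode restrictions. The second function shows the shim approach, running the step that needs its own umask in a child process so the parent is unaffected. It assumes Python 3.9 or newer for the <code>umask=</code> argument of <code>subprocess.run</code>.

```python
import os
import stat
import subprocess
import sys
import tempfile
import threading


def current_umask() -> int:
    """Read the process umask without changing it (os.umask always sets)."""
    cur = os.umask(0)
    os.umask(cur)
    return cur


def file_mode_with_umask_changed_by_other_thread(other_thread_umask: int) -> int:
    """Thread A changes the umask, then thread B creates a file requesting
    mode 0o666. Returns the permission bits B's file actually received.
    umask is a process attribute, so B inherits A's change even though B
    never called os.umask itself."""
    saved = os.umask(0o022)            # known baseline for the whole process
    umask_changed = threading.Event()
    observed = {}

    def thread_a():
        os.umask(other_thread_umask)   # not thread-local: affects thread B too
        umask_changed.set()

    def thread_b():
        umask_changed.wait()
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "probe")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            observed["mode"] = stat.S_IMODE(os.stat(path).st_mode)

    b = threading.Thread(target=thread_b)
    a = threading.Thread(target=thread_a)
    b.start()
    a.start()
    a.join()
    b.join()
    os.umask(saved)
    return observed["mode"]


def child_umask_does_not_leak(child_umask: int) -> tuple:
    """The shim approach: run the step that needs a particular umask in a
    child process. Returns (umask the child started with, parent's umask
    afterwards); the parent's value is unchanged."""
    saved = os.umask(0o022)
    try:
        proc = subprocess.run(
            [sys.executable, "-c", "import os; print(os.umask(0))"],
            umask=child_umask, capture_output=True, text=True, check=True)
        child_seen = int(proc.stdout.strip())
        return child_seen, current_umask()
    finally:
        os.umask(saved)


if __name__ == "__main__":
    print(oct(file_mode_with_umask_changed_by_other_thread(0o077)))
    print(tuple(oct(v) for v in child_umask_does_not_leak(0o077)))
```

With an umask of 0o077 set by the other thread, the probe file comes out as 0o600 instead of the 0o644 the baseline umask would give; the child-process variant reports 0o077 inside the child while the parent still sees 0o022.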
=== Fix [email protected] trying to start too early ===
Date: 2025-03-14
There was a missing <code>After=</code> line in the systemd unit for [email protected]. Added, should be fixed now.
=== Add comment about module load prevention and exiting with code 1 ===
Date: 2025-03-14
Made a comment on a bug report by Patrick arguing that we should continue to use <code>exit 1</code> in scripts that block kernel module loading.
== 2025-03-13 ==
=== Update default browser development docs and read discussions ===
Date: 2025-03-13
Read through prior discussion on what the default browser for Kicksecure should be and where it should be gotten from. Updated some documentation, and am thinking about potential ways to get a browser more secure than firefox-esr into Kicksecure. Added a comment on the Whonix forums with some ideas.
=== Check up on IPv6 and GRUB co-installation conflict resolution PRs ===
Date: 2025-03-13
Pinged Daniel about his IPv6 PRs, to see if there were any updates. There were some issues I ran into last time I tried to use the PRs that I haven't received a response to yet.
Also checked up on the GRUB BIOS+UEFI co-installation conflict resolving MR in Debian. After a conversation in #debian-devel, I learned this is indeed too late to go into Debian Trixie, thus it will have to wait until Forky or until a rolling-release form of Debian is implemented.
=== Harden the sysmaint manual login assistance code slightly ===
Date: 2025-03-13
Made it harder to run into issues with the wrong X session being selected during login. This should ease the use of user-sysmaint-split for users who disable autologin.
=== Fix pre-existing issue in Qube Manager with list modification ===
Date: 2025-03-13
Marta reviewed my Qube Manager PR for adding boot mode support, and disliked a workaround I was using to avoid having to change a function in Qube Manager that modified a list in-place when it should have operated on a copy of the list. After explaining the rationale for the workaround, she asked if I could try to fix the core issue. I was able to successfully do this. Changes are pushed and ready for review.
== 2025-03-12 ==
=== Make it easier to use sysmaint mode without sysmaint autologin ===
Date: 2025-03-12
Added code to user-sysmaint-split that automatically selects the sysmaint session for login when booting in sysmaint mode, by manipulating display manager state files. The file changes that are done when booting in sysmaint mode are reverted when booting in user mode again. This could probably use more polish though, if a user logs into sysmaint mode twice in a row I believe the display manager will get "stuck" in sysmaint mode until the user selects a different desktop session manually.
=== Added notes about Lubuntu Update and the creation of a minimal update notifier to the wiki ===
Date: 2025-03-12
Added some info about Lubuntu Update to the Automatic Updates wiki page, since we may be able to use it as the base of an updater application or update notifier. Also wrote down some things about making a minimal update notifier that doesn't handle the task of installing updates.
=== Fix qubes-manager PR for boot mode support ===
Date: 2025-03-12
Added some missing tests, rebased changes.
=== Finish fixing up password and autologin polish ===
Date: 2025-03-12
Finished all remaining requested changes from Patrick and submitted the code for re-review. open-link-confirmation is working, autologin changes are working, ISO builds are working. Note that setup-wizard-dist hasn't actually been enabled on Kicksecure GUI systems, so notifications won't show up yet. That probably should still be done, but the ticket for this task has gotten very long and we probably should make a new ticket for re-enabling setup-wizard-dist.
== 2025-03-11 ==
=== Get open-link-confirmation to work in sysmaint mode ===
Date: 2025-03-11
Finally figured out the remaining issues with getting open-link-confirmation to work in sysmaint mode, and pushed fixes for those issues. It turned out to be because we were failing to call <code>dbus-update-activation-environment --systemd --all</code> in the sysmaint-session script.
=== Debug test failures for stprint with Ben Grande, more review ===
Date: 2025-03-11
Determined the root cause of the stprint test failures with help from Ben (a missing ncurses-related runtime dependency). Also re-reviewed all code. I only saw one potential issue remaining, and proposed a change that will resolve it.
== 2025-03-10 ==
=== Polish default password and autologin enhancements ===
Date: 2025-03-10
Patrick left me a list of enhancements needed for the default password and autologin enhancement code before it could be merged. I implemented many of these, but had trouble getting open-link-confirmation to work reliably in a sysmaint session. Solved many of the problems here, but there are still some more that need to be fixed.
=== Review Ben Grande's latest stprint changes ===
Date: 2025-03-10
Ben Grande added some fancy terminal information reading features for customizing the list of allowed SGR codes based on the terminal in use. There were also some new environment variables that can be used to control the program. Most everything is working well, but there was a test failure that I can reproduce but that isn't happening for him. Further research needed to determine why.
=== Refactor user creation code in maintainer scripts to avoid duplication ===
Date: 2025-03-10
Refactored most of the user creation code from the dist-base-files postinst and the user-sysmaint-split preinst into a library shipped as part of helper-scripts. Tested, appears to work.
=== Get regression tests for Qube Manager boot mode support to run in CI ===
Date: 2025-03-10
Got a test commit pushed that ran the regression tests for Qubes Manager for my PR in Qubes OS's CI infra. The tests passed, but Marek mentioned an area where coverage could be improved.
== 2025-03-09 ==
=== Change default shell for sysmaint account to zsh ===
Date: 2025-03-09
Added code to the user-sysmaint-split preinst for setting the sysmaint account's shell to zsh. May need to make the package depend on zsh now.
=== Further Qubes boot mode support polish, get initial qubes-core-admin PR merged ===
Date: 2025-03-09
Fixed more problems with Qubes boot mode support (mostly in qubes-manager, but also a bit in qubes-core-admin). The qubes-core-admin PR was merged by Marek, but I filed a second PR to fix an issue that was only discovered in qubes-manager near the tail end of my work. This second PR is almost ready to merge. qubes-manager needs a testing commit pushed to demonstrate that the regression tests pass with it.
=== Fix permissions bug in tb-updater ===
Date: 2025-03-09
tb-updater has a special script that runs only in DispVMs that copies Tor Browser from a persistent directory to the user's home directory. Due to a mix-up when using <code>mkdir --parents</code>, this was resulting in <code>~/.cache</code> being owned by root. Fixed with an extra chown call.
== 2025-03-07 ==
=== Polish remaining password and autologin handling issues ===
Date: 2025-03-07
Adjusted derivative-maker to add autologin configuration to ISOs and VMs for both user and sysmaint modes. Also resolved an issue where the systemcheck GUI did not launch in sysmaint mode.
=== Fix test coverage issues with qubes-core-admin Qubes boot mode support ===
Date: 2025-03-07
Added some extra tests to hit some missed edge cases. Also explained why one edge case was unreachable code.
=== Fix cosmetic issue with privleapd restart failing in the middle of a config file format migration ===
Date: 2025-03-07
Determined why privleapd was sometimes failing to restart in the middle of an upgrade (config files only being partially upgraded at restart time). The issue was purely cosmetic and didn't cause errors, so it was fixable by simply hiding the issue. (In this situation, other packages will have installed configuration files that will cause a second privleapd restart attempt when it will actually work.)
== 2025-03-06 ==
=== Add better autologin and password handling to user-sysmaint-split and related code ===
Date: 2025-03-06
Changed several repos so the user had more control over autologin, added autologin enabling/disabling software, and adjusted systemcheck so it could report on account password and autologin state.
== 2025-03-05 ==
=== Research ways of fixing blank default password problems under Kicksecure ===
Date: 2025-03-05
A blank default password can be a security liability in some scenarios, so we want to get rid of that. We also want to allow the user to control autologin more easily. Got together a checklist of things to do and started implementing it.
=== Change derivative-maker live-build step to use flavor_meta_packages_to_install ===
Date: 2025-03-05
Previously I was re-determining the right metapackage to use for ISO builds based on the flavor of ISO being built. Changed to use the existing <code>flavor_meta_packages_to_install</code> variable for consistency and ease of future changes. Made ISO test builds after this, the new code appears to work.
=== Fix remaining issues with Qubes boot mode support ===
Date: 2025-03-05
Fixed the broken event handler with help from Marek. Regression tests now pass.
=== Make changes to Calamares hybrid installation PR requested by Adriaan ===
Date: 2025-03-05
Adriaan mentioned some things he wanted refactored and tweaked. Implemented all requested changes.
=== Point out a few remaining safe-print issues ===
Date: 2025-03-05
Reviewed the latest iteration of the safe-print code, noticed a few problems left and reported them.
== 2025-03-04 ==
=== Resolve most remaining issues with Qubes boot mode support ===
Date: 2025-03-04
Fixed some pylint issues in qubes-core-admin and a window size problem in qubes-manager. Fixing the pylint issue broke an event handler however, so this isn't quite finished yet. Asked Marek for advice on how to move forward since I wasn't sure how to resolve the issue correctly.
=== Re-work GRUB co-installability MR with feedback from pham ===
Date: 2025-03-04
Pascal Hambourg (pham) informed me that the way I was resolving the conflicts between grub-pc and grub-efi-{amd64,ia32} would cause a conflict between grub-common and grub-cloud-{amd64,arm64}. Also pointed out that the ucf package was being depended on by the wrong packages now. Fixed both issues, verified that the fix still allows co-installability to work as intended.
=== Fix privleap PAM integration issue causing spurious logins ===
Date: 2025-03-04
Determined why sometimes running privleap actions would result in the target user becoming logged in (it turned out to be <code>pam_systemd.so</code>'s fault). This was because Debian's default PAM configuration assumes that things that interact with PAM and don't have special PAM config are going to be starting interactive sessions. Added a PAM configuration file that ensures that privleapd could only start non-interactive sessions. This fixed the bug.
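To illustrate the kind of fix described here, an added example of a service-specific PAM file (a constructed illustration, not the file privleap actually ships; the service name, module choices and comments are assumptions). On Debian, a service without its own file under <code>/etc/pam.d/</code> falls back to <code>/etc/pam.d/other</code>, whose <code>common-session</code> include runs <code>pam_systemd.so</code> and registers a logind session for the target user. A file that authenticates and checks the account but deliberately leaves out that session stack avoids the spurious login:

```text
# /etc/pam.d/privleapd  (constructed example, not the file shipped by privleap)
#
# Debian's fallback /etc/pam.d/other pulls in common-session, which runs
# pam_systemd.so and makes the target user appear logged in via logind.
auth     @include common-auth
account  @include common-account
# No "@include common-session" here: pam_systemd.so is never reached, so
# no logind session is created and the target user does not show up as
# logged in. pam_permit.so keeps the (non-interactive) session stack valid.
session  required pam_permit.so
```

After a change like this, <code>loginctl list-sessions</code> is the quick check that running a privileged action no longer creates a session for the target user.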
=== Look at bookworm-backports-staging ===
Date: 2025-03-04
Turns out one is supposed to enable a bookworm-backports-staging repo when using the fasttrack repo. This sounds scary, but as it turns out this repo should be safe to enable. Recommended to Patrick that we enable this.
=== Look at apt pinning situation for Qubes linux-firmware package updates ===
Date: 2025-03-04
Looked at code from Marek that pulls a new linux-firmware package from debian-backports into Debian-based VMs. Left a comment regarding the potential safety issues there, ultimately I think what Marek is doing is probably the best way that the situation he's facing can be solved.
== 2025-03-03 ==
=== Create merge request for resolving GRUB package conflicts ===
Date: 2025-03-03
Developed and submitted an MR to Debian that allows grub-pc and grub-efi-{amd64,ia32} to be installed alongside each other. Tested, appears to work in a VM for me.
=== Do another review on Ben Grande's safe-print code ===
Date: 2025-03-03
I had mistakenly failed to look at this for a few weeks due to not noticing that review had been requested from me. Ben pinged me, and I was able to do the review now. Virtually all points of my review were cosmetic in nature, and the few that weren't, weren't that big of a deal. I suspect we will be ready to merge after the next review.
=== Privleap bugfixing and polishing ===
Date: 2025-03-03
Added new features, updated documentation, researched bugs and reported back findings. Virtually everything is fixed, but there's a mystery with users getting incorrectly logged in, and I couldn't reproduce an upgrade issue that caused configuration to fail to load even when it appeared fine.
== 2025-03-02 ==
=== Get proof-of-concept grub-pc + grub-efi-amd64 co-installability working ===
Date: 2025-03-02
Managed to get a build of GRUB that allowed grub-pc and grub-efi-amd64 to install at the same time and be able to update their respective bootloaders properly. Also discovered that the reason the BIOS bootloader doesn't install right out of the box when you do this is because the postinst script expects BIOS GRUB to be installed manually once before the postinst will update it (this is usually done by an installer). Asked on #debian-devel if there were additional issues to check, since it appears to me that the packages don't actually conflict, at least not in an easily visible way.
=== Get Calamares hybrid GRUB support into a reviewable state, discuss with dalto8 ===
Date: 2025-03-02
Fixed the last issue with the hybrid GRUB support PR that was keeping me from asking for review. dalto8 almost immediately reviewed it, and discussed some issues with me (which I got resolved). Currently awaiting further review.
=== Add PAM integration to privleap ===
Date: 2025-03-02
Took the knowledge learned from reading the code of OpenDoas (plus some info derived from sudo's source code) and got PAM integration working, <code>TMP</code> and <code>TMPDIR</code> are now being set properly.
=== Ping HW42 about the root elevation qrexec work, comment on template service blocking ticket ===
Date: 2025-03-02
Gave HW42 a ping to see how things are coming along with the root elevation qrexec ticket (where attempting to gain root in an AppVM pops up a window in dom0 asking if the user wants to allow this). Also added a comment to the Qubes issue about keeping services from running in templates, the solution that was being suggested there doesn't look like it would work, but the solution Kicksecure is using with user-sysmaint-split does work.
=== More Qubes boot mode review, fix data consistency problem ===
Date: 2025-03-02
Got the data consistency issue fixed with Marek's help. Also fixed an issue with the regression tests. This is hopefully close to complete, there's an issue with Qube Manager's window being too tall and some pylint gripes that still need to be dealt with.
== 2025-03-01 ==
=== Continue to work on Qubes boot mode support ===
Date: 2025-03-01
Implemented Marek's idea for making boot mode updates more seamless. Things mostly work, however there's a data consistency issue in Qube Manager that is resulting in the user being told that the active boot mode's kernel options are set to a value that they aren't set to.
=== Finish polishing kloak documentation ===
Date: 2025-03-01
Added a threat model section and some additional bits of polish to the documentation on kloak.
== 2025-02-28 ==
=== Enhance documentation for keystroke and mouse deanonymization ===
Date: 2025-02-28
Added better documentation for kloak and Qubes event buffering. Mostly done, some minor changes still need to be made for this to be good.
=== More fixes and testing on Qubes OS boot mode support ===
Date: 2025-02-28
Did a self-review of the Qubes OS boot mode support code in qubes-core-admin, fixing some bugs in the process. Also discussed some potential behavior changes in the code with Marek, he has an idea for making boot mode updates more seamless in the future that I'll probably end up implementing.
=== Clean up remaining rough edges on grml-debootstrap UEFI enhancement PR ===
Date: 2025-02-28
Ensured all conversations on the grml-debootstrap UEFI enhancement PR were marked as resolved. Also ran through the last test scenario I felt was necessary and reported the results. Awaiting another iteration of review, this is hopefully close to complete.
== 2025-02-27 ==
=== Run thorough tests on most of the grml-debootstrap UEFI enhancement PR ===
Date: 2025-02-27
Ran a very thorough suite of tests on grml-debootstrap to ensure that image builds succeeded and the resulting images worked properly in 36 different scenarios. The only thing I can think of that probably should still be tested is to see if grml-debootstrap can properly modify the host's UEFI variables when doing a physical hardware install.
=== Study how OpenDoas uses PAM for integrating PAM support into privleap ===
Date: 2025-02-27
Patrick brought up integrating privleap with PAM for the sake of better temp directory handling. I studied how to use PAM, including taking a close look at how OpenDoas uses PAM. Made notes, and shared high-level takeaways from the research which will be used for implementation later on.
=== Iterate with Marek on Qubes boot mode support ===
Date: 2025-02-27
Discussed Qubes boot mode development with Marek on GitHub issues and in comments on a commit to my fork of qubes-manager. Fixed several issues, and added the ability to assign a pretty name to the fallback "no extra parameters" boot mode. Needs a thorough self-review before submitting for re-review.
=== Fixed Kicksecure template build failure, tested template for bugs reported by unman ===
Date: 2025-02-27
Figured out why the Kicksecure template was failing to build (I accidentally introduced the issue when doing a different bugfix). Made a PR to resolve this in qubes-builderv2, which Marek has already merged. Once I got the template to build properly, I installed and tested it on my Qubes R4.3 system. The issues unman reported don't seem to be a problem any longer, thus this should be complete.
== 2025-02-26 ==
=== Start debugging Kicksecure template build failure ===
Date: 2025-02-26
Was trying to figure out how to fix the issues reported by unman with the Kicksecure template, only to discover qubes-builderv2 is unable to build the template properly on Qubes OS R4.3. The template that ends up being built is a very minimal pure Debian template. This appears to be a bug in qubes-builderv2 itself - it can't find the <code>template-kicksecure</code> repository to run the code that makes the template into Kicksecure. It instead is looking for a template repository named <code>+</code>.
== 2025-02-25 ==
=== More polish on Qubes boot mode support ===
Date: 2025-02-25
Wrote more unit tests, fixed bugs, did manual testing. The only thing that hasn't been dealt with yet that should be is figuring out how to name the default (blank) boot mode.
== 2025-02-24 ==
=== Post-review improvements to Qubes boot mode support ===
Date: 2025-02-24
Marek gave a very thorough review, pointing out some shortcomings and issues in the boot mode code. Responded to each point, and did a number of fixes and enhancements locally. These have not yet been pushed, as they need to be tested and need unit tests written for them.
=== Respond to grml-debootstrap review, test requested changes ===
Date: 2025-02-24
Tested some changes that were requested by zeha and mika, replied to questions. Looks like the PR is close to being merged.
== 2025-02-23 ==
=== Prepare Qubes boot mode support for initial review ===
Date: 2025-02-23
Substantially rearchitected the boot mode support after a conversation with Marek, did a bunch of testing and fixing, and wrote most of the needed unit tests. Everything works so far, marked as ready for review.
== 2025-02-22 ==
=== Investigate privleap PAM integration, fix documentation ===
Date: 2025-02-22
Fixed a documentation issue in privleap. Also researched PAM integration possibility and looked at possible environment sanitization. Left comments from research on the appropriate GitHub issues.
=== Require all privleap rules to have auth data ===
Date: 2025-02-22
Added code to privleap that refuses to use an action definition that lacks authorization data (i.e. AuthorizedUsers and AuthorizedGroups). Also modified Kicksecure's privleap configuration to be compliant with this change and added/fixed regression tests.
== 2025-02-21 ==
=== Fix policy-rc.d script conflicts in live-build and derivative-maker ===
Date: 2025-02-21
Debugged issues with the policy-rc.d script being shipped in user-sysmaint-split, discovered an issue in live-build that broke the file and determined the details of a similar problem in derivative-maker. Fixed both problems, now the policy-rc.d script is remaining in position properly.
== 2025-02-20 ==
=== Change privleap action header format ===
Date: 2025-02-20
Ben recommended I change the format of privleap action headers from <code>[action-name]</code> to something similar to <code>[action:action-name]</code> (where all actions are prefixed with <code>action:</code> to distinguish them from other kinds of headers). Implemented this, and made changes throughout the rest of the Kicksecure and Whonix codebases to match.
=== Add config check to privleap postinst, stop using dh_installsystemd ===
Date: 2025-02-20
Added a configuration check to privleap's postinst script. While doing this, I discovered dh_installsystemd appeared to be interfering with the postinst script in weird ways, debugged how to use it as intended, determined it wasn't suitable for privleap, and forcibly disabled it via an override in <code>debian/rules</code>.
=== Implement tests for privleapd config reload without restart ===
Date: 2025-02-20
Added regression tests for config reload support. Everything passes. Also did quite a bit of test refactoring and minor bugfixing in the middle of this and other privleap-related tasks.
=== Investigate tor-verify-config privleap rule conflict ===
Date: 2025-02-20
Looked at the report and discussed possible solutions with Patrick. We decided to use <code>|| true</code> on systemctl start invocations to avoid a broken apt installation if privleapd is upgraded on a system with invalid configuration.
== 2025-02-19 ==
=== Start implementing privleap configuration reload without restart ===
Date: 2025-02-19
Implemented a feature in leapctl and privleapd that allows instructing privleapd to reload its configuration without restarting the server entirely. The implementation keeps the old configuration in the event the new config is invalid. Needs unit tests written for it.
=== Test and research Qubes boot mode support ===
Date: 2025-02-19
Tested the existing implementation of Qubes boot mode support, discussed implementation details with Marek. Some of the solution will work as-is but some of it needs rearchitectured.
=== Research policyrcd-script-zg2 ===
Date: 2025-02-19
Downloaded and read through the code of policyrcd-script-zg2. It didn't turn out to behave the way we expected, and doesn't look suitable for the use case we had in mind.
=== More privleap polishing again ===
Date: 2025-02-19
Tackled several more issues from Ben's and Marek's reports, fixing many rough edges in the code and resolving several bugs.
=== Improve sdwdate-gui status passing ===
Date: 2025-02-19
Made sdwdate-gui use a tmpfiles.d snippet to create the temp dir for storing status messages passed via qrexec. Also changed the directory the untrusted status file was saved to. This prevents issues when using /run/user/1000 in the qrexec policy, and makes the code less complex.
== 2025-02-18 ==
=== More privleap polishing 2 ===
Date: 2025-02-18
Fixing bugs filed by Ben Grande. Probably will have quite a bit more of this to do.
== 2025-02-17 ==
=== More privleap polishing ===
Date: 2025-02-17
Fixing bugs filed by Ben Grande. Probably will have quite a bit more of this to do.
== 2025-02-16 ==
=== Mostly finish implementing boot mode support in Qubes OS ===
Date: 2025-02-16
Tested and worked out several bugs in Qubes OS boot mode support. Things appear to be working for the most part after debugging, I intend on doing more thorough testing in the near future (probably tomorrow).
=== Fix bad ownership (and likely bad permissions) on /run/user/1000 on Qubes-Whonix ===
Date: 2025-02-16
A change we made to prevent writing temp files to /tmp for security ended up inadvertently causing /run/user/1000 to be owned by root, and probably set to permissions 755. Fixed this by explicitly creating and setting the owner and permissions of /run/user/1000 in sdwdate-gui.
=== Write policy-rc.d file for keeping services from starting on install in sysmaint mode ===
Date: 2025-02-16
Wrote a script for /usr/sbin/policy-rc.d that prevents deb-systemd-invoke from starting or restarting units that aren't supposed to be started while in sysmaint mode. This transparently avoids interfering with user mode and unrestricted admin mode. This needs more work, as derivative-maker also modifies policy-rc.d, and I have not yet taken that into account.
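Added example (not the user-sysmaint-split project's own script) of how a policy-rc.d can gate unit (re)starts on sysmaint mode using the standard policy-rc.d exit codes; the <code>boot-mode=sysmaint</code> kernel parameter and the allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the user-sysmaint-split project's own policy-rc.d.
# A minimal /usr/sbin/policy-rc.d that tells invoke-rc.d and deb-systemd-invoke
# whether a unit may be (re)started while the system is in sysmaint mode.
#
# policy-rc.d interface: argv is [options] <initscript ID> <actions> [<runlevel>]
# Exit status 0 = action allowed, 101 = action forbidden (the caller skips it).
# Assumptions: sysmaint mode is signalled by a hypothetical kernel parameter
# "boot-mode=sysmaint"; the allowlist below is constructed for illustration.

# Units that may still be (re)started during package installation in sysmaint mode.
SYSMAINT_ALLOWED_UNITS="privleapd.service ssh.service"

# Return 0 if the kernel command line ($1, normally /proc/cmdline) selects sysmaint mode.
is_sysmaint_cmdline() {
    for tok in $1; do
        [ "$tok" = "boot-mode=sysmaint" ] && return 0
    done
    return 1
}

# Decide on one (unit, action) pair and echo the policy-rc.d exit status (0 or 101).
# $1 = mode ("sysmaint" or anything else), $2 = unit/initscript id, $3 = action list
decide() {
    mode=$1; unit=$2; actions=$3
    # Only sysmaint mode is restricted; user mode and unrestricted admin mode are untouched.
    [ "$mode" = "sysmaint" ] || { echo 0; return; }
    # Only starting and restarting are blocked; stopping a unit is always allowed.
    case " $actions " in
        *" start "*|*" restart "*|*" try-restart "*) ;;
        *) echo 0; return ;;
    esac
    # Normalise a bare initscript id such as "ssh" to "ssh.service" for comparison.
    case $unit in *.*) ;; *) unit="$unit.service" ;; esac
    for allowed in $SYSMAINT_ALLOWED_UNITS; do
        [ "$unit" = "$allowed" ] && { echo 0; return; }
    done
    echo 101
}

# Entry point: only runs when installed and executed as policy-rc.d.
if [ "${0##*/}" = "policy-rc.d" ]; then
    while [ $# -gt 0 ]; do   # skip leading options such as --quiet
        case $1 in --*) shift ;; *) break ;; esac
    done
    if is_sysmaint_cmdline "$(cat /proc/cmdline 2>/dev/null)"; then
        mode=sysmaint
    else
        mode=normal
    fi
    exit "$(decide "$mode" "$1" "$2")"
fi
```

Installed as /usr/sbin/policy-rc.d (mode 0755), the script returns 101 for a start or restart of any unit outside the allowlist only while sysmaint mode is detected, which is what makes it transparent for user mode and unrestricted admin mode.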
=== Make privleapd start before basic.target ===
Date: 2025-02-16
Added the needed systemd configuration to make privleapd start before basic.target was reached. This allows privleap to be used basically as soon as early system boot is complete.
=== Fix privleap error due to conflicting rules ===
Date: 2025-02-16
anon-gw-anonymizer-config had a privleap rule that conflicted with a rule in systemcheck. Found the issue and renamed the rule in anon-gw-anonymizer-config. (This wasn't causing privleapd to crash outright because of a bug in privleap that was only resolved yesterday.)
== 2025-02-15 ==
=== Work through all resolvable privleap issues filed by Ben Grande ===
Date: 2025-02-15
Implemented all requested features and fixed all reported bugs that were fixable. Some of the issues need further input from Patrick or more info from Ben to resolve, those are still left open.
== 2025-02-14 ==
=== More privleap test polishing ===
Date: 2025-02-14
Fixed some issues with the <code>run_autopkgtest</code> script, fixed other issues in privleap, and replied to the issues and code comments submitted by Ben Grande.
== 2025-02-13 ==
=== privleap automated test suite polishing, bugfixing ===
Date: 2025-02-13
Worked on fixing several issues reported by Ben Grande and noticed by myself in privleap, polishing autopkgtest support, fixing docs, and preventing installation failure in more edge cases.
=== Work on implementation of Qubes OS boot mode support ===
Date: 2025-02-13
Got the backend implementation for boot modes mostly working. Found a bug that prevents the feature from working correctly and reported it as well. At the moment the backend implementation allows a template to advertise arbitrary boot modes with a single kernel parameter, set default boot modes one time, and can boot VMs in a selected boot mode. Multi-kernel-parameter boot modes will require https://github.com/QubesOS/qubes-issues/issues/9775 to be solved.
=== Read, make notes on 3mdeb RAM decay research ===
Date: 2025-02-13
Read through both 3mdeb blog posts on RAM data decay and cold boot attacks. Added notes to the wiki as appropriate.
== 2025-02-12 ==
=== Write spec for and begin work on user-sysmaint-split support in Qubes OS ===
Date: 2025-02-12
Wrote several iterations of a spec for user-sysmaint-split in Qubes OS, going back and forth with Marek to figure out the implementation strategy. Started writing some code that actually implements the spec as well. Ultimately the job looks like at least parts of it will be less difficult than expected.
=== Ticket cleanup, comment on Qubes OS-related kloak issues ===
Date: 2025-02-12
Helped get two Qubes OS issues closed by commenting on them and requesting them to be closed as implemented. Also followed up on an issue related to Qubes OS in vmonaco's original kloak repository. Did miscellaneous ticket cleanup as well, tidying up some loose ends left over from the "WAITING ON" section mostly.
=== Further work on Calamares hybrid boot support ===
Date: 2025-02-12
Made it so that BIOS boot partitions are specially labelled in the installer, sorta. The exact implementation isn't great, but it works, and the alternative implementation I tried didn't work. This may be acceptable as-is, but I'm waiting on feedback from upstream.
=== Miscellaneous fixes to user-sysmaint-split and sudoless app ports ===
Date: 2025-02-12
* Fixed a bug where installing privleap along with all the other sudoless apps would result in a failed install due to privleapd starting at the wrong time.
* Made it so the sysmaint account could actually use privleap again (a new whitelisting feature locked it out).
* Fixed a race condition in user-sysmaint-split that could result in a normal boot automatically logging into sysmaint mode.
* Corrected a typo'd directory name in usability-misc.
== 2025-02-11 ==
=== Fix some final bugs in the grml-debootstrap hybrid boot PR ===
Date: 2025-02-11
The shim bug noticed earlier was resolved, along with a couple other minor issues (see https://github.com/grml/grml-debootstrap/pull/299#issuecomment-2652560971).
== 2025-02-10 ==
=== More iteration on grml-debootstrap hybrid boot enhancement PR ===
Date: 2025-02-10
Added hybrid boot support to chroot-script (which allows hybrid boot to work on physical disk installs), and polished the existing code to meet upstream's requirements. The only potential issue left is that shim isn't being installed on arm64 (and possibly also amd64?) physical disk installs.
=== Remove lightdm dependency from sysmaint-panel ===
Date: 2025-02-10
sysmaint-panel didn't actually need lightdm as a dependency, and the dependency was causing problems with Qubes OS, so I removed it.
=== Fix DispVM support in sudoless tb-updater ===
Date: 2025-02-10
A bug was discovered in the sudoless tb-updater code that resulted in Tor Browser having to be redownloaded on every single VM launch. This turned out to be because the mount script responsible for making things work right on DispVMs was failing to run, due to privleapd not being started by the time the script was run. The script actually ran as root, so it didn't need leaprun (or even sudo, which it originally used) to function, so I replaced the leaprun code with equivalent code that didn't require dropping privileges.
== 2025-02-09 ==
=== Revisit and polish Calamares hybrid boot support ===
Date: 2025-02-09
Went back to an open draft PR against Calamares for adding hybrid BIOS+UEFI boot support, fixing issues and making the feature much more practical and easy to use.
=== Research Qubes selective sudo access implementation steps ===
Date: 2025-02-09
Read through four Qubes OS tickets to get a good grasp on how to implement the qrexec-based selective sudo access feature. Studied and wrote a spec for how a pam_qrexec.so plugin for PAM could work without bypassing password auth improperly. Also reviewed GUI mockups from Marta and discussed some ideas to make the user interface more friendly. I wasn't able to start work on actual code yet as HW42 has requested I hold off until he's finished doing his packaging, for the sake of avoiding work duplication.
=== Add crash recovery, enhanced first-time install setup, and more security hardening to privleap ===
Date: 2025-02-09
Added code to privleap that allows it to recover from a crash or lockup with minimal user interruption. Also added an "allowed users" feature to prevent unauthorized users from being able to communicate with the privleapd server, and enhanced the postinst script so that things would work properly after privleap is first installed without requiring a reboot.
=== Investigate next steps for selective sudo access and sysmaint boot Qubes features ===
Date: 2025-02-09
Looked into implementation details and intended methodology for implementing these two Qubes OS features. Came up with some good plans and tried to coordinate development with Qubes OS devs some. Next step is to create a concrete specification for the intended behavior of the selective sudo access feature (it's going to be a lot more complicated than originally thought). sysmaint boot features should hopefully be substantially simpler and not need a formal specification.
== 2025-02-08 ==
=== Add systemd-notify support to privleap, enhance restart-on-upgrade code ===
Date: 2025-02-08
Changed the service type of privleapd.service from exec to notify, and added code to privleapd that informed systemd when service start was complete. Also fixed up the code that enables and (re)starts privleapd on package installation. Things seem to be working pretty good, however recovery in the event of a server crash has not yet been implemented.
== 2025-02-07 ==
=== Research safety of using live-build debian-installer build from Git ===
Date: 2025-02-07
Looked into whether the MitM vulnerability previously found in live-build when enabling debian-installer was still present when using the option to build debian-installer from Git source. This does appear to still be an issue; the attacker would just have to replace a udeb rather than replacing the installer initramfs itself. Also, using debian-installer built from Git does not work when building Bookworm images due to too-old udebs in Bookworm.
=== Make user-sysmaint-split uninstall boot option use dummy-dependency ===
Date: 2025-02-07
Previously the uninstall boot option was using apt directly, which will cause a problem once Kicksecure depends on user-sysmaint-split. Switched to dummy-dependency to prevent this from being a problem.
=== Add systemd trigger for privleapd restart on upgrade ===
Date: 2025-02-07
Added a systemd trigger that restarts privleapd (and recreates open comm sockets) if configuration changes during an upgrade. Tested and ensured it works. I have not yet tested how this interacts with upgrade-nonroot, however; it's possible it could result in an interrupted upgrade, and this needs to be researched.
=== Adjust sdwdate-gui-qubes status temp file location ===
Date: 2025-02-07
Changed the location of the status temp file used by sdwdate-gui-qubes to /run/user/100/sdwdate/. Verified that this works. Also adjusted privleap to use a systemd executable prefix rather than a bash shell command for preventing login failure if privleapd fails to start, at the suggestion of marmarek.
== 2025-02-06 ==
=== Enhance privleap tests, discuss relocating temp folder used by NewStatus qrexec policy ===
Date: 2025-02-06
Added tests to privleapd that ensure invalid ASCII is rejected reliably. Also discussed with Patrick where to move the temp file written by the whonix.NewStatus qrexec policy for informing sys-whonix that a new Whonix qube with sdwdate running has been launched. Good location for temp files agreed upon.
=== Ensure Whonix qubes aren't broken when installing privleap and sysmaint-augmented applications without user-sysmaint-split ===
Date: 2025-02-06
Previously, if you installed privleap along with something that had a privleap rule mentioning the sysmaint account on a Whonix qube without user-sysmaint-split, the qube would break because of login failure. Tested and ensured the fixes below resolved this issue.
=== Prevent login failure if privleapd fails to start ===
Date: 2025-02-06
Previously if privleapd failed to start, the leaprun commands defined in <code>[email protected]</code> would fail and thus login would be broken. Now the failure is silently ignored. leaprun obviously won't function if this occurs, but at least login will succeed.
=== Allow privleapd to function if nonexistent users and groups are present in configuration ===
Date: 2025-02-06
There are legitimate reasons for users and groups that don't exist to be defined as authorized in privleap's configuration. privleapd now simply skips over these, rather than erroring out when one is encountered.
=== Fix isomd5sum bug in derivative-maker ===
Date: 2025-02-07
Currently there is code that ensures isomd5sum is installed if needed, however this code is unnecessary because it turns out the bug that inspired its creation is actually a configuration issue in derivative-maker. Fixed the config issue and removed the superfluous code.
== 2025-02-05 ==
=== Sync live-build with upstream ===
Date: 2025-02-06
Got upstream's live-build changes synced back into our live-build, ensuring the finished product was still capable of building a working Kicksecure ISO. Filed a couple of MRs to fix upstream bugs (one of which turned out to be a downstream bug, but the other one of which was a legitimate upstream bug).
=== Fix sudoless sdwdate-gui-qubes ===
Date: 2025-02-06
Tested and fixed the bugfix for the sdwdate-gui-qubes bug. All Whonix VMs now appear in the GUI as intended.
=== Add Wayland documentation to the Wiki where appropriate ===
Date: 2025-02-06
Searched for various forms of "X11", "X.org", "X server", etc., looking for any X11-specific documentation and adding Wayland documentation alongside when needed.
=== Create work-in-progress fix for sudoless sdwdate-gui bug under Qubes OS ===
Date: 2025-02-05
Discovered that sdwdate-gui was not functioning as expected under Qubes OS after the sudoless port - only the sys-whonix VM had sdwdate controls available. Determined the likely root cause of the bug and pushed a fix for it; this still needs tested though.
== 2025-02-04 ==
=== Add quick uninstall boot option to user-sysmaint-split ===
Date: 2025-02-04
Added code to user-sysmaint-split and sysmaint-panel that allows quickly uninstalling user-sysmaint-split via a boot option in GRUB. If a password is set on the sysmaint account, this requires authentication.
=== Fix user-sysmaint-split bug with autologin breaking on uninstallation ===
Date: 2025-02-04
Discovered that a supposedly ephemeral config file was being left on the disk when uninstalling user-sysmaint-split from sysmaint mode, resulting in autologin breaking. Refactored the sysmaint-boot script and added functionality for removing these kinds of config files so that the functionality of the system would be properly restored after uninstallation.
=== Try to implement ephemeral unrestricted sudo in Kicksecure templates ===
Date: 2025-02-04
Attempted to implement code to hack around Qubes OS lacking features needed for user-sysmaint-split to work right. Basically the idea was to make it so that templates had an unrestricted sudo while AppVMs had restricted sudo. This was going to be implemented with symlinks and an apt hook, but ultimately this ended up running into a number of worrying edge cases, ultimately ending with Patrick and me deciding to abandon this method and focus further effort in this area on adding features to Qubes OS to make user-sysmaint-split work well.
=== Fix upgrade-nonroot sudoless port ===
Date: 2025-02-04
The upgrade-nonroot port had some bugs and inefficient code, which has now been fixed.
== 2025-02-03 ==
=== Investigate allowing unrestricted admin in Kicksecure, Whonix Qubes templates ===
Date: 2025-02-03
We would like unrestricted admin mode to work properly on Kicksecure and Whonix under Qubes OS, but only when booted into a TemplateVM. Originally we were going to use bind mounts on the sudo and pkexec executables for this, but I discovered this breaks dpkg. Designed a revised plan with help from Patrick.
=== Audit Kicksecure and Whonix packages for sudo, pkexec usage, port to privleap where applicable ===
Date: 2025-02-03
Found many more places in Kicksecure and Whonix where sudo and pkexec were being used, determined which areas should use privleap instead, and ported them. This should allow fully sudoless Kicksecure and Whonix to function mostly normally. Some more parts could be ported if we had identity verification support via passwords in privleap, but what can be done without that should now be done and is ready for review.
== 2025-02-02 ==
=== Implement sudoless support in all needed packages with sudoers config ===
Date: 2025-02-02
Got every package in Whonix and Kicksecure that ships a sudoers config and also needs functionality retained in sudoless mode ported to use privleap where necessary. At this point most of the features in Kicksecure and Whonix should function correctly even if user-sysmaint-split is installed and the user is booted in sysmaint mode. More auditing and a lot more review work needs done before this can be considered fully complete, but this is a decent step in that direction. Ended up implementing more features in privleap to make this work (most notably adding the ability to configure multiple users and groups as being able to execute a specific action).
== 2025-02-01 ==
=== Add persistent user support, UID handling, and full root access to privleap ===
Date: 2025-02-01
Made it so the root account could run any action at any time, also made it so UIDs and GIDs could be used in place of user and group names in several areas, and added support for "persistent users" which have always-available comm sockets that cannot be destroyed easily. This is to make systemcheck work with privleap.
=== Discuss and investigate grub-cloud-amd64 issues for grml-debootstrap ===
Date: 2025-02-01
Filed a bug report against grub-cloud, attempted to ping the maintainer and also discussed issues with slow amd64 boot with the grml-debootstrap developers and with Patrick.
== 2025-01-31 ==
=== Write Qubes OS ticket for user-sysmaint-split support ===
Date: 2025-01-31
Wrote an in-depth explanation of what will allow for ideal user-sysmaint-split support in Qubes OS, summarizing a bunch of things from a conversation I had with Marek and Demi on Matrix.
=== Use privleap in upgrade-nonroot rather than sudo ===
Date: 2025-01-31
Ported upgrade-nonroot to use privleap. Also set <code>DEBIAN_FRONTEND='noninteractive'</code> in <code>apt-get-update-plus</code> to mitigate the risk of the apt process freezing during updates.
=== Find a fix for the missing icons in the Kicksecure template's Thunar ===
Date: 2025-01-31
Figured out that qubes-gui-agent-xfce needed to be installed in the qube for things to work. Added it to kicksecure-qubes-gui in kicksecure-meta-packages.
=== Implement grub-cloud use in grml-debootstrap ===
Date: 2025-01-31
Tweaked the grml-debootstrap PR to use grub-cloud on amd64 VMs when enabling UEFI. Also simplified some code and filed a bug report about a confusing comment in the grub-cloud postinst script.
== 2025-01-30 ==
=== Investigate grub-cloud usability for grml-debootstrap ===
Date: 2025-01-30
Investigated grub-cloud's feature set and how to use it. Looks like it will probably do what we want.
=== More hardening and polish on privleap ===
Date: 2025-01-30
Made the privleap code more readable, added security hardening to avoid leaking info about available privleap actions to the caller in the event the user wants to keep them secret, added some UID and GID handling logic to mitigate mistakes that could result in actions unintentionally running with some degree of root access, and improved the tests. Also made it clear that autopkgtest was the only supported way of running the regression tests.
== 2025-01-29 ==
=== Safe-print code review, second pass ===
Date: 2025-01-29
Reviewed Ben's safe-print program again. Made some suggestions, overall the code looks very good.
=== Finish privleap tests, polish code ===
Date: 2025-01-29
privleap's tests now pass reliably, code is essentially feature-complete except for a footgun with <code>TargetUser</code>. Going to fix that.
== 2025-01-28 ==
=== Mostly finish tests for privleap ===
Date: 2025-01-28
All tests are now written and mostly working, however some of them are race condition prone and are not functioning as intended for unknown reasons. Once this is resolved and the tests pass reliably when using autopkgtest, this job will be complete.
== 2025-01-27 ==
=== Further work on privleap tests ===
Date: 2025-01-27
Added more tests for privleapd, refactored and debugged the existing tests for maintainability.
== 2025-01-26 ==
=== Review safe-print code from Ben Grande ===
Date: 2025-01-26
Reviewed the safe-print program Ben wrote. Needs more thorough review due to the complexity of some of the regexes, but for the most part it looks good.
=== Write testing framework for most of privleap ===
Date: 2025-01-26
Wrote tests for most of privleap. The server still needs significant testing, but both leaprun and leapctl are now able to be quickly tested reasonably thoroughly.
== 2025-01-25 ==
=== Additional privleap hardening and refactoring ===
Date: 2025-01-25
Shortened functions, fixed bugs, and changed how some parts of the code worked so that mypy passes entirely clean and pylint almost passes (with the exception of griping about some "TODO" comments). Still need to port to using real logging rather than just print, and need to write detailed tests.
=== Follow up on grml-debootstrap PR ===
Date: 2025-01-25
Answered some questions and suggestions with the grml-debootstrap PR, also fixed a typo at zeha's request.
== 2025-01-23 ==
=== Harden privleap code ===
Date: 2025-01-23
Added extensive type annotations to get the code to pass mypy. Also fixed the majority of all pylint gripes (there are still a few more to tackle which I'll finish up soon).
=== Test helper-scripts PR extensively ===
Date: 2025-01-23
Ran a large battery of tests against Ben's helper-scripts PR. Found one bug in the code, which I reported. Once this is fixed the new user management library should be ready to merge.
== 2025-01-22 ==
=== More sudoless porting, using privleap where applicable ===
Date: 2025-01-22
Ported more things to be sudoless and use privleap, including the very complex <code>systemcheck</code> application. Made very significant progress, added several needed features to privleap in the process.
=== Make input validation in privleap better ===
Date: 2025-01-22
Added many more input validation checks to privleap to catch several possible errors, mostly around invalid usernames.
=== Give the helper-scripts PR another review ===
Date: 2025-01-22
Reviewed the latest iteration of Ben's helper-scripts PR. Mostly ready to go.
=== Respond to power management feature request on forums ===
Date: 2025-01-22
Pointed out problems with use of AI for generating bug reports and feature requests, argued against the suggestions in the post since they could have negative security and usability consequences.
== 2025-01-21 ==
=== Sudoless development, privleap integration ===
Date: 2025-01-21
Started integrating privleap into Kicksecure code in place of passwordless sudo calls. Ended up adding two substantial features to privleap (stdout/stderr streaming and running processes as non-root users) in order to make it suitable for our use case.
=== Fix permission-hardener behavior with symlinks and hardlinks ===
Date: 2025-01-21
Made permission-hardener fully and properly resolve symlinks rather than treating them as separate files. Also made it reject hardlinks entirely because those have the same problems as symlinks for our use case, but are difficult and resource-intensive to trace the way we can trace hardlinks.
=== Document reasoning behind polkit fix (and fix Wayland too) ===
Date: 2025-01-21
Documented why launching the polkit agent manually is required. Also added the needed code to do so to the Wayland session launcher as well.
== 2025-01-20 ==
=== Enable user-sysmaint-split on Kicksecure ISO ===
Date: 2025-01-20
Enabled user-sysmaint-split in the Kicksecure ISO package list file and in live-build. Built the ISO, tested it, works.
=== Add diagnostics to permission-hardener ===
Date: 2025-01-20
Added a feature to permission-hardener so that running <code>permission-hardener print-diagnostics</code> will collect info useful for a bug report.
=== Review updates to helper-scripts PRs by Ben Grande ===
Date: 2025-01-20
Did another review, left comments with suggestions and requests for fixing some things.
=== Enable SSH in user-sysmaint-split's sysmaint-boot.target ===
Date: 2025-01-20
Just had to add ssh.service to a couple of spots in the systemd unit.
=== Test Kicksecure Qubes OS template in preparation for release ===
Date: 2025-01-20
Rebuilt and tested the Kicksecure Qubes template. Worked, though required a tweak to the template to get it to build.
== 2025-01-19 ==
=== Review helper-scripts and user-sysmaint-split PRs from Ben Grande ===
Date: 2025-01-19
Did code review on two PRs. +1 on the changes, with some minor changes requested to the user manipulation library.
=== Add Qubes OS config for passwordless-root ===
Date: 2025-01-19
Added Qubes OS config to helper-scripts for passwordless-root. That's the only place the config looked like it would fit without requiring changes that we don't want to make with adding a qubes-kicksecure package.
Had to untangle some repo issues with derivative-maker, so this took longer than expected.
=== Research possible vuln with access to /dev/xen devices ===
Date: 2025-01-19
Did research and discussed issues with the Qubes OS developers to figure out the potential impact of user-level /dev/xen device access, and potential ways to mitigate them.
=== Get privleap to beta-quality status ===
Date: 2025-01-19
Extensively tested privleap, fixed tons of bugs, improved code quality, improved documentation, and did stress testing to see how it would hold up against a DoS attack. Performs decently even when under attack, appears to function well in all tested situations. Should be considered beta-quality still since only I've tested it, and it hasn't been tested in real-world scenarios.
== 2025-01-18 ==
=== More privleap development ===
Date: 2025-01-18
Got privleap to actually work! All the basic concepts are laid down, and while it's still fragile, it is functional. Most of the development work is done at this point.
=== Write comment about upgrade-nonroot concerns ===
Date: 2025-01-18
Wrote a long comment on the Kicksecure forums refuting an overly dramatic report of a low-impact security issue in upgrade-nonroot.
== 2025-01-17 ==
=== Begin writing privleap ===
Date: 2025-01-17
Spent a bunch of time writing the privleap escalation framework, including refining the spec, creating a library for clients and servers to use, and writing the beginnings of the privleapd server. Attempting to design it in such a way as to be resistant to DoS attacks and crafted data attacks. Published current state of the code on GitHub at https://github.com/ArrayBolt3/privleap.
== 2025-01-16 ==
=== Sudoless development, write spec for privleap ===
Date: 2025-01-16
Worked more on getting tools in Kicksecure to not require root. Also wrote a specification for a new privilege escalation tool, privleap, which will be available even in user mode (not sysmaint) to avoid losing too much functionality. Did initial design with Patrick.
== 2025-01-15 ==
=== Fix Polkit in sysmaint mode for Kicksecure ===
Date: 2025-01-15
Figured out why polkit (and thus pkexec, gparted, and zuluCrypt) were all broken under sysmaint mode, and resolved the issue. We weren't starting a necessary authentication agent.
=== Discuss security improvements with Qubes OS devs, refactor kicksecure-meta-packages and qubes-whonix ===
Date: 2025-01-15
Converted two metapackages under qubes-whonix into transitional packages, merging them with kicksecure-qubes-cli and kicksecure-qubes-gui as appropriate. Also ended up starting a conversation over security and usability improvements for Kicksecure and Whonix under Qubes OS with the Qubes developers. Fully realizing the advantages of user-sysmaint-split under Qubes OS may require a substantial amount of additional work, including kernel- and bootloader-level development.
=== Rebuild, test, and debug the Kicksecure template again ===
Date: 2025-01-15
Built a fresh Kicksecure template and tested it. Discovered it still had some substantial issues that prevent it from being made official, most notably the lack of proper icons in Thunar and other XFCE applications. It's better than it was previously though.
=== Review and improve Patrick's modifications to permission-hardener migration code ===
Date: 2025-01-15
Reviewed, discussed, and made some more improvements to security-misc, to help avoid possible bugs and improve the code's robustness with string splitting.
== 2025-01-14 ==
=== Fix issues in Kicksecure Qubes template ===
Date: 2025-01-14
Found several packages that would be useful in the kicksecure-qubes-cli and kicksecure-qubes-gui metapackages, and added them. Also tried to get qubes-builder-v2 to let me build a template image with this, but ran into serious issues in so doing and gave up after a few failed attempts. May require custom code to get that to work.
=== Investigate CI failure on grml-debootstrap pull request ===
Date: 2025-01-14
Looked into why my PR was failing CI. Turns out the test CI run Patrick did ran more tests than upstream runs, and the one test that flunked on upstream's tests was because of a network issue while downloading deb packages (so most likely transient). Was able to get a working Bullseye build with grml-debootstrap without problems (Bullseye was the version that failed upstream).
=== Research safety of permission-hardening polkit-agent-helper-1 ===
Date: 2025-01-14
Did a bunch of tests on a baremetal Kicksecure install for seeing if polkit-agent-helper-1 was safe to disable or not. Ultimately it appeared to have no functional effect when disabled.
=== Publish security vulnerability details for live-build ===
Date: 2025-01-14
Published the full PoC for the live-build MitM vulnerability, along with recommendations about how to mitigate it. Reported it on the appropriate Debian bug report.
=== Fix new_mode database corruption from old permission-hardener ===
Date: 2025-01-14
Discovered that the new_mode database suffered from very similar problems to the existing_mode database, and added logic for repairing that as well.
=== Speed up permission-hardener migration code ===
Date: 2025-01-14
Added some extra logic to the permission-hardener migration code to allow it to only scan specific packages for modified files, rather than scanning every package on the system. permission-hardener migration is now nearly instant.
== 2025-01-13 ==
=== Add a shutdown systemctl unit to user-sysmaint-split ===
Date: 2025-01-13
Make user-sysmaint-split automatically lock the sysmaint account password on shutdown. This is done with a systemd unit that runs at shutdown.
=== Polish permission-hardener v1 to v2 migration code ===
Date: 2025-01-13
Made several changes to the migration code at Patrick's request, fixing various minor issues and improving code quality.
== 2025-01-12 ==
=== Experiment with allowing grub-pc and grub-efi to be co-installed ===
Date: 2025-01-12
Did a test build of the GRUB bootloader that allowed grub-pc and grub-efi to be co-installed. Initial results seem promising, although work will be needed to make it function properly. Reported results on a related bug in Debian.
=== Test IPv6 PRs again, report results to DanWin ===
Date: 2025-01-12
Managed to get the IPv6 PRs to allow a whonix-gateway and whonix-workstation VM to communicate to each other over IPv6. The gateway is still using IPv4 to talk to the Tor network however. Reported to DanWin.
=== Remove leaked resolv.conf from VM and ISO builds ===
Date: 2025-01-12
Added code to initializer-dist that removes a leaked resolv.conf file from VM and ISO builds. Mostly tested; I didn't test the final iteration due to the amount of time it was taking, but I would be pretty surprised if it didn't work.
=== Develop permission-hardener migration code for v1 to v2 upgrade ===
Date: 2025-01-12
Made it so that permission-hardener can automatically fix its state on upgrade by installing a static state file via the postinst. Tested and appears to work.
=== Further improvements to grml-debootstrap PR ===
Date: 2025-01-12
Made several improvements to the grml-debootstrap PR, including cutting out the ARM_EFI_TARGET variable, fixing EFI bootloader installation on i386 and arm64, and making cross-building arm64 on amd64 actually work.
== 2025-01-11 ==
=== Polish EFI handling in grml-debootstrap PR ===
Date: 2025-01-11
Added a <code>--efi-id</code> option to the grml-debootstrap PR, and got the EFI bootloader to be installed by the Debian package rather than requiring an explicit grub-install command.
=== Fixed rads integration in user-sysmaint-split ===
Date: 2025-01-11
Made sysmaint-boot.target launch the rads service rather than doing it in the sysmaint-boot script. Tested on both a KVM-accelerated VM and a QEMU-emulated one to attempt to shake out race conditions.
=== Further polish on dist-installer-cli ===
Date: 2025-01-11
Improved the security of many sudo calls, removed the need for a bunch of shellcheck overrides, and did a lot of testing and debugging on my work from yesterday.
== 2025-01-10 ==
=== Fix issues with dist-installer-cli updates (untested) ===
Date: 2025-01-10
Refactored my earlier work on dist-installer-cli to remove Shellcheck errors and improve the security of sudo calls. Also changed helper-script's root_cmd.sh to accept environment variables for customizing the sudo command. This is currently untested, as I didn't have the time to do testing today.
=== Study and discuss DNS-related security hardening ===
Date: 2025-01-10
Read a bunch of material on DNS security shared with me by Patrick, and attempted to come up with a solution to the problems that were encountered when attempting to enable DNSSEC by default last time. Also argued against using DoH or a third-party DNS server.
=== Document networking-related changes ===
Date: 2025-01-10
Documented the new privacy- and security-enhancing PRs that were merged, enabling ARP filtering, selective ignoring of ARP requests, ignoring gratuitous ARP packets, and disabling shared media redirects. Documentation includes the rationale for setting each option and instructions for undoing them.
== 2025-01-09 ==
=== Fix UEFI bootloader updates in grml-debootstrap-built VMs ===
Date: 2025-01-09
Debugged issues related to UEFI bootloader installation in a VM built with grml-debootstrap, and implemented a fix for them. This will require some additional code in derivative-maker for everything to work completely, but at least things will work right upstream now.
=== Add Wayland and SDDM support to user-sysmaint-split ===
Date: 2025-01-09
Added a Wayland session and SDDM support to user-sysmaint-split. The wayland session isn't actually usable as it relies on labwc, which is only available in Debian Trixie and higher, but it should theoretically work. SDDM support is working and tested.
== 2025-01-08 ==
=== Study and document Wayland behaviors wrt. virtual terminals and IPC ===
Date: 2025-01-08
Did research and read through some SwayWM and wlroots source code to learn how Wayland compositors handle TTY switching and inter-process communication, for the purpose of adding documentation to the Strong User Account Isolation wiki page.
=== Fix repository-dist run failure in Kicksecure and Whonix Qubes templates ===
Date: 2025-01-08
Determined why repository-dist wasn't being run during or after Kicksecure and Whonix Qubes template builds, after much debugging. Fixed issues in qubes-builderv2 and in both templates.
== 2025-01-07 ==
=== Study more SUID executables in Kicksecure ===
Date: 2025-01-07
Studied a list of SUID executables Patrick built. Determined which ones were important and needed to remain SUID, which ones may be worth further review, and which ones we can safely disable.
=== Polish dist-installer-cli cross-user installation support ===
Date: 2025-01-07
Fixed many bugs in the previous work on dist-installer-cli, which work was intended to allow the installer to run in Kicksecure's sysmaint mode. Got VirtualBox-based VM installation working well on Debian and Kicksecure. Installation on Fedora seems to be broken for reasons unrelated to the modified code, as does support for downloading KVM virtual machines.
=== Report research results to Purism ===
Date: 2025-01-07
As discussed.
=== Research and describe reason for pam_wheel fix working ===
Date: 2025-01-07
Wrote a detailed description of why a bug with sudo automatically failing authentication was solved by making pam_wheel only run when <code>su</code> is being called.
=== Adjust permission-hardener to assume a merged /usr directory ===
Date: 2025-01-07
Researched and found out Bookworm always uses a merged /usr directory (/bin, /sbin, /lib, etc. are no longer used and are now symlinks to the corresponding directories under /usr). Adjusted permission-hardener to assume /usr is always merged, for simplicity's sake.
=== Attempt to reproduce permission revert bug with refactored permission-hardener ===
Date: 2025-01-07
Patrick was running into a bug I had noticed in an earlier version of the refactored permission-hardener code which resulted in SUID permissions being incorrectly restored to files that were supposed to have those permissions stripped. I attempted to reproduce this with the newest code (which was supposed to have this issue fixed) and was unable to reproduce.
== 2025-01-05 ==
=== Start porting dist-installer-cli to work in sysmaint mode ===
Date: 2025-01-05
Added functionality to dist-installer-cli that should allow it to install Kicksecure or Whonix on a different user account than the one it is running as. This should allow it to continue to function normally on non-Kicksecure systems, but also allow it to function within the sysmaint mode of Kicksecure. This is untested but looks like it should work.
=== Debug usability-misc failure to execute during Kicksecure template build on Qubes OS ===
Date: 2025-01-05
Determined that the most likely reason the derivative.list file isn't being created is because an environment variable is either being ignored or not being properly passed through. Have not yet determined how to get that environment variable to pass through. Debugging is taking long due to the long build times.
=== Attempt to fix sysmaint-panel support on Qubes OS ===
Date: 2025-01-05
Used diversion to reconfigure <code>su</code>'s PAM configuration so that pam_wheel could be used only for su calls rather than for all system authorization calls. Ultimately this solution didn't end up being considered sufficient, but it did work.
=== Test permission-hardener PR on Qubes Whonix ===
Date: 2025-01-05
Tested the new permission-hardener on a whonix-workstation-17-dvm qube. Could not reproduce the issue Ben Grande noticed with <code>write</code> and <code>wall</code>.
== 2025-01-04 ==
=== Test and fix documentation for building the Kicksecure template ===
Date: 2025-01-04
Replaced my Qubes R4.3 installation with a Qubes R4.2 installation, then worked through the instructions for building the Kicksecure template from scratch. Fixed some problems, added some more known issues, and verified that the instructions worked.
=== Create prototype implementation of BIOS+UEFI boot support for Calamares ===
Date: 2025-01-04
Got Calamares to install both BIOS and UEFI bootloaders during OS installation. Submitted the prototype implementation as a draft PR.
=== Upload Calamares 3.3.12 backport to Debian Mentors ===
Date: 2025-01-04
Created and tested a simple backport of Calamares 3.3.12 to Bookworm. Notified the maintainer of this backport's existence once done.
== 2025-01-02 ==
=== Find root cause of ARM64 ISO build failure on Qubes OS ===
Date: 2025-01-02
Traced the build failure to a bug in QEMU when running under Qubes, resulting in an intermittent python3 segfault. The bug doesn't exist in the version of QEMU in bookworm-backports; using that version of QEMU on the build host VM allows the build to succeed.
=== Debug sudo failures when using sysmaint-panel on Qubes OS ===
Date: 2025-01-02
Determined why privileged sysmaint-panel operations were failing with a threefold authentication failure with no password prompts. Documented the reason for the problem and started discussing with Patrick how to resolve the issue.
== 2025-01-01 ==
=== Reproduce ARM64 ISO build failure on Qubes OS ===
Date: 2025-01-01
Found three bugs when doing ARM64 builds of Kicksecure in a Kicksecure qube under Qubes OS. All of them are very strange, one of them might be the result of umask changes but I'm not entirely sure.
=== Test permission-hardener refactored code on Whonix ===
Date: 2025-01-01
Attempted to reproduce a bug noted by Ben Grande by testing the new permission-hardener on Whonix. Could not reproduce bug. Also fixed a merge conflict.
== 2024-12-31 ==
=== Polish Kicksecure Qubes template build ===
Date: 2024-12-31
Fixed up the Kicksecure Qubes template configuration, tested it, and submitted a PR to Qubes.
== 2024-12-30 ==
=== Get qubes-builderv2 to build the Kicksecure template ===
Date: 2024-12-30
Fought with qubes-builderv2, creating a patch that allowed building the Kicksecure template. This patch isn't suitable for upstreaming; I need to work on it more first.
=== More fixes for sysmaint mode ===
Date: 2024-12-30
Fixed more issues with sysmaint mode and sysmaint-related code, tested and pushed. This included fixing issues with "classic" builds that don't have sysmaint mode present.
== 2024-12-29 ==
=== Fix GRUB boot menu organization ===
Date: 2024-12-29
Spent a long time figuring out how to get the advanced boot options in the GRUB menu to either go away entirely or move somewhere less obtrusive (they were appearing interleaved throughout the boot menu previously). After much discussion and experimentation, I finally got a solution both me and Patrick were happy with. Pushed to Git and ready for review.
=== Attempt to reproduce German keyboard layout issue with Calamares ===
Date: 2024-12-29
Did a German installation of Kicksecure in a VM, could not reproduce installation failure. Asked for more info from the user experiencing the problem.
=== Finish initial draft of verified boot firmware and device requirements ===
Date: 2024-12-29
Finished putting together the requirements needed to allow Kicksecure to implement a hopefully robust verified boot system. Did lots of research and brainstorming with Patrick. Needs some more review, but it should be close to done.
== 2024-12-28 ==
=== More firmware authentication relay attack research ===
Date: 2024-12-28
Fleshed out potential problems with the original threat model in the relay attack writeup, changed some of the hardware design concepts to allow specifying a different and easier-to-defend-against threat model, and laid out how firmware authentication with such a threat model would work. Also researched existing solutions in this area.
== 2024-12-27 ==
=== Investigate firmware authentication relay attack avoidance ===
Date: 2024-12-27
Made a detailed writeup about firmware authentication techniques and relay attacks. Didn't quite finish it; there are still some loose ends to tie up and more things to figure out.
== 2024-12-26 ==
=== Brainstorm firmware requirements for verified boot ===
Date: 2024-12-26
Discussed with Patrick what a firmware implementation needed to provide to allow us to provide a robust verified boot implementation without creating hardware that was incompatible with other major Linux distributions. Came up with a good set of ideas that are mostly complete. Needs a bit more polish.
=== ISO sysmaint mode fixes and improvements ===
Date: 2024-12-26
Made more patches for making sysmaint mode work properly both on the ISO and on installed systems.
=== Review shadow and ssh wiki content ===
Date: 2024-12-26
Reviewed, tested, and augmented the new shadow and ssh documentation on the User and SSH pages.
== 2024-12-25 ==
=== More polishing of ISO sysmaint mode ===
Date: 2024-12-25
Fixed a bunch of bugs in ISO sysmaint mode. After discussion with Patrick, it turns out some (thankfully not most) of these bugfixes ended up being problematic themselves, so I'm going to be fixing those very soon.
=== Finish permission-hardener refactor ===
Date: 2024-12-25
Finished refactoring the permission-hardener code. Tested it, created test code for it, and opened a PR so it can be reviewed.
== 2024-12-24 ==
=== Continue refactoring permission-hardener ===
Date: 2024-12-24
Got most of the code for the permission-hardener refactor written. Still need to write the code for applying a calculated state to the filesystem, and then I need to test the code.
=== Redo PBKDF merge request for kpmcore ===
Date: 2024-12-24
Took the code from an earlier merge request to kpmcore, and polished it up so it was ready to merge. This will allow applications like Calamares to configure the PBKDF to use in the future at some point.
=== Polish ISO sysmaint mode ===
Date: 2024-12-24
Fixed several issues in the ISO sysmaint mode, changing six repos in the process. Also made it so that if a password is set on the sysmaint account, it doesn't autologin when booting in <code>PERSISTENT mode SYSMAINT</code>.
== 2024-12-23 ==
=== Start refactoring permission-hardener ===
Date: 2024-12-23
Read through permission-hardener, identified some weaknesses in it, created an algorithm that should hopefully make a refactor perform better, and started initial refactoring work.
=== Preliminary ISO sysmaint support ===
Date: 2024-12-23
Developed and augmented the needed components to make sysmaint mode work on the ISO. Needs further polish.
== 2024-12-22 ==
=== Fix Secure Boot issues, file bug reports, discuss sysmaint and other development with Patrick ===
Date: 2024-12-22
Filed bug reports against Calamares and grml-debootstrap related to their handling of the fallback bootloader. To avoid needing to wait to fix the bug until we get responses, I created a quick fix for the Secure Boot issues that got the ISO working correctly. Also discussed further development of user-sysmaint-split and other possible new features with Patrick.
=== More drk development ===
Date: 2024-12-22
Fixed several bugs in the Debian Rolling Kit project, and implemented the <code>remove-package</code> command for managing the rolling archive.
=== Debug and fix chsh failure during build ===
Date: 2024-12-22
Somehow changing the user's shell to zsh was requesting authentication during build, resulting in the shell change failing. After debugging, it turned out that the <code>/etc/shells</code> file wasn't updated to include zsh in the list of valid login shells by the time dist-base-files' postinst script was trying to set the user shell. To fix this, I configured live-build to explicitly install zsh before installing a package that pulled in dist-base-files.
=== Make Kicksecure ISO builds use user-configured initramfs ===
Date: 2024-12-22
Previously derivative-maker was hardcoded to always use dracut-live as the initramfs. Now the correct initramfs to use is autodetected based on the user's choice. I did not actually test an initramfs-tools build of Kicksecure, but I did ensure that dracut builds continued to work.
=== Reviewed boot modes wiki page ===
Date: 2024-12-22
Read through the wiki page, added some ideas to it.
=== Debug Secure Boot fallback bootloader problems ===
Date: 2024-12-22
Finally figured out why Secure Boot and the fallback bootloader were interacting with each other poorly - GRUB was not being installed to the removable media path correctly. This was not the result of removing debian-installer, Debian Trixie behaves the same way. This also explains why the last Secure Boot fix worked on my VMs but not for some other people.
=== Verify dracut-config-generic is getting installed onto the Kicksecure ISO ===
Date: 2024-12-22
Mounted a Kicksecure ISO squashfs, chrooted in and verified dracut-config-generic was installed.
== 2024-12-21 ==
=== Review new documentation on Verified Boot page ===
Date: 2024-12-21
Reviewed three new documentation segments on the Verified Boot page, fixing issues and noting down a thing I was confused about.
=== Review USBGuard PR ===
Date: 2024-12-21
Reviewed USBGuard pull request on security-misc for maliciousness, functionality, and correctness. Also did basic testing. Requested that some changes be made.
== 2024-12-20 ==
=== Review ARP-related PRs ===
Date: 2024-12-20
Reviewed and commented on all ARP-related PRs. We should probably document how to disable most if not all of these settings.
=== Attempt to test IPv6 pull requests on Qubes OS ===
Date: 2024-12-20
Tried (and failed) to get a cloned Whonix-Gateway / Whonix-Workstation VM pair running on Qubes with the IPv6 PRs installed. Could not get Qubes OS to behave properly when configuring a VM to provide networking to other VMs.
=== Improve sysmaint documentation ===
Date: 2024-12-20
Added documentation on using sysmaint mode, including documenting the warning it displays when logging into a console session, and documenting the restrictions it has on when certain accounts can be logged into.
=== Bug fixes and improvements to user-sysmaint-split and sysmaint-panel ===
Date: 2024-12-20
Made a bunch of fixes to various aspects of the user-sysmaint-split system, making all changes Patrick requested and also fixing things such as multi-monitor support. The system is potentially pretty close to ready for beta-testing at this point.
== 2024-12-19 ==
=== Test IPv6 pull requests on libvirt ===
Date: 2024-12-19
Attempted to make DanWin's IPv6 PRs work on libvirt. Could not get it working despite configuring IPv6 NAT as best as I could. Reported issues on one of the PRs.
== 2024-12-18 ==
=== More development on sysmaint mode ===
Date: 2024-12-18
Made changes to user-sysmaint-split, sysmaint-panel, security-misc, and helper-scripts to prepare sysmaint mode for release and general use. Needs more testing before it's ready for release, but it's very close to ready.
=== Test IPv6 support for Whonix ===
Date: 2024-12-18
Reviewed new changes in DanWin's IPv6 support code, built and tested it. Could not get it to work; I think DanWin explained why, but I'm not sure what's needed to make it work.
=== Prepare NMU for Calamares 3.3.12 fix ===
Date: 2024-12-18
Created a simple NMU to fix the bug keeping Calamares 3.3.12 from migrating. Asked for help with sponsorship, but no one in #debian-devel volunteered so I'll probably have to ask someone I know for help there (thankfully that's easy).
== 2024-12-17 ==
=== Further improvements to sysmaint mode graphical session ===
Date: 2024-12-17
Determined how to make a boot mode that would boot into a graphical system maintenance mode session, and in general improved the sysmaint panel app so it would be nice to use. Also did a lot of discussion with Patrick about how to best implement the user-sysmaint split.
== 2024-12-16 ==
=== Work on admin mode graphical session ===
Date: 2024-12-16
Attempted to determine what is needed to create a simple, auto-login graphical session for Kicksecure's admin mode. Ran into trouble with display manager and login-related issues, but made good progress on overcoming those. Also wrote a simple admin control panel app.
== 2024-12-15 ==
=== Study Verified Boot ===
Date: 2024-12-15
Did a very large amount of study on Verified Boot and technologies that could be used to implement it, discussing concepts and design ideas with Patrick and documenting a potential design idea. The design needs more polishing and might not be practical yet, but it looks potentially hopeful.
=== Prevent VirtualBox from attempting to auto-install Kicksecure ===
Date: 2024-12-15
VirtualBox's automatic installation feature is incompatible with Kicksecure, but because Kicksecure's ISO was identifying itself as a Debian ISO in <code>/.disk/info</code>, VirtualBox was treating it as Debian and attempting to autoinstall it. This would result in failure to boot. To resolve this, I changed our fork of live-build to identify the ISO as being a Kicksecure ISO instead, which resolved the issue - VirtualBox no longer attempts to autoinstall from Kicksecure ISOs.
== 2024-12-14 ==
=== Add config file purge feature to dummy-dependency ===
Date: 2024-12-14
Added <code>--remove</code> and <code>--purge</code> switches to dummy-dependency, which can be used to explicitly choose whether or not to remove conffiles when replacing a package with a dummy package. By default, <code>--remove</code> is used, which keeps the conffiles.
=== Implement ISO integrity self-check ===
Date: 2024-12-14
Added easy ISO self-verification support to live-build, submitted it as an upstream MR, and merged it into our custom fork of live-build, enabling it in derivative-maker.
== 2024-12-12 ==
=== Investigate dracut-config-rescue ===
Date: 2024-12-12
Investigated whether it would harm anything to remove dracut-config-rescue, or if it would improve things if it were removed. The package is supposed to include various useful utilities that users might want in the event they get dropped to a Dracut rescue shell. Based on my research (done by rebuilding and unpacking initramfs files on a live ISO), it seems to not be being used at all, so it should be fine to remove. (We don't even want the rescue shell to be enabled by default anyway, so any harm that could be caused by removing this is likely to be minimal.)
=== Investigate memtest86+ signing ===
Date: 2024-12-12
Memtest86+ is not signed, so it doesn't work on systems with Secure Boot enabled. Sent an email asking what can be done to help move things forward so Memtest86+ can be signed.
=== Integrity check and DRK development ===
Date: 2024-12-12
After debugging an issue that Patrick and I originally thought was the result of a corrupted ISO, Patrick had the idea of adding integrity checking to the ISO. This can be done with Dracut using the isomd5sum package. Got support for it working in live-build, however it currently only works on Trixie for reasons unknown to me (it always fails on Bookworm). Needs more development before it's ready for merge and release.
While waiting for very long builds (partially caused by accidentally building for arm64 rather than amd64 a couple of times), I worked on the Debian Rolling Kit some more. So far I have a working dependency resolver that can take a source package name as input, and spit out all binary packages in its dependency tree that have newer versions in Unstable than in Testing.
== 2024-12-11 ==
=== Start writing Debian Rolling Kit (drk) ===
Date: 2024-12-11
Finally managed to get the Debian Archive Kit (dak) working. There's quite a bit of tooling that appears to be missing before maintaining a rolling archive will be practical, so I started writing it in Python. Since it complements the Debian Archive Kit, I called it the Debian Rolling Kit.
=== Test PR for optional squashfses in Calamares ===
Date: 2024-12-11
One of the Lubuntu devs heard that I wanted to add support for optional squashfses to Calamares, and decided to implement it and make a PR for it. Tested it, it appears to work well. (Thanks to Simon Quigley for writing the code for this!)
=== Fix Secure Boot and multiarch support ===
Date: 2024-12-11
Polished bootloader installation code to ensure that Secure Boot and non-amd64 systems were properly supported.
== 2024-12-10 ==
=== Experiment with creating Debian Rolling ===
Date: 2024-12-10
Set up a Debian Bookworm server VM, installed the Debian Archive Kit (dak), and began investigating how to set up a rolling archive on my local machine. This was tricky since dak's installer was broken, and the documentation was bad, so I haven't made a whole lot of progress, but I have a good foundation laid out.
=== Test Secure Access Key with LXQt Wayland, report bug ===
Date: 2024-12-10
Discovered that Alt+SysRq+R + Alt+SysRq+K did not work as expected under QEMU with virtio graphics and no 3D acceleration. This might be specific to my setup, but parts of it might not be, so I reported it upstream.
=== More Kicksecure live-build ISO enhancements ===
Date: 2024-12-10
* Reverted to old GRUB config for graphics handling, since it worked better
* Changed the data reported on the ISO boot menu so that full version information was included and superfluous data was removed
* Added memtest86+
* Added a 30-second timeout before automatically booting the live session
== 2024-12-09 ==
=== Send bug reports for the ISO changed files issues ===
Date: 2024-12-09
Thoroughly studied each of the changed files, writing bug reports as appropriate and testing things as needed.
=== Review boot modes wiki page ===
Date: 2024-12-09
Looked at the boot modes page, made notes about things that may need to change.
=== Brainstorm and experiment with sudoless implementations ===
Date: 2024-12-09
Experimented with ways to implement sudoless support in Kicksecure, and brainstormed ideas with Patrick. Ultimately sudo and pkexec will retain their SUID bits but not be executable by anyone but the admin user. We may also want to allow switching between the admin and primary users without requiring a reboot. The admin account ''may'' be ephemeral (although we haven't entirely decided on whether this is a good idea or not yet), and Wayland will be used to improve security by avoiding potential vulnerabilities in X that could be exploited via the world-accessible UNIX sockets X makes available under /tmp/.X11-unix.
== 2024-12-08 ==
=== Research and start developing sudoless support ===
Date: 2024-12-08
Did a lot of research to determine what needed to change in Kicksecure and Whonix to make it sudoless (i.e., sudo or similar tools cannot be used when booted in 'user mode', and can only be used if booted into 'admin mode'). Also reimplemented livecheck's functionality in a sudoless manner, it was one of the few spots where it was practical to just remove the need for sudo entirely.
=== Document comparing git tags in derivative-maker ===
Date: 2024-12-08
Did a lot of study and experimentation on how to compare git tags to each other in derivative-maker, without ignoring changes in submodules. Found a solution involving using <code>git diff --submodule=diff</code> and a PatchViewer web application. Attempts to make a difftool-like utility for this were unsuccessful.
=== Determine if run0 is suitable for Kicksecure ===
Date: 2024-12-08
Studied run0 (a sudo alternative), determined it was not suitable for use in Kicksecure and Whonix, and wrote a reply to Patrick about why.
=== Propose a solution to shipping machine-ids ===
Date: 2024-12-08
Currently we're shipping hardcoded machine ID files for Kicksecure and Whonix, intentionally. The problem with this is that Debian does not expect these files to be package-controlled, but expects them to be dynamically generated. Thus there is some code in tools like live-build that wipes ephemeral machine IDs, and other code elsewhere in Debian that generates new ones. It would therefore be a good idea to switch to dynamically generating machine IDs, even if it's just to put a static ID on the disk. The machine ID files should NOT be shipped by a package. We can leverage Calamares for this; it's designed for it.
=== Disable both recovery modes ===
Date: 2024-12-08
Added code to disable both the single-user mode boot options, and the ability to drop to Dracut's recovery shell. Both of these will be easily bypassable until such a time as a bootloader password is implemented, but they may provide a minor amount of protection for now, and potentially a substantial amount in the future.
=== Added fwupd to Kicksecure ISO, experiment with live-build dm-verify ===
Date: 2024-12-08
Added fwupd and fwupd-signed to Kicksecure's live-build ISO, taking into account architecture-specific concerns with fwupd-signed. Tested amd64 builds and ensured they still worked. While waiting for this build, I also experimented with the <code>--dm-verity</code> option in live-build, which proved to be not supported at all when Dracut is used as an initramfs. Development work will be needed to get that working.
== 2024-12-07 ==
=== Research derivative-maker git tag comparison ===
Date: 2024-12-07
Tested Patrick's script for reviewing code changes between git tags in derivative-maker, including changes in submodules. This script had some issues, many of which were caused by the behavior of <code>git diff</code>, so I wrote a script that mimicked <code>git difftool --tool=meld --dir-diff</code>'s behavior but including submodules in the picture. Also sent a feature request / offer to contribute a feature to Git to see if we can solve the problem upstream.
== 2024-12-05 ==
=== Researched implementing safe_echo with formatting support ===
Date: 2024-12-05
Looked at issues that were being experienced with safe_echo and formatting, and came up with a potential solution for resolving them after researching ANSI escape codes.
=== Researched previous Debian rolling release attempts ===
Date: 2024-12-05
Looked into DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) and a practical proposal for implementing a Debian rolling release (https://lists.debian.org/debian-devel/2011/05/msg00275.html). There appears to be a potential way forward here; there are just some serious hurdles, and no one's had the time or motivation to implement the proposals.
=== Enhance live-build ===
Date: 2024-12-05
Fixed several bugs and added enhancements to live-build.
== 2024-12-04 ==
=== Investigate live-build downloads ===
Date: 2024-12-04
Reviewed live-build file download code.
=== Investigate strange vm-config-dist reinstallation bug ===
Date: 2024-12-04
Determined that vm-config-dist's Installed-Size somehow differed between the local build of Kicksecure and the remote repo. This is not a change in the deb file, but rather a difference in the metadata provided as part of an apt repo.
== 2024-12-03 ==
=== Improve swap-file-creator heuristics ===
Date: 2024-12-03
Added logic to swap-file-creator and helper-scripts' calculate-swap-size script to cap the swap file size at 10% of the total size of the disk. Tested; the new code appears to work right and passes Shellcheck. calculate-swap-size's regression tests pass and also now include a test for small disks.
=== Review potential package additions for the ISO ===
Date: 2024-12-03
Looked at three packages Patrick suggested potentially adding to the ISO, to see if they needed to be added or not. (The packages were specifically <code>mokutil</code>, <code>keyutils</code>, and <code>efibootmgr</code>.) All three are being installed on our ISOs by default, and I don't think it's a good idea to explicitly add any of them. Documented this in dev/todo.
=== Investigate debsums warnings ===
Date: 2024-12-03
Discovered that all warnings about changed files shown by debsums were the result of live-build. Documented why each file is changed, and what might be able to be done to avoid needing to change those files, or mitigate undesirable effects of having to change them.
=== Finish debugging SDDM lockup issues ===
Date: 2024-12-03
Found the root cause of the SDDM lockup issues, created a patch that resolves them, and sent a bug report to Debian with the results. (Two different bugs were at work, one being an incomplete socket read issue, and another being a regex match issue.)
== 2024-12-02 ==
=== Add generic multi-arch support to derivative-maker's live-build code ===
Date: 2024-12-02
Added the ability to (in theory) build Kicksecure for any officially supported Debian architecture. amd64 builds and arm64 cross-builds on an amd64 system are both tested; other architectures have not been tested.
=== Work on debugging SDDM lockup issues ===
Date: 2024-12-02
Debian systems that use SDDM can be rendered difficult to log into after distro-morphing to Kicksecure. Typing a wrong password at the SDDM screen results in all further login attempts causing SDDM to hang, until the user logs in successfully some other way. Logging in some other way (for instance, at a TTY) results in being able to log in via SDDM again. I attempted to determine what was going wrong, but failed to find the root cause. More debugging is needed.
=== Research Calamares' use of Argon2id for LUKS2 ===
Date: 2024-12-02
Determined that Calamares was using Argon2id for LUKS2 on Kicksecure, but only because of cryptsetup defaults. Followed up on an MR for libkpmcore that could be used to fix this.
== 2024-12-01 ==
=== Debug and fix arm64 build failure ===
Date: 2024-12-01
Figured out why tirdad was failing to build on arm64 (turns out it doesn't support Livepatch). Resolved with changes to derivative-maker to install dummy-dependency-tirdad instead on arm64.
Also did review work and wrote an (as yet untested) script for building doas config snippets into a config file while waiting for builds to complete.
== 2024-11-29 ==
=== Polish Calamares filesystem restriction PR ===
Date: 2024-11-29
Ran a bunch of tests on the Calamares filesystem restrictions PR, fixing several bugs in the process. There's one stubborn bug remaining that I'll need to work out before this is mergeable, but it's very close, and the Calamares devs appear to be ready to merge when it's ready for merging.
=== doas feature requests ===
Date: 2024-11-29
Discussed doas feature requests on the OpenBSD tech mailing list. All feature requests appear to have been rejected, so we'll have to use wrapper scripts to implement the needed functionality. I originally thought wrapper scripts were a bad idea, but the lead OpenBSD dev seems to be in favor of that solution, so it should be OK.
== 2024-11-28 ==
=== arm64 builds, umask, doas, immutable root testing ===
Date: 2024-11-28
Ended up lumping all of these topics into one because most of the things I worked on were done while waiting for very slow arm64 cross builds of Kicksecure to finish or fail.
Got arm64 builds of Kicksecure's ISO working with live-build. Ended up finding a bug in one of our live-build patches and a bug in live-build upstream in the process, and also found several spots in the configuration and ISO build script that needed to be fixed in order for the ISO to build. I managed to get a working ISO that was bootable using a UEFI-enabled arm64 emulator. amd64 builds still work and appear to be good. So far only cross-building arm64 on amd64 has been tested; I have not yet tested native arm64 builds.
Finished researching umask hardening, and made a pull request that enables it. Turns out a mixture of PAM and sudoers settings should work for this.
Sent an email to the OpenBSD development mailing list to see if they're willing to accept doas patches for adding the functionality we want.
Tested both Debian and Kicksecure installations with a fully read-only root partition. Sadly this did not end up working: making the root partition read-only makes it impossible to get a graphical user environment, and with Kicksecure it makes it impossible to even get a console login.
=== Finalized and pushed pkexec fixes ===
Date: 2024-11-28
Worked out the remaining issues with the pkexec fixes and pushed them.
== 2024-11-27 ==
=== Investigate how OpenSSH handles umask ===
Date: 2024-11-27
Researched how OpenSSH launches programs and shells, and how it handles umask. Much of this involved reading through part of the (thankfully very well-commented) source code of OpenSSH itself. Documented how umask is handled and relevant info about how shells are launched in dev/todo.
=== Polish physical attack protection docs ===
Date: 2024-11-27
Fixed some minor issues with the original docs, and filled out the section about hardware tampering detection with more detailed info. In the future we may also want to document writing one's own grub.cfg files for fine-grained control over bootloader password settings.
=== Fix pkexec policykit config ===
Date: 2024-11-27
Mostly fixed issues found previously, need input from Patrick on how to finish fixing this.
=== Fix network configuration settings for live-build ISO builds ===
Date: 2024-11-27
grml-debootstrap was previously being used to write <code>/etc/hosts</code> and <code>/etc/hostname</code> for ISO builds. The new live-build method of building ISOs didn't do this, resulting in these files not being properly configured. Code has now been added to properly configure them.
=== Try to reproduce lightdm and sleep issues on physical hardware ===
Date: 2024-11-27
After I failed to reproduce the bug mentioned by sam on the Kicksecure Forums in a virtual machine, I installed Debian 12 Cinnamon onto a USB drive using my primary laptop, booted from it, and distro-morphed to Kicksecure, using the <code>kicksecure-xfce-host</code> package to see if that would cause the problem. I still could not reproduce either the SDDM freezes or the sleep issues. Left a comment on the forums with some ideas about why this might be happening.
== 2024-11-26 ==
=== Review pkexec policies and privileged scripts connected to them ===
Date: 2024-11-26
Did a security review on the two pkexec action policies we ship, along with the privileged scripts they point to. Shared results of the review with Patrick.
=== Research using capabilities in place of root access ===
Date: 2024-11-26
Did more research on how capabilities work under Linux, and whether they can be used to replace root access in Kicksecure. Unfortunately I do not believe this to be practical, due to the fact that the capabilities system would likely require extensive permissions modifications and changes to systemd units in order to make it work. Debian is not designed to work this way. The security benefits of mixing traditional privilege control with capabilities aren't all that powerful, and even a total port to the capabilities system wouldn't confer good security advantages without careful planning.
== 2024-11-25 ==
=== Review rads code ===
Date: 2024-11-25
Reviewed the source code of RAM Adjusted Desktop Starter to see if it looked like the source of the distro morphing glitch bug. Found a couple of minor issues, but it did not appear to be the source of the issue.
=== Determine difficulty of replacing sudo with doas in Kicksecure and Whonix codebases ===
Date: 2024-11-25
Used grep to scan through all of our code and determine how difficult it will likely be to port from sudo to doas. Some areas look potentially tricky, but it appears doable. Posted the results of the audit as a GitHub Gist and saved a link to it in dev/todo.
=== Do initial research on replacing root access with capabilities ===
Date: 2024-11-25
Researched Linux capabilities, how to use them, and if they could potentially be used to restrict privileges on all set-UID root applications (and potentially even remove the need for an accessible root account). Noted down some of the more useful things found during the research, going to work on this more tomorrow by doing hands-on testing.
=== Attempt to reproduce distro morphing glitches ===
Date: 2024-11-25
Did a distro morphing install on Debian KDE to see if I could get the login manager or sleep to break. Failed to reproduce the bug. Need to try again with a slightly different method of distro morphing.
== 2024-11-24 ==
=== Rewrite str_replace and str_match in Python ===
Date: 2024-11-24
After Qualys found the needrestart vulnerabilities, we decided to double-check those parts of our codebase that used Perl and harden them if necessary. Most of our uses of Perl only process trusted input, or only process input in a way that is likely to be safe. However, <code>str_replace</code> and <code>str_match</code> seem like they could reasonably be used to handle untrusted data and might not be called in a definitely safe fashion, and so, just in case, I rewrote them in simple, straightforward Python, linting it with PyCharm and testing <code>str_replace</code> with dm-packaging-helper-script's <code>pkg_descr_creator</code> and <code>pkg_descr_merge_all</code> functions, ensuring that the new versions generated identical output to the old versions.
=== Overhaul Calamares filesystem restrictions pull request ===
Date: 2024-11-24
Made all changes requested by the Calamares devs. This ended up being a large job, as one of the requested changes was an additional validation layer that proved to be very difficult to implement well. It was able to be implemented, however, and it seems to be working properly.
== 2024-11-23 ==
=== Test, bugfix, and discuss the Calamares filesystem restrictions pull request ===
Date: 2024-11-23
Tested the code currently used to implement the Calamares filesystem restrictions feature. It passed a thorough test plan, but ultimately was not usable as-is: a Calamares developer discussed it with me, pointed out several flaws that needed to be resolved, and helped me figure out how to best resolve them.
=== Research Python and Perl security pitfalls ===
Date: 2024-11-23
Carefully read the Qualys needrestart vulnerability report, along with the link to the Phrack article by rain.forest.puppy and two documentation pages from the SEI CERT Perl Coding Standard. Did further research to better understand the risks of the vulnerabilities and weaknesses listed. Also found a link to a number of common Python pitfalls and how to avoid them.
=== Push fixes for sudoers.d issues ===
Date: 2024-11-23
Pushed all fixes for the sudoers.d issues to GitHub; they are now ready for merging.
== 2024-11-21 ==
=== File Qubes doas support ticket ===
Date: 2024-11-21
Filed an enhancement request in qubes-issues for adding support for Qubes that use doas rather than sudo, explaining how this would potentially benefit Whonix and Qubes OS users.
=== Test permission hardening on home directories ===
Date: 2024-11-21
Discovered that home directory permission hardening does not behave as expected on Kicksecure, regardless of whether I use pre-live-build installation media or post-live-build installation media.
=== Work on sudoers.d related issues ===
Date: 2024-11-21
As discussed.
=== Research default umask settings ===
Date: 2024-11-21
Researched what would be necessary to set a restrictive umask for user accounts, while setting a more relaxed umask for root so as to avoid bugs. This ended up being more complex than expected; it's unclear whether the additional complexity is worth it or not. I documented both my findings and some implementation ideas.
=== Polish restricted filesystems implementation for Calamares ===
Date: 2024-11-21
Debugged issues in my draft implementation from yesterday, implemented changes suggested by a Calamares dev, and did some basic testing on the code to ensure it wasn't badly broken.
== 2024-11-20 ==
=== Create draft implementation of restricted filesystems for Calamares ===
Date: 2024-11-20
Created a work-in-progress implementation of the "let me restrict what filesystems the user can use" feature request for Calamares. This hasn't been tested yet, and it may need substantial changes before it can be merged, but an initial attempt at implementing it is now public and available for discussion.
=== Debug why Calamares 3.3.11 isn't migrating to Trixie ===
Date: 2024-11-20
Found out why Calamares 3.3.11 has been stuck in Sid. Turns out there's a project, calamares-extensions, which the Calamares devs also control, and that they had taken a module from and put it into Calamares itself. This resulted in a file conflict between an old version of calamares-extensions and the newer version of Calamares. Asked the Calamares devs to finalize the release of calamares-extensions so this can be resolved.
=== Attempt to create MRE for live-build apt-cacher-ng conflict ===
Date: 2024-11-20
Wrote and tested a detailed minimal reproducible example for the live-build apt-cacher-ng conflict we ran into with repository-dist. Sadly, while the example I built seems like it ''should'' reproduce the issue, I somehow misconfigured apt-cacher-ng on my test VM and wasn't able to reproduce the issue as a result. Need to come back to this.
=== Remove GRUB boot menu distro icons ===
Date: 2024-11-20
Removed the weird-looking distro icons for Kicksecure and Whonix from the corresponding GRUB menus. These looked out-of-place, and would have probably continued to look out of place even if they weren't static.
== 2024-11-19 ==
=== Audit sudoers configuration files ===
Date: 2024-11-19
Audited Kicksecure and Whonix's sudoers configuration files. Shared results of the audit with Patrick.
=== live-build, use security.debian.org when bootstrapping ===
Date: 2024-11-19
Added the ability for live-build to use a security mirror of the user's choice when bootstrapping an ISO build with mmdebstrap. Added changes to the mmdebstrap upstream merge request, merged them into my main live-build fork branch, and added code to derivative-maker that uses the new feature.
== 2024-11-18 ==
=== Research ArchiveBox ===
Date: 2024-11-18
Found answers for each of the questions we had about ArchiveBox's functionality and installation sources, and recorded them under the ArchiveBox task in dev/todo.
=== More live-build work ===
Date: 2024-11-18
Fixed an issue where the kernel packages were hardcoded to the amd64 architecture in derivative-maker's live-build configuration.
Also attempted to add security mirror support to our version of live-build's mmdebstrap mode. This ended up failing because of multiple hurdles that were hit: one has to pass entire source lines to mmdebstrap in order for it to work in this kind of multi-mirror setup, but at the same time passing entire source lines to live-build as bootstrap mirrors causes it to misbehave badly when writing the chroot's sources.list file. This will require further development to make work right.
=== Debug and fix ISO build failure on Qubes OS ===
Date: 2024-11-18
Reproduced, debugged, fixed, and tested the fix for an issue that would result in ISO build failures on Qubes OS. (<code>/home</code> was being mounted with <code>nodev</code>, causing live-build to break.)
== 2024-11-17 ==
=== Review and clean up sdwdate's url_to_unixtime component ===
Date: 2024-11-17
Did a security review on <code>url_to_unixtime</code>. Found a few minor issues, documented them, also documented things that looked good. Forked sdwdate and pushed fixes for all fixable issues to my fork for review.
=== Test hardened JSON parsing in Tor Browser version detection ===
Date: 2024-11-17
Created and executed a full test plan for the Tor Browser version detection code. It is now ready for review.
<pre>
Test plan:
* [x] Install updated packages
* [x] Ensure Tor Browser is not installed
* [x] Run AnonDist. Finds correct version of Tor Browser and offers to install it?
* [x] Installation succeeds?
* [x] Update derivative-maker
* [x] Sync tb-updater and developer-meta-files with updated versions
* [x] Run `dm-packaging-helper-script pkg_tor_browser_version_update`. Correctly updated normal, alpha, and arm64 browser versions?
* [x] Run tb-updater unit test with `bash -x unit_test`. Passes?
</pre>
=== Harden JSON parsing in Tor Browser version detection (wip) ===
Date: 2024-11-17
Wrote code that made parsing JSON for Tor Browser version detection significantly safer. This still needs to be thoroughly tested and peer-reviewed, but it's working pretty decently so far. Implementation is documented on the dev/todo page.
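The entry above describes hardening the JSON parsing behind Tor Browser version detection without giving the code. As an added illustration (not tb-updater's or dm-packaging-helper-script's actual implementation), the following Python parser shows the shape of such hardening: a size limit, strict type checks, and a whitelist pattern for the version string and platform keys so that nothing unexpected can reach a filename or shell argument. The feed layout, sample feeds and regexes are assumptions for this example, not the documented format of the real version feed.

```python
"""Strict parsing of a Tor Browser version feed (added example).

Not tb-updater's or dm-packaging-helper-script's code; it illustrates the
kind of hardening the entry above describes. The feed layout (a top-level
object with a "version" string and a "downloads" object keyed by platform)
is an assumption for this example, not a documented format.
"""
import json
import re

# Only plain release/alpha version strings such as 14.0.3 or 14.5a2 pass.
# Whitespace, path separators and shell metacharacters are rejected here,
# before the value can ever be used as a filename or a shell argument.
VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){1,3}(a[0-9]+)?")
PLATFORM_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")
MAX_FEED_BYTES = 64 * 1024  # a version feed is tiny; refuse anything bigger


class FeedError(ValueError):
    """Raised for any feed that does not match the expected strict shape."""


def parse_version_feed(raw: bytes) -> dict:
    """Return {"version": str, "platforms": [str, ...]} or raise FeedError."""
    if len(raw) > MAX_FEED_BYTES:
        raise FeedError("feed exceeds size limit")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise FeedError(f"feed is not valid UTF-8 JSON: {exc}") from None
    if not isinstance(data, dict):
        raise FeedError("top-level JSON value is not an object")

    version = data.get("version")
    if not isinstance(version, str) or not VERSION_RE.fullmatch(version):
        raise FeedError("version is missing or not a plain version string")

    downloads = data.get("downloads")
    if not isinstance(downloads, dict) or not downloads:
        raise FeedError("downloads is missing or not a non-empty object")
    platforms = []
    for key, entry in downloads.items():
        if not PLATFORM_RE.fullmatch(key) or not isinstance(entry, dict):
            raise FeedError(f"unexpected platform entry: {key!r}")
        platforms.append(key)
    return {"version": version, "platforms": sorted(platforms)}


def feed_is_rejected(raw: bytes) -> bool:
    """True if parse_version_feed() refuses the input (used by the checks)."""
    try:
        parse_version_feed(raw)
    except FeedError:
        return True
    return False


# Constructed sample feeds for this example (not real Tor Project data).
GOOD_FEED = json.dumps({
    "version": "14.0.3",
    "downloads": {"linux64": {"ALL": {}}, "linux-aarch64": {"ALL": {}}},
}).encode()
ALPHA_FEED = b'{"version": "14.5a2", "downloads": {"linux64": {}}}'
BAD_FEEDS = [
    b'["14.0.3"]',                                                 # not an object
    b'{"version": 14, "downloads": {"linux64": {}}}',              # wrong type
    b'{"version": "../14.0.3", "downloads": {"linux64": {}}}',     # path traversal
    b'{"version": "14.0.3 extra", "downloads": {"linux64": {}}}',  # whitespace
    b'{"version": "14.0.3", "downloads": {}}',                     # empty downloads
    b'{"version": "14.0.3", "downloads": {"Linux 64": {}}}',       # bad platform key
    b'{"version": "14.0.3"',                                       # truncated JSON
]

if __name__ == "__main__":
    print(parse_version_feed(GOOD_FEED))
    print(all(feed_is_rejected(f) for f in BAD_FEEDS))
```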
=== Polish archiver script, begin mass link archival ===
Date: 2024-11-17
Added the last bit of needed polish to the archiver script (skipping archive.org Wayback Machine links), then started the script running. It may take a very long time to finish archiving everything, but it runs unattended and rate-limits itself, so it should work.
== 2024-11-16 ==
=== Write mass link archiver script ===
Date: 2024-11-16
Mostly finished a script that extracts all links from the Kicksecure and Whonix wikis, and archives them using archive.today if necessary. Uses mediawiki-shell's existing features to do link extraction. The script still needs to omit archive.org links and onion links, but that's about the only feature it's missing. The script intentionally operates very slowly, in order to avoid overloading the archive.today service.
=== Enhance mediawiki-link-to-archive with archive.today support ===
Date: 2024-11-16
Wrote the code needed for adding archive.today links to the Wiki, documented the intended behavior of the code, and documented followup steps that need to be done in order to deploy it.
=== Review kloak makefile enhancements ===
Date: 2024-11-16
Reviewed contributed enhancements to kloak's makefile, suggesting several changes and commenting on follow-up changes that would be required.
== 2024-11-15 ==
=== Research archive.today link protection operation ===
Date: 2024-11-15
Researched what steps would be needed to archive all pages linked to on the Kicksecure and Whonix wikis, and studied how to best add those links to the wikis. Added all researched info to dev/todo page, including adding a task for making the archive.today frontend capable of extracting the date and time of the last snapshot.
=== Redo Tor Browser version detection logic in dm-packaging-helper-script ===
Date: 2024-11-15
The logic for detecting Tor Browser versions that I originally wrote worked, but used a non-ideal method of version detection that was different than code already present in tb-updater. To resolve this, <code>pkg_tor_browser_version_update</code> now actually uses tb-updater's Tor Browser version detection code, giving us a single source of truth for both tools. Also fixed an easy-to-resolve Shellcheck issue while I was there.
=== Polish archive.today frontend, add to helper-scripts ===
Date: 2024-11-15
Finished the Python-based archive.today frontend. Both Tor and clearnet access work. Added to helper-scripts, deleted the now-obsolete repo used to share the WIP version with Patrick.