[Whonix-devel] revisiting decision of using stable as a Whonix base

Fri May 13 22:41:25 CEST 2016

bancfc at openmailbox.org:
> On 2016-05-10 18:09, Patrick Schleizer wrote:
>>> I wanted to revisit the decision of using stable as a Whonix base. The
>>> biggest (and only) advantage of using stable is to avoid unexpected
>>> dependency breakages that increase maintenance burden.
>>>
>>> From a security POV stable is a disaster that's guaranteed to have
>>> security bugs that are not patched for years at a time. Not every
>>> potentially exploitable bug that is discovered and fixed in upstream
>>> software versions is marked as a cve for backporting. What appears as a
>>> crash or DoS bug have security implications with enough effort. Linus is
>>> infamous for doing "silent" fixes where he marks scores of bugs as DoS
>>> when they have security implications and so they never make it into
>>> stable distro kernels. The situation is similar for userspace software
>>> in Debian stable to that suffer from publically discovered security
>>> problems but don't get upgraded because of policy.
>>>
>>> See:
>>>
>>> https://mjg59.dreamwidth.org/41085.html
>>> https://cxsecurity.com/issue/WLB-2008070032
>>>
>>>
>>> Are testing snapshots a workable compromise between security and
>>> stability?
>>>
>>> (Its up to you to post this conversation for public record)
>>>
>>
>> I not mind about public vs private.
>>
>> Debian testing:
>>
>> - build keeps breaking (ok, never mind and testing snapshots would do)
>>
>> - flood of constant upgrades (maybe also say never mind)
>>
>> - users will keep running into issues which creates a user support hell
>> (this is serious)
>>
>> - it's impossible to keep up and to see how it interacts with Whonix.
>> Just using testing in sources.list could quickly end in obscure stuff
>> (like apparmor changes) resulting in Tor not longer starting and whatnot.
>>
>> Or do you suggest somehow slowing down testing by having Whonix decide
>> which snapshot of users are going to use?
> 
> Exactly so. This would resolve the most pressing problems like the
> breakage and support hell scenarios you describe while giving users a
> fresher/patched base for better security.

I don't think this is possible with the resources we have.

We cannot manage /etc/apt/sources.list.d/debian.list though a Debian
package / apt-get.

Let's say we had a a snapshot.debian.org in
/etc/apt/sources.list.d/debian.list as anon-apt-sources-list.

At first run of apt-get would install a newer package of
anon-apt-sources-list would ship a newer
/etc/apt/sources.list.d/debian.list with a fresher snapshot and new
Whonix debian packages. Only then, on next run of apt-get update and
apt-get dist-upgrade, newer Debian packages would be installed. So the
Whonix packages would have to be tested and compatible with the older
and newer Debian packages.

Or use some other mechanism to guide upgrades, something outside of
apt-get which is not great, reinventing such a system.

What would work in theory would be not using the official Debian
repository, but a mirror of all Debian packages under Whonix control. So
packages are only made available to everyone once they have been tested
for Whonix compatibility. Ubuntu does something similar. They freeze
Debian testing, stabilize and support.

I don't think we have enough reliable working hours per week or even per
month to get this done. And I can't do it alone, because then this would
be kinda my only task.

As a half baked solution there could be a maintainer who provides a
Whonix version based on Debian testing who provides patches to make
Whonix compatible with both stable and testing.

Cheers,
Patrick