GnuPG key transition – Update 1

I’ve got a new gnupg key. The full announcement can be read here: https://www.whonix.org/wiki/Adrelanos

Update 1:
As a commenter pointed out, the old link could not be verified due to a bad signature. This is because mailing list archives replace @ with _at_ and therefore disrupt the message integrity.

The full announcement can be read here: https://www.whonix.org/pipermail/whonix-devel/2014-January/000120.html

giving up pseudonymity after collecting experiences with pseudonymous project development

You may have noticed that I, previously known only known under the pseudonym adrelanos, decided to give up my pseudonymity. It was an interesting experience to pseudonymously maintain a Linux distribution (Whonix). I’ve learned a lot during these ~ 2 years.

I didn’t have too bad luck in the lottery of life and are won a citizenship, which is at low risk compared to less lucky ones. Living in a country, where pseudonymity for this kind of activity isn’t crucial. Fortunately, according to latest press, neither the US nor Germany are killing their own citizen for criticizing “the system”. That is, the mass surveillance police state, the military industrial complex, the system of economy, that needs exponential growth to prevent imploding. And so it doesn’t become even worse, and better for the less lucky ones, it is important to speak out in public and to take action.

Staying pseudonymous for such a long time became more and more a burden. For me, it is not healthy for psychology. When pseudonymously working a a project, you cannot tell anyone about it and they’re wondering with what you never tell much. You need to constantly second guess every tiny action. Concentrate on not messing up. Also you’ll never know if you already messed up and if “they” already know who you are. You only need to mess up once, and you’re always linked to that project. Lucky me, I wasn’t forced to stay pseudonymous for ever.

I am looking forward to continue contributing to the awesome Free (as in freedom) Software community. Being no longer pseudonymous allows me to speak at conferences, to attend key singing parties, to meet up with other developers, to voice chat with other developers, to chat on IRC without fear of leaking too much information, to be less paranoid, sometimes even running searches in clearnet if that is more convenient, and so forth.

New Whonix Forum

We have a new forum. Can be reached under https://www.whonix.org/forum or http://kkkkkkkkkk63ava6.onion/forum.

The new link can also be found on the Support page:

https://www.whonix.org/wiki/Support

This was necessary, because this forum has a bugs we’re unable to fix in reasonable time:

https://www.whonix.org/wiki/Special:AWCforum/st/id35/New_forum,_new_bugs….html

Old topics may still be discussed in the old forum. Please do not create new topics the old forum. Use the new forum for that.

(End of testing.) Testers-Only version Whonix 7.7.2 Debian Packages

No more testing of this version required.

testers-only, which means apt-get could hang in half-broken state which
can likely be manually fixed. (Advanced Linux users, those comfortable
with Debian sid or so can even fix them themselves.) There is never 100%
security. Having snapshots/backups around is recommended. No
anonymity/privacy/security issues expected. By switching to the
testers-only repository you’ll help a lot improving Whonix and speeding
up development (more eyeballs catching bugs). Stable releases will then
work better for everyone.

If you want to build images from source code:

Currently not possible (or at least very difficult), due to two bugs which have been recently introduced in Debian testing.

It might take a while until these get fixed. I plan to base next Whonix version on Debian stable instead of Debian testing to avoid that kind of build bugs and to avoid

If you want to upgrade from Whonix’s repository:

Switch to Whonix’s ”’testers-only”’ apt repository.

First do these steps on Whonix-Gateway, then repeat on
Whonix-Workstation. There might be small bugs related to
whonixcheck/timesync, and you may need to reboot.

export WHONIX_APT_REPOSITORY_DISTRIBUTION_ENV=testers

Apply changes to which Whonix apt repository will be used.

sudo -E whonix_repository

The usage of the whonix_repository tool will be greatly simplified after
this upgrade, because a graphical user interface has been added so it
becomes easier to switch around.

Update and upgrade.

sudo apt-get update
sudo apt-get dist-upgrade

If you want to upgrade from source code:

The tag for this ”’testers-only”’ version is ”’7.7.2”’ (don’t use 7.3.7). Please refer to https://www.whonix.org/wiki/Dev/Build_Documentation and see “Build Documentation for upgrading Whonix debian packages from source code”.

Bonus: this is the first upload of Whonix’s Debian Packages that is
verifiable [1]. If one would care to check if they can get the same
checksums as uploaded to Whonix’s repository, that’ll be awesome.

[1] https://www.whonix.org/wiki/Verifiable_Builds#Verifiable_Whonix_Debian_Packages

Changelog between Whonix 7 and Whonix 7.7.2 (testers-only version):

  • In new installations, automatic updates of Whonix’s debian packages are disabled by default. During first start, users can decide if they want to enable Whonix’s APT repository or want to leave it disabled.
  •  Fixed Whonix’s Tor Browser download and start script for TBB 3.5.
  • Fixed physical isolation build script.
  • Verifiable Builds. Whonix now has a feature which allows the community to check that Whonix .ova releases are verifiably created from project’s own source code. Also made ade Whonix’s APT repository verifiable (even deterministic!). Please see https://www.whonix.org/wiki/Verifiable_Builds for details.
  • Made Whonix build script configurable (can now build terminal-only Whonix-Gateway’s and/or Whonix-Workstations; 64 bit builds and more)
  • Improved Whonix News’s security. All Whonix News Files are now inside one tarball, which is signed. This stops leaking how many users are using a particular version.
  • whonixcheck’s Whonix News download now checks if Whonix News are still valid (currently up to 4 weeks) and therefore detects indefinite freeze and replay attacks.
  • whonix_repository tool now has a graphical user interface; added more command line switches.
  • Set default locale to en_US.UTF-8.
  • Simplified custom user installation of TorChat, thanks to dummytor.(Protecting from Tor over Tor.)
  • Removed apper and synaptic from default installation, because they are too confusing / have too many bugs, do not always work in all cases for all users, #104, can still be manually installed if wanted, see also https://www.whonix.org/wiki/Dev/Automatic_Updates
  • whonixcheck: more configuration options, any function can now be disabled, this is useful for users who wish to disable control port filter proxy, they can disable the check_tor_bootstrap function
  • whonixcheck: added protection against possibly malicious strings from check.torproject.org (in case of a bug, compromise of check.tpo server or CA compromise), IP strings are now max 50 characters long. User will be warned in case the limit is exceeded.
  • Whonix-Workstation: no longer installing Tor Browser by default, this simplified implementing verifiable builds (#113), installing iceweasel by default, which can be used to download Tor Browser, added local iceweasel browser homepage saying that iceweasel should not be used for anything other than downloading Tor Browser, unless one knows what one is doing.
  • Removed galternatives from whonix-workstation-default-applications because galternatives has been (temporarily) removed from Debian testing
  • Building Whonix from frozen repository, from snapshot.debian.org to make the build script more resistant from upstream changes and also to
    make Whonix verifiable.
  • The Whonix Team can now use separate keys for Whonix’s APT Repository and Whonix News.
  • Added technical documentation about keys in Whonix whonix_shared/usr/share/whonix/keys/readme.
  • new man page: man/whonix_shared/sdwdate.8.ronn
  • Deactivated Maximizing Windows by dragging them to the top of the screen to prevent users from accidentally maximizing their browser window when they are using resolutions higher than 1024×768. See https://www.whonix.org/wiki/Higher_Screen_Resolution ;
    https://github.com/Whonix/Whonix/issues/110 and
    https://trac.torproject.org/projects/tor/ticket/7255 for more information. #108
  • added udisks to whonix-shared-packages-recommended for mounting removable drives
  • KDE settings changes, set to oxygen as suggested by scarp in “[Whonix-devel] Plastique kwin style & Widget Style”
  • whonixcheck: increased timeout for the tor bootstrap.py utility from 5 to 10 seconds to make it compatible with slow systems as per bug report https://www.whonix.org/wiki/Special:AWCforum/st/id248/whonixcheck%3A_tor_bootstrap_statu….html
  • added secure-delete, because it contains sfill, which can be used to zero out free space, which is required for disk shrinking
  • Deactivated running update-command-not-found during build, since not deterministic (verifiable). Manually running is of course still possible.
  • whonix_shared/etc/apt/sources.list.d/torproject.list: removed the “deb http://deb.torproject.org/torproject.org tor-0.2.4.x-jessie main” repository, since that repository has been removed by The Tor Project (Tor is now in their Debian testing repository, which is already added)
  • fixed a bug reported by scarp, whonix_shared/usr/share/whonix/postinst.d/70_disable_kdm_autostart: was not disabling other display managers other than kdm. Now using the more generic
    /usr/lib/whonix/display-manager-dpkg-post-invoke.
  • msgcollector: fix race condition not always closing progress bar when it reached 100%
  • Whonix-Gateway: Workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 https://www.whonix.org/wiki/Download#Connection_Issues_-
    _Tor_stops_working_after_an_Upgrade_and_needs_a_Workaround https://www.whonix.org/wiki/Special:AWCforum/st/id287/
    new_tor_and_debian_updates_today….html Set in /etc/default/tor: USE_AA_EXEC=”no” Can be commented out when that bug gets fixed.
  • optionally (opt-in) building qcow2 images, first rudimentary implementation, build target (VirtualBox or qcow2 or both) should probably be configurable in whonix_build script (#122)
  • Whonix News Blog Download / Whonix News: Whonix News Blogs (Whonix Feature Blog and Whonix Important Blog) are now deployed over the same mechanism as Whonix News.
  • Improved messages.
  • Lots of smaller fixes.
  • Code refactoring.
  • For more details, see the git log.

Hosting a Whonix Mirror (New Wiki Entry)

We are making some DNS changes, so the site may be a little broken for a few days. The .onion address should continue to work 100%.

Running a mirror for Whonix can be immensely helpful, but takes some knowledge, proper configuration and adequate resources to be truly useful.

https://www.whonix.org/wiki/Hosting_a_Whonix_Mirror

Other Desktop Environments (New Wiki Entry)

Downloadable Whonix versions come with KDE installed by default. It is possible to uninstall KDE, although doing so is a bit difficult, especially if you want to uninstall all of it and/or to to use a CLI version and/or to install their own desktop environment such as Gnome, LXDE, etc.

Users who build Whonix from source code using Dev/Build Documentation can use optional Terminal-Only build configuration option. And then decide from there.

Read more:

https://www.whonix.org/wiki/Other_Desktop_Environments

Air Gapped OpenPGP Key (New Wiki Entry)

It is recommended to first quickly read this article from top to bottom without taking actions. After you roughly understood how it’s supposed to work, re-read this page and do it step-by-step. Exercise this with test keys first. If that works, consider doing this with your primary keys.

Make backups of your existing GnuPG files ($HOME/.gnupg). Keep them safe. If something goes wrong during the following steps, you may need this to return to a known good place.

You should know how to boot other operating systems than your primary every day operating system from Live DVD and/or other external media such as USB.

Read more:

https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key

Follow

Get every new post delivered to your Inbox.