-------- Original Message -------- Subject: [tor-talk] Whonix Anonymous Operating System Version 8 Released! Date: Thu, 27 Feb 2014 22:06:23 +0000 From: Patrick Schleizer <adrelanos@riseup.net> Reply-To: tor-talk@lists.torproject.org To: tor-talk@lists.torproject.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. Download Whonix for VirtualBox ############################## https://www.whonix.org/wiki/Download Download Whonxi for KVM / Qemu ############################## Experimental. See below. Users of Whonix 7 and below ########################### There is no upgrade path from Whonix 7 to Whonix 8, sorry. You have to manually download new Whonix images. Call for Help ############# - - If you know shell scripting (/bin/bash) and linux sysadmin, please join us! There are plenty of ways to make Whonix safer. - - We are also looking for a download mirros. - - For https://www.whonix.org we need some help with css, html, mediawiki, wordpress, webdesign. Download Whonix for KVM / Qemu ############################## Entirely untested! This is only useful if you have a developers mindset! This is the first time .qcow2 images are available (as .tar.gz, qcow2 image must be unpacked): http://sourceforge.net/projects/whonix/files/current/8/ We have unfinished(!) instructions for KVM: https://www.whonix.org/wiki/KVM There are still a few blockers before using Whonix with KVM can be considered sane: https://www.whonix.org/wiki/Dev/KVM Please help out solving them. Whonix also needs a maintainer to support using Whonix with KVM. If you want to upgrade existing Whonix version using Whonix's APT repository ################################################################ Sorry, upgrading from existing Whonix version (0.5.6, 7, etc.) to Whonix 8 is not be possible. Updating from the previous testers-only version 7.7.8.6 or 7.7.9.8 should be possible when you have Whonix's (stable) APT repository enabled. See: https://www.whonix.org/wiki/Whonix-APT-Repository (Whonix 7.7.9.8 is the same version as Whonix 8, just a different version number.) If you want to upgrade existing Whonix version from source code ############################################################### Sorry, upgrading from existing Whonix version (0.5.6, 7, etc.) to Whonix 8 is not be possible. Updating from the previous testers-only version 7.7.8.6 or 7.7.9.8 should be possible, see: https://www.whonix.org/wiki/Dev/BuildDocumentation_8_deb (Whonix 7.7.9.8 is the same version as Whonix 8, just a different version number.) If you want to build images from source code ############################################ See https://www.whonix.org/wiki/Dev/BuildDocumentation. Physical Isolation users ######################## See https://www.whonix.org/wiki/Physical_Isolation. Changelog between Whonix 7 and Whonix 8 ####################################### * Whonix is now based on Debian stable instead of Debian testing. * In new installations, automatic updates of Whonix's debian packages are disabled by default. During first start, users can decide if they want to enable Whonix's APT repository or want to leave it disabled. * Fixed Whonix's Tor Browser download and start script for TBB 3.5. * Fixed physical isolation build script. * Verifiable Builds. Whonix now has a feature which allows the community to check that Whonix .ova releases are verifiably created from project's own source code. Also made ade Whonix's APT repository verifiable (even deterministic!). Please see https://www.whonix.org/wiki/Verifiable_Builds for details. * Made Whonix build script configurable (can now build terminal-only Whonix-Gateway's and/or Whonix-Workstations; 64 bit builds and more) * Improved Whonix News's security. All Whonix News Files are now inside one tarball, which is signed. This stops leaking how many users are using a particular version. * whonixcheck's Whonix News download now checks if Whonix News are still valid (currently up to 4 weeks) and therefore detects indefinite freeze and replay attacks. * whonix_repository tool now has a graphical user interface; added more command line switches. * Set default locale to en_US.UTF-8. * Simplified custom user installation of TorChat, thanks to dummytor. (Protecting from Tor over Tor.) * Removed apper and synaptic from default installation, because they are too confusing / have too many bugs, do not always work in all cases for all users, #104, can still be manually installed if wanted, see also https://www.whonix.org/wiki/Dev/Automatic_Updates * whonixcheck: more configuration options, any function can now be disabled, this is useful for users who wish to disable control port filter proxy, they can disable the check_tor_bootstrap function * whonixcheck: added protection against possibly malicious strings from check.torproject.org (in case of a bug, compromise of check.tpo server or CA compromise), IP strings are now max 50 characters long. User will be warned in case the limit is exceeded. * Whonix-Workstation: no longer installing Tor Browser by default, this simplified implementing verifiable builds (#113), installing iceweasel by default, which can be used to download Tor Browser, added local iceweasel browser homepage saying that iceweasel should not be used for anything other than downloading Tor Browser, unless one knows what one is doing. * Removed galternatives from whonix-workstation-default-applications because galternatives has been (temporarily) removed from Debian testing * Building Whonix from frozen repository, from snapshot.debian.org to make the build script more resistant from upstream changes and also to make Whonix verifiable. * The Whonix Team can now use separate keys for Whonix's APT Repository and Whonix News. * Added technical documentation about keys in Whonix whonix_shared/usr/share/whonix/keys/readme. * new man page: man/whonix_shared/sdwdate.8.ronn * Deactivated Maximizing Windows by dragging them to the top of the screen to prevent users from accidentally maximizing their browser window when they are using resolutions higher than 1024x768. See https://www.whonix.org/wiki/Higher_Screen_Resolution ; https://github.com/Whonix/Whonix/issues/110 and https://trac.torproject.org/projects/tor/ticket/7255 for more information. #108 * added udisks to whonix-shared-packages-recommended for mounting removable drives * KDE settings changes, set to oxygen as suggested by scarp in "[Whonix-devel] Plastique kwin style & Widget Style" * whonixcheck: increased timeout for the tor bootstrap.py utility from 5 to 10 seconds to make it compatible with slow systems as per bug reporthttps://www.whonix.org/wiki/Special:AWCforum/st/id248/whonixcheck%3A_tor_boo... * whonixcheck: Whonix News File is now deterministic * whonixcheck: Whonix News added timeout for gpg and tar * added secure-delete, because it contains sfill, which can be used to zero out free space, which is required for disk shrinking * Deactivated running update-command-not-found during build, since not deterministic (verifiable). Manually running is of course still possible. * whonix_shared/etc/apt/sources.list.d/torproject.list: removed the "deb http://deb.torproject.org/torproject.org tor-0.2.4.x-jessie main" repository, since that repository has been removed by The Tor Project (Tor is now in their Debian testing repository, which is already added) * fixed a bug reported by scarp, whonix_shared/usr/share/whonix/postinst.d/70_disable_kdm_autostart: was not disabling other display managers other than kdm. Now using the more generic /usr/lib/whonix/display-manager-dpkg-post-invoke. * msgcollector: fix race condition not always closing progress bar when it reached 100% * Whonix-Gateway: Workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 https://www.whonix.org/wiki/Download#Connection_Issues_-_Tor_stops_working_a... https://www.whonix.org/wiki/Special:AWCforum/st/id287/new_tor_and_debian_upd... Set in /etc/default/tor: USE_AA_EXEC="no" Can be commented out when that bug gets fixed. * optionally (opt-in) building qcow2 images, first rudimentary implementation, build target (VirtualBox or qcow2 or both) should probably be configurable in whonix_build script (#122) * Whonix News Blog Download / Whonix News: Whonix News Blogs (Whonix Feature Blog and Whonix Important Blog) are now deployed over the same mechanism as Whonix News. * Whonix-Workstation: better implementation of dummytor using config-package-dev (might break compatibility with Whonix 7) * removed adrelanos' old key; removed whonix_shared/usr/share/whonix/postinst.d/70_legacy (breaks compatiblity with Whonix 7) * Re-implemented uwt and dummytor using config-package-dev instead of custom dpkg-diversions. Breaks compatibly with Whonix 7. * Removed rawdog and pandoc since no longer required. * moved misc scripts (Scripts for managing Whonix's offical repository and Whonix News; debug scripts; developer documentation and deprecated code) to https://github.com/Whonix/whonix-developer-meta-files * whonixcheck: do not show output of gpg for Whonix News verification * whonixcheck: do not start whonixcheck, if whonixsetup hasn't finished yet * whonixcheck: new --verbose / --debug options * whonixcheck: Check that /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/ip_forward aren't set to 1 to prevent users from shooting their own feet. * whonixcheck: Whonix News can now optionally be signed with two keys, as long as either one is still valid, will be accepted * whonixcheck: whonix_shared/etc/init.d/whonixcheckd: on stop, give whonixcheck time to gracefully shut down so it can close any still eventually open progress bars * whonixcheck: fix, exit cleanly (close progress bar) when killed by other instance of whonixcheck * whonixsetup: start whonixcheck at the end of whonixsetup on Whonix-Workstation * torbrowser: hide output of gpg import; ask "Start Tor Browser yes/no" after upgrading" * torbrowser: added timeout to gpg to prevent endless data attacks * torbrowser/whonixcheck: alternative method detecting locally installed Tor Browser version. When $tbb_folder/Docs/version does not exist, i.e. when the user manually downloaded Tor Browser, try to detect version number from ~/tor-browser_en-US/Docs/sources/versions.; comment * desktop: higher resolution icons for whonix_repository, whonixcheck, contribute and donate, whonix gateway firewall, tb recommend, important blog and torbrowser * ram adjusted desktop starter: fixed lightdm (/usr/sbin/...) auto detection * qcow2 images: added metadata preallocation * qcow2 images: added "-o cluster_size=2M" to "qemu-img" for better performance * build script: fix "sudo: unable to resolve host debian" * build script: added --no-options to gpg to avoid conflict with user's gpg config files * build script: added benchmarking * build script: whonix_build_both: support extra parameter * build script: got rid of grml_config by using grml-debootstrap's new environment variables feature * build script: skip backup-img-after-grml-debootstrap and backup-img-after-meta-package-install build steps by default, can be re-enabled by builder * build script: allow running build-steps.d/2400_convert-img-to-qcow2 without root * build script: improved error handling, when error is detected, wait until builder presses enter before cleanup and exit to make it simpler to read error messages when building in cli * build script: fixed update-locale bug build script: Avoiding "perl: warning: Setting locale failed." as suggested on https://wiki.ubuntu.com/DebootstrapChroot and https://lists.debian.org/debian-amd64/2005/08/msg00249.html by setting export LANG="C" * verifiable builds: new build step build-steps.d/2350_cleanup; Get rid of /dev folder inside the vm image. This is only required for verifiable builds. Otherwise this could be skipped. For example, "sudo sha512sum /dev/xconsole" or "sudo sha512sum /dev/initctl" would run forever. The /dev folder gets recreated by the kernel upon first boot. * Improved messages. * Lots of smaller fixes. * Code refactoring. * For more details, see the git log. -----BEGIN PGP SIGNATURE----- iQJ8BAEBCgBmBQJTD7beXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2RTk3OUIyOEE2RjM3QzQzQkUzMEFGQTFD QjhENTBCQjc3QkIzQzQ4AAoJEMuNULt3uzxIU9oP/22e7sqG07qwTywxpfA0UVX/ QLtJ5i4KBJIoJUk7VWgt63r6dFlFkWIWD5EGn/CC4OywS/9DPNHA+lgrzJQdSZe2 NduB2cSihcewkxI2Mjb1X+VFcw3okzAokDrZ9EMblWHKjhlunBeoQmfGj9oCKc4p LCebZChFF0vAebk71hBMVcafgQEciHKx4KJKUsJQ+Dmhcbfa3Elba5QM5wKw6Whh DlqRUJ0UM+x/SQ/3dwIE5vMWdf1tj11q6P7BeJN7XUWf68FX0f1Zy/r8JtWwEt8q 5ZN9JXcGO/SAZdzFUvrhMCj93l/uBzTeC595mqLOkP8d700ofg1dVOnDdy1eiwh9 /uGJ+H7983te90WnkHnu8NTBfqwfi/ZmNNR+LBnNVxBUywXQaaUWCTgdHCx59CI9 hs9Wl5wxNLmeRbBvRCCbjNSir+1wbtKCeSb8NTBrsWOqyN/tIioN4vnoA33ls5tq HYxFNdMkaLAsSb6pO/b9oIs2EeXUL8t/E1mc9Jr3H7nkm5FbE+9sClugod+PPXL8 RiGU0o/XiVU/aaT+7iVAaTF7z8wlXFTTsQ1V6/FgsRAAVy9dKJQriPTY+bPcJhLZ 1z+VaTRcxXA+rCSM9VeBBYg1lzFevJP7ExH5y6cFgE8DBLPUtXG5cCISGZFS0A0x NzmZy2053AFzuPNAu5WC =JQiF -----END PGP SIGNATURE----- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
participants (1)
-
Griffin Boyce