Building Kicksecure with different Desktop Environment

Apologies, I accidentally posted on Whonix Forums.

Hi everyone,

I’m trying to get Wayland working with Kicksecure/KVM.

Installing a Wayland compositor like sway or labwc in XFCE Kicksecure is not an option, due to the qemu bug which rotates the cursor by 180 degress. This happens with any DE that doesn’t fully integrate Wayland. (sway issue #6581 on git)

Using Kicksecure with LXQT or KDE which have native Wayland support fixes that issue. (already tested with CLI Version)

Can I simply replace or add a few packages in Derivative-Maker to achieve this?

Looks like derivative-maker/packages/kicksecure/kicksecure-meta-packages/debian/control, lists the following meta-packages and their dependencies (containing all xfce packages) which could be changed to install LXQT instead of XFCE:

kicksecure-xfce
kicksecure-desktop-applications-xfce
kicksecure-desktop-environment-essential-xfce
kicksecure-shared-host-xfce
.......etc

For example:

xfce4 > lxqt
mousepad > featherpad
xfce4-terminal > qterminal
....etc

After some more digging the variable dist_build_script_build_dependency in build-steps.d/1200_prepare-build-machine contains all the packages listed in kicksecure-meta-packages/debian/control.

I keep seeing "$@" in 3500_install-packages later on, so I’m assuming some of the packages are passed as an argument to the install functions.

My plan would be to either switch the xfce packages to lxqt in /kicksecure/kicksecure-meta-packages/debian/control or if that’s no good then sed replace them in the variable that holds all install dependencies.

Finally, config stuff seems to be handled by derivative-maker/packages/kicksecure/desktop-config-dist. There I’d just replace /etc/skel/.config xmls with lxqt ones.

Is that pretty much it or am I missing something?

Kind regards

related:
port to Wayland - Development - Whonix Forum

Are you looking for a hacky custom solution or implementing this properly and upstreaming to Kicksecure?

For a proper solution, new meta packages need to be invented and contributed to kicksecure-meta-packages.

Depends on how you intent on upgrading?

  • upgrading from source code: OK
  • upgrade from remote repository: changed packaging will get reverted on upgrades

Probably the easiest for hacky custom solutions… Written just now:
Custom Packages

That’s build host dependencies. That’s not installed packages inside images.

Ignore that. "$@" isn’t used and should probably be removed to avoid confusion.

I would suggest additional configuration files instead of changing exiting ones which don’t do harm.

1 Like

Hello, thanks for the reply.

I read the entire code again and things are getting clearer now. :face_with_peeking_eye:

Probably the easiest for hacky custom solutions… Written just now:
Custom Packages

Thanks, so flavor_meta_packages_to_install is defined in help-steps/variables and (among other variables) called with source, which is used in every build step. (That took me a while to see)

Are you looking for a hacky custom solution or implementing this properly and upstreaming to Kicksecure?

For the hacky solution I’d just follow your suggestion with flavor_meta_packages_to_install="kicksecure-cli-vm" (or exclude specific xfce packages via dist_build_script_skip_package_install) and install the new lxqt packages with pkg_install_list=lxqt-pkg1 lxqt-pkg2.....

I’d be happy to help if you guys are interested in kicksecure-lxqt meta-packages.
I already started replacing all the dependencies in the control file before.

Those should be the new ones (if I didn’t miss anything):

kicksecure-lxqt, kicksecure-desktop-applications-lxqt, kicksecure-desktop-environment-essential-lxqt, kicksecure-lxqt-host, kicksecure-lxqt-vm, kicksecure-shared-host-xfce`

Minimal LXQT is probably superior to XFCE in terms of resource requirements anyway and Wayland support is a nice bonus.

I read build-steps.d/3500_install-packages a bunch of times but couldn’t find a function that “installs” all the stuff from derivative-maker/packages/kicksecure/*. Where does this actually happen?

For example, 3500_install-packages install_packages() function copies the apt binary directly from that directory, but 4300_run-chroot-scripts-post-d already expects /usr/libexec/initializer-dist/chroot-scripts-post.d to be there from the initializer-dist package.

How does the whisker menu compare to the menu that LXQT uses?
I like xfce due to its lightweightness but I do not like the whisker menu compaired to other DE application menus.

The menu is pretty similar I believe, but lxqt is lighter both in terms of resources and dependencies. Using live-build you can generate a working bookworm iso <450MB with a minimal lxqt DE.

It requires more pre-configuration though. The defaults don’t look great and can be a bit unintuitive.

A pull request introducing a LXQt meta package(s) would be welcome.

It does not happen at all. It’s possible to add packages to the packages folder, which are built, but never installed, which is quite useful to maintain opt-in packages and during development.

  • VM builds: “Mostly” install-packages build-step decides what packages are installed. Ideally, it would be the meta package only, but that isn’t possible. (Image creation is complicated. [1]) So that script is the primary reference only.
  • ISO builds: Unfortunately work different. See create-lb-iso build-step.

Right. So if no meta package would Depends: initializer-dist and if that package was not hardcoded in above script, then that would break.

There’s no “auto install all packages built from the packages folder” and there’s no need for that either.


[1] Development of System Image Creation and Bootstrapping Tools

A pull request introducing a LXQt meta package(s) would be welcome.

I wanna be sure everything is perfect before making a pull, but I think something like that could be nice.

kicksecure-desktop-environment-essential-lxqt only pulls in lxqt-core openbox which is the absolute bare minimum.

This package depends on kicksecure-desktop-environment-essential-gui, so that’s regular x11 + openbox.

Then there is the new kicksecure-desktop-environment-essential-gui-wayland which skips all the xorg/x11 packages, installs drivers and a basic Wayland environment.

Finally, kicksecure-desktop-environment-essential-lxqt-wayland again installs lxqt-core but instead depends on kicksecure-desktop-environment-essential-lxqt-wayland

The new lxqt-wayland-session code only comes in lxqt-core 32 which is currently available under trixie, but not bookworm (lxqt-core 31). I’m sure derivative-maker can use apt pinning to give those lxqt packages a higher priority under trixie. (Gonna add that too if needed)

It does not happen at all. It’s possible to add packages to the packages folder, which are built, but never installed, which is quite useful to maintain opt-in packages and during development.

I carefully looked into 2100_create-debian-package and have a question. Particularly, create_derivative_distribution_debian_packages()

The first for loop iterates over $derivative_name_list which is either kicksecure, whonix or both, depending on what is set in help-steps.d/variables.

The second for loop runs through $pkg_list, which should hold all the local package names in packages/kicksecure/* but is not defined anywhere. I double checked, it’s not in help-steps.d/variables, help-steps.d/pre or the script itself.

Thus, the second loop should only run once, $item remains .../derivative-maker/packages/kicksecure and pushd doesn’t actually save any useful paths.

So why does genmkfile not fail later on when the packages are built?

 for derivative_name_item in $derivative_name_list ; do
      for item in $pkg_list ; do
         item="$source_code_folder_dist/packages/$derivative_name_item/$item"
         if [ ! -d "$item" ]; then
            true "INFO: Not a folder: $item"
            continue
         fi
         pushd "$item" >/dev/null
         number_folder_current="$(( number_folder_current + 1 ))"
         local base_name
         base_name="${item##*/}"
         if [ "$base_name" = "developer-meta-files" ]; then
            true "${cyan}INFO: Skipping $base_name as expected.${reset}"
            popd
            continue
         fi

Edit: My bad the loop works, I just wasn’t looking carefully, enough.

pkg_list is defined in derivative-maker/buildconfig.d/30_pkg_list.conf. Not sure if that answers your exact question or not since I’m moving a bit too fast, but it might help.

1 Like

Hi, yes I missed a bunch of stuff there. :face_with_peeking_eye:

Hi friend. I also think kicksecure should move to wayland. I use kicksecure-cli-host on kde plasma and it works great. except for sleep mode, I have not seen any bugs in a long time. LXQT would be a perfect environment for default kicksecure. XFCE is too far behind in implementing wayland

There’s a ticket for Wayland (port to Wayland - Development - Whonix Forum) and it’s planned when porting Kicksecure to the next major stable version of Debian (trixie), once available.

A pull request could be constructed as if Kicksecure was already based on trixie, because then once trixie is available, this would be implemented sooner.

LXQT would be a perfect environment for default kicksecure. XFCE is too far behind in implementing wayland.

Yeah, development efforts there have been on steroids lately. I too set it up with kicksecure-cli. You can already produce working Wayland builds with derivative-maker this way.

In the other post Patrick suggested Wayfire which works well, too. I personally went with labwc because it’s closest to openbox and recommended on the lxqt wiki, but they list a bunch of compatible compositors.

A pull request could be constructed as if Kicksecure was already based on trixie, because then once trixie is available, this would be implemented sooner.

I just submitted one in kicksecure-meta-packages.

A post was split to a new topic: Trixie repository

Actually, lxqt-core 32 is not even necessary. Scripts for lxqt-wayland-session are available for pretty much all the prominent Wayland compositors out there.

With this lxqt wayland meta-packages on bookworm could be possible if time permits.