Hi
is kicksecure-qubes-server required after the installation is done?
I used sudo apt install --no-install-recommends kicksecure-qubes-server and after completion - sudo apt purge tor -y and it deleted the kicksecure-qubes-server
please clarify. I don’t recall the same behavior with clipackage on prev version
It is. In Kicksecure 18, that is the primary metapackage for CLI installations of Kicksecure on Qubes OS. If it isn’t installed, future software updates may be incomplete.
You probably shouldn’t do this. Tor is preinstalled so that sdwdate-gui will work. This is necessary to get a securely synced system clock, which is useful to ensure things like SSL work correctly.
Yes, this is intended behavior. If you remove a package Kicksecure depends on, the metapackage will go away. If there is a package that is truly superfluous, you can use dummy-dependency to remove it, but in many instances packages that are depended upon (either directly or indirectly) by a metapackage like kicksecure-qubes-server are there for a reason and shouldn’t be removed.
Even after the-serverpackage is removed, the -cli is still present though.
The thing is, I want to use kicksecure without tor. And previously there was no issue with that. Why is this all of a sudden the case? Why the heck is -server package removed if it’s indeed necessary just because I don’t wanna use tor?
And yes, sdwdate isn’t necessary for me(AFAIK) because I use clear net, so it removed this too.
I need a certain clarification on this matter please.
This has unfortunately always been the case. Full user documentation and technical background:
For information on the removal of the tor package on Kicksecure specifically, see:
How do I use kicksecure without Tor then? I remember some time ago(maybe a year or a two, not sure) you said it was ok to purge tor and I used it like that. Was that wrong then???
Yes. Tor has always been an essential part of Kicksecure, and removing it, even if it seems to work, will reduce the security of the system.
The -cli metapackages are part of Kicksecure’s metapackage system but are not primary metapackages. They depend on bits of Kicksecure that are shared between both “server” and GUI installations. Having them installed is not enough to ensure updates always work. More details on how the metapackages in Kicksecure 18 work is at:
I really don’t get it. Why the heck then in the docs it gives a clear impression that kicksecure can be used with clearnet then???
There’s a slight misunderstanding here I think.
Yes. Elaborated here:
See link in my previous post.
It is possible. Because Kicksecure is based on Debian and there No Intentional User Freedom Restrictions. Hence, Kicksecure can be reconfigured.
Yes, I actually recall something like that from previous discussions/questions.
So if I don’t wanna use sdwdate and I use updates without the tor+, then I do may use purge tor and still benefit from the rest of the kicksecure security/privacy features - please confirm this if this is correct.
So, then when -server package is being deleted I still keep all of the rest security/privacy benefits that kicksecure provides - correct?
If you really want to get rid of Tor, you should not apt purge it. Use dummy-dependency to remove it instead:
sudo dummy-dependency --purge --yes tor
That will remove Tor without removing kicksecure-qubes-server. Once that command is run, you should run sudo apt install kicksecure-qubes-server to ensure that software updates continue working in the future.
Unfortunately no, since sometimes new security enhancements require the installation of new packages, and without kicksecure-qubes-server, those might not get installed automatically. The workaround above will let you keep the metapackage without keeping Tor.
But it’s not simply just tor, it’s also the sdwdate and many other little things that in combine bring lots of issues. I mean, if it’s a main system there would be no issue, but I’m running multiple qubes and the the resources are limited.
There are many situations where tor simply not needed at all for me, not its related things. Obviously I have kicksecure template with tor as well.
So if I do wanna remove it - there’s simply no way to do it(with keeping up with updates etc)???
You can use dummy-dependency to remove those too.
Not a simple way, but as explained above there is a way. dummy-dependency can be used to remove anything even if other packages depend on it. Anything you consider unnecessary, you can remove, including tor, sdwdate, etc. It might cause other things that depend on a remove component to malfunction, but if that occurs, you can reinstall the component in question (or uninstall the malfunctioning components). For instance, removing sdwdate will cause issues with sdwdate-gui, but you can remove sdwdate-gui too.
There have been requests to create a minimal variant of Kicksecure, but the demand isn’t high enough for us to commit to maintaining it (it would likely entail at least another seven images to support, maybe more).
I appreciate you help and effort, thank you so much!
By the way, is there a way to check the integrity of kicksecure implementation after the installation process? I couldn’t find it before and now tried to search for it with no good results either. (The cat /etc/*_version shows versions anyways. even without -server package.) Not a simple package check list, but things that were implemented, if they currently done or undone for whatever reason(malfunction of some kind etc).
Nice. Thank you both for helping