Download Kicksecure for VirtualBox:

This is a point release.

Upgrade

Alternatively, in-place release upgrade is possible upgrade using Kicksecure repository.

This release would not have been possible without the numerous supporters of Kicksecure!

Please Donate!

Please Contribute!

Major Changes

• usrmerge
• anon-apt-sources-list:
  • allows only installation of Flatpak applications that are both, verified publishers and floss (Freedom Software) this is equivalent to the flatpak --subset=verified_floss option
  • enable Flathub repository by default /etc/flatpak/remotes.d/flathub.flatpakrepo source: https://flathub.org/repo/flathub.flatpakrepo FlatPak as a Software Source / flathub as a source of software - Development - Whonix Forum
• apparmor-profile-torbrowser:
  • Cannot Upload Files with Tor Browser - AppArmor Issue - Support - Whonix Forum fix uploads
  • fontconfig fix
• grub-live:
  • check if a supported initrd generator is installed before adding a live mode boot menu entry
  • fix detection if initramfs-tools is installed Updating Kicksecure to 17.1.1.5 breaks grub-live Thanks to kivk for the bug report!
• helper-scripts:
  • improved vanguards integration
  • improved str_replace
• kicksecure-meta-packages:
  • add usrmerge to kicksecure-dependencies-cli
• legacy-dist:
  • set no longer required packages for auto removal apt-mark manual: pulseaudio-qubes, pulseaudio-utils, pulseaudio
• libvirt-dist:
  • use template files for utm configs with ARCH and TARGET (Thanks to GavinPacini!)
  • Merge branch ‘master’ into feat/utm-intel-amd64 (Thanks to GavinPacini!)
  • fix GPU usage and Kicksecure UTM configs (Thanks to GavinPacini!)
  • upgrade UTM configs and add configs for Intel_AMD64 (Thanks to GavinPacini!)
• ram-wipe:
  • run inside VMs by default for simplified testing
• security-misc:
  • Create proc group on install Fixes `proc-hidepid.service` fails if proc user does not exist · Issue #210 · Kicksecure/security-misc · GitHub (Thanks to wryMitts!)
  • proc-hidepid.service add gid=proc This allows users that are a member of the proc group to be excluded from hidepid protections. `proc-hidepid.service`: Fixing Systemd related issues · Issue #208 · Kicksecure/security-misc · GitHub
  • fix panic-on-oops started every 10s in Qubes-Whonix by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach Thanks to @marmarek for the bug report! panic-on-oops started every 10s - Qubes-Whonix - Whonix Forum
  • hide-hardware-information.service
    • Add option to disable /sys hardening (Thanks to Daniel Winzen!)
    • Allow access to /sys/fs for polkit (Thanks to Daniel Winzen!)
  • Remove hardcoded spec_rstack_overflow setting (Thanks to raja-grewal!)
  • Control RAS overflow mitigation on AMD Zen CPUs (Thanks to raja-grewal!)
  • Enable mitigations for RETBleed vulnerability and disable SMT (Thanks to raja-grewal!)
  • Enable known mitigations for CPU vulnerabilities and disable SMT (Thanks to raja-grewal!)
  • Add reference for kernel parameters (Thanks to raja-grewal!)
  • use interest-noawait instead of interest-await fixes automatic trigger of permission-hardener after APT package installation broken · Issue #196 · Kicksecure/security-misc · GitHub
  • use wildcards instead of outdated, incomplete list RPM packaging · Issue #160 · Kicksecure/security-misc · GitHub
  • run permission hardener when new packages are install files to /usr or /opt (basically anywhere) fixes run permission-hardener after APT package installation · Issue #189 · Kicksecure/security-misc · GitHub
  • README
  • update permission-hardener.service Which is now only an additional opt-in systemd unit, because permission-hardener is run by default at security-misc package installation time. Clean permission-hardener by ben-grande · Pull Request #181 · Kicksecure/security-misc · GitHub
  • delete legacy folder /etc/permission-hardening.d if empty Clean permission-hardener by ben-grande · Pull Request #181 · Kicksecure/security-misc · GitHub
  • undo IPv6 privacy due to potential server issues MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub
  • revert umask 027 by default because broken because this also happens for root while it should not Restrict umask to 027 except for sudo/root broken · Issue #185 · Kicksecure/security-misc · GitHub
  • disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub
  • Clarify validity of disabling io_uring (Thanks to Raja Grewal!)
  • SUID Disabler and Permission Hardener improvements (Thanks to Ben Grande!)
  • Disable asynchronous I/O io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. (Thanks to Raja Grewal!)
• swap-file-creator:
  • skip on ISO
  • fix VM detection to disable hibernation swap file size calculation considerations inside VMs
• tb-starter:
  • add support for mullvad browser (Thanks to fyqwbdzsfjh!)
• tb-updater:
  • fix: no longer hardcode user “user” in Qubes
  • use qubesdb-read /default-user to get Qubes default user name
  • run /usr/libexec/tb-updater/tb-permission-fix in Qubes Template and App Qube to fix potential race condition
  • improve arm64 support (Thanks to GavinPacini!)
  • fail open by default inside chroot when Tor Browser cannot be installed
• usability-misc:
  • Linux VirtualBox Installer:
    • find out local usability-misc package version
    • Partial fix for locale support (Thanks to grass!)
    • fix detection of how many packages require upgrading ["SOLVED" i suppose] Debian 12 whonix-xfce-installer-cli reports packages can be upgraded although already upgraded - non-English language bug - Support - Whonix Forum
    • Replace --destroy-all for --import-only=both (Thanks to grass!)
    • Remove inconsistent .vbox state when asked (Thanks to grass!)
    • avoid starting duplicate VirtualBox GUI if already running
    • replace --reimport with --destroy-existing-guest
    • If package upgrades are available allow proceeding anyhow if using --noupdate.
• vm-config-dist:
  • fix /etc/profile.d scripts be silent, do not output stderr in case systemd-detect-virt writes to stderr as this can break Qubes UpdatesProxy hide-hardware-information.service running in sys-whonix breaks APT and update-torbrowser - Qubes-Whonix - Whonix Forum
• derivative-maker:
  • improve git submodule fetching
  • sanity test: error out when attempting to build --target virtualbox on an architecture unsupported by VirtualBox
  • improve multiple architecture support
  • lower debugging
  • disable Qubes notify hook on build machine
  • start using safe-rm
  • implement deletion for --target utm
  • utm: add tar options towards reproducible builds
  • consistently set /etc/hostname to localhost during base image creation
  • fix: ISO: set Kicksecure /etc/hostname consistently to localhost Kicksecure /etc/hostname /etc/hosts - Development - Whonix Forum
  • add /etc/hostname sanity test
  • allow creation and use of cached raw image to speed up the build
• CI:
  • Replace deprecated DigitalOcean api key for automated builder (Thanks to Rob Stringer!)
  • work towards trim support use VBoxManage storageattach with --nonrotational=on --discard=on Auto-trimming Workstation to shrink disk usage - Support - Whonix Forum

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/17.1.1.5-developers-only…17.1.3.1-developers-only