Download

(What is a point release?)

Upgrade

Alternatively, in-place release upgrade is possible upgrade using Kicksecure repository.

This release would not have been possible without the numerous supporters of Kicksecure!

Please Donate!

Please Contribute!

Major Changes

• Kicksecure Live ISO and Installer available for testers.
• grub-live:
  • fix detection of initramfs-tools versus dracut
• vm-config-dist:
  • /etc/profile.d/20_power_savings_disable_in_vms.sh: hide output in SSH login shell by no longer using subshell
• desktop-config-dist:
  • improve livecheck symbols and output
    • Keep showing info symbol when using persistent mode.
    • Show green filled circle symbol and text “live” in grub-live mode but without read-only. No longer showing a scary warning symbol.
    • Show CD symbol and text “ISO” when using ISO but without read-only mode.
    • Show green checkmark symbol and text “read-only” if using read-only mode.
    • Fix icon resolution. (Thanks to Ben Grande!)
• helper-scripts:
  • added new script append-once:

    • Usage: /usr/bin/append-once 'line to append' /path/to/file

• kicksecure-meta-packages:
  • add to kicksecure-recommended-cli: pcmciautils, usbutils, eject
  • add to kicksecure-shared-host-xfce: laptop-detect, discover
  • Revert “install auditd by default” because it adds too many messages to systemd journal
  • add msgcollector-gui, icon-pack-dist to kicksecure-shared-host-xfce
• kicksecure-network-conf:
  • install wireless-tools by default
• KVM
  • /dev/urandom → /dev/random (as per Entropy, Randomness, /dev/random vs /dev/urandom, Entropy Sources, Entropy Gathering Daemons, RDRAND)
  • Upgraded XML Files machine to q35 chipset (Thanks to @HulaHoop!)
  • KVM image building and signing is now done by Patrick. (signed message by HulaHoop)
• live-config-dist:
  • change grub boot menu text “ISO” → “Live ISO”
  • remove sources-media module because this runs apt-get update which times out after 500 seconds if there is no network connection during the installer This is to speed up installation when no network has been set up.
  • added a configuration file comparison helper (diff-helper)
  • fix, no longer set efiBootloaderId: “debian” to avoid conflict with Debian installations on internal hard drive when installing Kicksecure to an external hard drive
  • add firmware menu entry to grub ISO boot menu on EFI systems
  • change Live ISO background image
  • Fix icon path not being recognized (Thanks to grass!)
  • Use lock icon for Calamares installer (Thanks to grass!)
  • Add ISO and version number to boot menu of ISO
  • allow running the Calamares Installer without password
• ram-wipe:
  • fixed additional kexec based ram-wipe when Secure Boot is enabled
• repository-dist:
  • improve error message in case of missing dependencies
• sdwdate:
  • Update onion sources (Thanks to TNT BOM BOM!)
• security-misc:
  • fix(etc): delete typo in /etc/apparmor.d tunables /etc/pam.d was present twice in a row (“/etc/pam.d//etc/pam.d”) in this file: /etc/apparmor.d/tunables/home.d/security-misc. (Thanks to Ashlen!)
  • add `/etc/gitconfig` for better git security · Issue #225 · Kicksecure/security-misc · GitHub
  • Update README.md (Thanks to raja-grewal!)
  • Update Copyright (C) to 2024 (Thanks to Raja Grewal!)
  • Disable firewire-net module (Thanks to raja-grewal!)
  • Disable GPS modules like GNSS (Thanks to raja-grewal!)
  • Revert logging of martians (Thanks to raja-grewal!)
  • RFDS mitigation on Intel Atom CPUs (including E-cores) (Thanks to raja-grewal!)
  • GDS mitigation for CPUs (Thanks to raja-grewal!)
  • Clarify use of mitigations=auto (Thanks to raja-grewal!)
  • Add reference for RETBleed (Thanks to raja-grewal!)
  • Add reference for SSB (Thanks to raja-grewal!)
  • Merge spectre mitigations (Thanks to raja-grewal!)
  • Update BHI mitigation reference (Thanks to raja-grewal!)
  • BHI mitigation on Intel CPUs (Thanks to raja-grewal!)
  • no longer disable MSR by default fixes allow MSR kernel module being load / move from security-misc to vm-config-dist · Issue #215 · Kicksecure/security-misc · GitHub
• setup-wizard-dist:
  • change label from “Finish” got “OK”
  • do not run systemcheck if cancel button has been pressed
  • improve finish page to add default credentials
• swap-file-creator:
  • skip output if live mode is detected and not creating a swap file
• usability-misc:
  • Kicksecure VirtualBox Installer for Linux
    • fixed Debian sid support (Thanks to grass!)
    • fixed Kali support (Thanks to nyxnor!)
    • script improvements (Thanks to grass!)
    • add support for non-US system languages (Thanks to grass!)
    • improve Secure Boot enabled test
    • check if VMs exist before and after condition based VM deletion decision
    • Run CI with non-English locale (Thanks to grass!)
• derivative-maker:
  • separate deletion step no longer needed by making derivative-maker build process idempotent
  • started use of safe-rm
  • build VirtualBox VMs under dedicated dm-vbox-temp user to avoid the user needing to delete VirtualBox VMs before building for simplification
  • introduce dist_build_redistributable=true (set by help-steps/dm-build-official)
    • Enable binary derivative repository by default for official builds. Same as: ‘–repo true’
  • add --target source to support creation of a xz source archive
  • --target windows: download VirtualBox Windows installer exe from virtualbox.org
  • create local /etc/hostname on build host if it does not exist because mmdebstrap file /etc/hostname to exist
  • remove version number from libvirt xml files for code simplification
  • remove no longer needed options --flavor kicksecure-xfce-host and --flavor kicksecure-cli-host selecting --flavor kicksecure-xfce and --flavor kicksecure-cli will suffice to choose the correct flavor_meta_packages_to_install based on the --target option
  • fix --target raw --flavor kicksecure-xfce-host
  • CI improvements (Thanks to Rob Stringer!)
  • install the firmware-nonfree (from kicksecure-meta-packages) by default
    • for host builds assume --freedom false by default
    • by using --freedom true the user can opt-out from installing firmware-nonfree
    • see also:
      • Non-Freedom Firmware and Drivers
      • Whonix host - nonfree blobs - firmware-linux-nonfree - Development - Whonix Forum
  • automate installation dependencies required for derivative-maker
  • add content files for apt-file

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/17.1.3.1-developers-only…17.2.0.1-developers-only