Kicksecure 17.2.3.7 - Point Release!

Download

(What is a point release?)


Upgrade

Alternatively, an in-place release upgrade is possible using the Kicksecure repository.


This release would not have been possible without the numerous supporters of Kicksecure!


Please Donate!


Please Contribute!


Major Changes

  • ISO (live-config-dist) improvements (Thanks to @ArrayBolt3!):

  • VirtualBox:

  • KVM (libvirt-dist):

  • desktop-config-dist:

    • Improved the livecheck systray (converted tooltips to dialog) (Thanks to Ben Grande!).
  • dist-base-files:

    • Only perform the following actions when run by derivative-maker:
      • Creation of user user.
      • Set empty password (passwordless) for user user.
      • Adding default groups to user user.
      • Enable console-lockdown.
      • Fix locking of root account.
      • Skip creation of user user.
        • These actions are skipped when using distribution morphing.
  • grub-live:

    • Researched, commented on port to overlayfs in time for Debian Trixie (Thanks to @ArrayBolt3).
  • kicksecure-meta-packages:

    • Add xdg-desktop-portal(-gtk) (Thanks to @ArrayBolt3!).
    • No longer install alsa-utils by default.
    • Add accountservice to kicksecure-desktop-environment-essential-xfce (package lightdm Suggests: accountservice), which fixes error message:
      • localhost lightdm[911]: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files

    • Allow installation of pipewire-media-session-pulseaudio as an alternative to wireplumber.
    • Fix user’s ability to easily go back to installing pulseaudio.
    • Add dbus-user-session to kicksecure-recommended-cli as required by PipeWire.
    • Add rtkit to non-qubes-audio to prevent rtkit-related errors in PipeWire journal log.
    • Add debian-keyring to kicksecure-recommended-cli, useful to verify a Debian ISO.
    • Add gawk to kicksecure-dependencies-cli (missing dependency by Debian’s dracut-core) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081005.
    • Add mesa-vulkan-drivers to kicksecure-desktop-environment-essential-gui.
    • Add mesa-utils to kicksecure-recommended-cli.
  • kicksecure-welcome-page:

    • Added documentation search boxes (Thanks to Hans!).
    • Removed metager (at time of writing, login-only) (Thanks to Hans!).
    • Improved style.
    • Point out that the kicksecure-welcome-page is a local homepage.
  • msgcollector:

    • Add command line parser and explanatory comments.
    • Refactoring.
    • Point out if icon does not exist on stderr.
    • Depends: gnome-colors-common.
    • Change icon directories (Thanks to Ben Grande!).
  • ram-wipe:

    • Always run ram-wipe if installed, even inside VMs, to simplify testing inside VMs (deprecate wiperam=force kernel parameter).
  • root check:

    • GUI (graphical user interface) applications developed by the Kicksecure project (setup-dist, setup-wizard-dist, repository-dist, sdwdate-gui, anon-connection-wizard, tor-control-panel) can no longer be started as root, show an error message otherwise.
  • security-misc:

    • Comment on Flatpak requiring unprivileged user namespaces (Thanks to @raja-grewal!)
    • Update mmap ASLR docs (Thanks to @raja-grewal!)
    • Fix VirtualBox audio device ICH AC97: no longer blacklist snd_intel8x0, because blacklisting it breaks the VirtualBox ICH AC97 audio device, which is unfortunately still required by some users.
    • Add KSPP compliance status to README, based on a comment by @raja-grewal in “document sysctl settings / kernel parameters using KSPP=yes / KSPP=no” (Kicksecure/security-misc issue #256).
    • Enable panic_on_warn=1 (Thanks to @raja-grewal!)
    • No longer set sysctl fs.binfmt_misc.status=0, i.e. no longer disallow registering interpreters for miscellaneous binary formats, because it caused a file/folder permissions issue:
      • d????????? ? ? ? ? ? . (directory listing with unreadable attributes)
      • Firefox no longer starting (probably not a Firefox issue but a general issue caused by fs.binfmt_misc.status=0)
    • Add details on BPF hardening and split the sysctls (Thanks to @raja-grewal!)
    • Add KSPP notice definitions (Thanks to @raja-grewal!)
    • Add detail on disabling user namespaces breaking UPower (Thanks to @raja-grewal!)
    • README.md: Organise sysctls and kernel boot parameters (Thanks to @raja-grewal!)
    • Add details on oopses and warnings (Thanks to @raja-grewal!)
    • Add details on kernel panics (Thanks to @raja-grewal!)
    • Refactor modprobe.d to minimise potential future merge conflicts (Thanks to @raja-grewal!)
    • Set sysctl vm.mmap_min_addr=65536 (Thanks to @raja-grewal!)
    • Partial compliance with the KSPP on kernel panics (Thanks to @raja-grewal!)
    • Add details on user namespaces (Thanks to @raja-grewal!)
    • Include KSPP compliance notices (Thanks to @raja-grewal!)
    • Provide option to disable user namespaces (Thanks to @raja-grewal!)
    • Patch bug in existing rp_filter sysctl (Thanks to @raja-grewal!)
    • Consistent formatting (Thanks to @raja-grewal!)
    • Add details on ASLR and move to user space section (Thanks to @raja-grewal!)
    • Update README.md (Thanks to @raja-grewal!)
    • Typos (Thanks to @raja-grewal!)
    • Simplify syntax of some network-related sysctls (Thanks to @raja-grewal!)
    • Clarify DMA hardening (Thanks to @raja-grewal!)
    • Add references on fs.binfmt_misc.status (Thanks to @raja-grewal!)
    • Revert “Provide optional sysctl fs.binfmt_misc.status=0” This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. (Thanks to @raja-grewal!)
    • Add details on KFENCE (Thanks to @raja-grewal!)
    • Add details on tcp_timestamps (Thanks to @raja-grewal!)
    • Add reference on RDRAND (Thanks to @raja-grewal!)
    • Add reference on rp_filter (Thanks to @raja-grewal!)
    • Add some notices for future Debian 13 rebase (Thanks to @raja-grewal!)
    • Consistent line length formatting (Thanks to @raja-grewal!)
    • Details on disabled fbdev kernel modules (Thanks to @raja-grewal!)
    • Update notifications for disabled kernel modules (Thanks to @raja-grewal!)
    • Update docs regarding Intel module disabling (Thanks to @raja-grewal!)
    • Clarify secure_redirects (Thanks to @raja-grewal!)
    • Provide optional sysctl fs.binfmt_misc.status=0 (Thanks to @raja-grewal!)
    • Enable vdso32=0 (Thanks to @raja-grewal!)
    • Enable kfence.sample_interval=100 (Thanks to @raja-grewal!)
    • Enable dev.tty.legacy_tiocsti=0 (Thanks to @raja-grewal!)
    • Enable slab_debug=FZ (Thanks to @raja-grewal!)
    • Add reference (Thanks to @raja-grewal!)
    • Update legacy name slub_debug → slab_debug (Thanks to @raja-grewal!)
    • Add details about slub_debug (Thanks to @raja-grewal!)
    • Provide the option to disable legacy TIOCSTI operation (Thanks to @raja-grewal!)
    • Provide option to disable 32 bit vDSO mappings (Thanks to @raja-grewal!)
    • Provide option to enable the kernel Electric-Fence (Thanks to @raja-grewal!)
    • Add references to KSPP (Thanks to @raja-grewal!)
    • Add missing GRUB command lines for disabled boot parameters (Thanks to @raja-grewal!)
    • Show details regarding secure_redirects (again) (Thanks to @raja-grewal!)
    • Partial inclusion of GrapheneOS infrastructure blacklist (Thanks to @raja-grewal!)
    • Set sysctl fs.binfmt_misc.status=0 (Thanks to @raja-grewal!)
    • Re-enable (default) secure_redirects for ICMP redirect messages (Thanks to @raja-grewal!)
    • Disable some legacy framebuffer drivers and legacy drivers. These were all previously blacklisted for over 2 years. (Thanks to @raja-grewal!)
    • Restrict unprivileged user namespaces (Thanks to @raja-grewal!)
  • setup-dist (CLI):

    • Add missing dependency.
    • Show a legal notice error message instead of powering off if the disclaimer is rejected.
  • setup-wizard-dist:

    • Fix detection of Whonix-Workstation, thus fixing autostart of setup-wizard-dist inside Whonix-Workstation.
    • No longer autostart setup-wizard-dist on Kicksecure.
    • Skip setup-wizard-dist (systemcheck autostart at first boot) in Kicksecure-Qubes by default (this would lead to too many systemcheck runs at Qubes VM first starts).
    • Fix auto starting systemcheck at first boot inside Whonix-Gateway.
  • swap-file-creator:

    • Skip swap-file-creator if Xen was detected (likely a Qubes HVM, which has dynamic RAM assignment).
  • systemcheck:

  • timesanitycheck:

    • Updated minimum_unixtime.
  • usability-misc:

  • derivative-maker:

    • Remove superfluous comment: live-config-dist already Depends: on rsync.
    • help-steps/dm-build-official: fix: --target iso is required to download Calamares from backports.
    • VirtualBox 7.1.0.
    • Fix multiple repository creation.
    • Move bind-dirs configuration from qubes-whonix package to individual packages.
    • Add explanatory comment for bookworm-backports entries in debian_stable_current_clearnet.list (Thanks to @ArrayBolt3!).
    • Download Calamares from bookworm-backports (Thanks to @ArrayBolt3!).
    • Fix installation of efi_weak_recommended_packages_list.
    • Create signing keys also if CI detected.
    • Do not create signing key when building redistributable builds. There is no risk of overwriting signing keys because signing-key-create checks if signing keys already exist and never overwrites. However, if signing keys are missing for redistributable builds, then the keys should be manually put in place to avoid signing redistributable builds using auto-generated keys.
    • Install cryptsetup-initramfs by default during the ISO build process, because otherwise /usr/sbin/bootloader-config from Calamares-settings-Debian might install it, which might be slow.
  • debug-misc:

  • genmkfile:

    • reprepro deleteunreferenced.
    • Fix multiple repository usage.
    • Fix: make_reprepro_codename is not a local variable; it can be a global variable.
    • Fix: Allow “downgrades” by using --allow-downgrades if installing using genmkfile. This is because if the same version was already installed from the repository, APT will consider it a “downgrade” if re-installing locally.
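
The security-misc items above set several kernel hardening values (vm.mmap_min_addr=65536, dev.tty.legacy_tiocsti=0, panic_on_warn=1, vdso32=0, kfence.sample_interval=100, slab_debug=FZ) and revert fs.binfmt_misc.status=0. The following script is an added example, not part of Kicksecure or security-misc, that verifies those values on a running system and flags a leftover fs.binfmt_misc.status=0. Which names are treated as sysctls and which as kernel boot parameters is my reading of the notes, and the sample sysctl output and kernel command line embedded below are constructed, not captured from a real machine.

```python
"""Check that the kernel hardening settings named in the Kicksecure 17.2.3.7
release notes are in effect. Added example, not Kicksecure's own code."""
import os
import shlex

# sysctl -> expected value, taken from the release notes (assumption: these
# names are sysctls, readable under /proc/sys).
EXPECTED_SYSCTLS = {
    "vm.mmap_min_addr": "65536",
    "dev.tty.legacy_tiocsti": "0",
}
# kernel boot parameter -> expected value, taken from the release notes
# (assumption: these are passed on the kernel command line).
EXPECTED_BOOT_PARAMS = {
    "panic_on_warn": "1",
    "vdso32": "0",
    "kfence.sample_interval": "100",
    "slab_debug": "FZ",
}
# Reverted in this release because it caused permission issues; a leftover
# local config that still sets it to 0 should be flagged.
REVERTED_SYSCTL = ("fs.binfmt_misc.status", "0")

# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_SYSCTL = """vm.mmap_min_addr = 65536
dev.tty.legacy_tiocsti = 0
fs.binfmt_misc.status = 1
net.ipv4.conf.all.rp_filter = 1
"""
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet "
                  "panic_on_warn=1 vdso32=0 kfence.sample_interval=100 slab_debug=FZ")


def parse_sysctl_output(text):
    """Parse 'key = value' lines, as printed by `sysctl -a`, into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # skips blank lines and "permission denied" noise
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_cmdline(text):
    """Parse a /proc/cmdline string; bare flags (e.g. 'quiet') map to None."""
    params = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def check_hardening(sysctls, boot_params):
    """Return (name, expected, actual, ok) for every setting in the notes."""
    results = []
    for key, want in EXPECTED_SYSCTLS.items():
        got = sysctls.get(key)
        results.append((key, want, got, got == want))
    for key, want in EXPECTED_BOOT_PARAMS.items():
        got = boot_params.get(key)
        results.append((key, want, got, got == want))
    key, bad = REVERTED_SYSCTL
    got = sysctls.get(key)  # absent or any value other than "0" is fine
    results.append((key, "not " + bad, got, got != bad))
    return results


def read_live_sysctls(keys):
    """Read the given sysctls from /proc/sys on a live Linux host."""
    values = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                values[key] = fh.read().strip()
        except OSError:
            pass  # not present on this kernel, or not Linux at all
    return values


if __name__ == "__main__":
    if os.path.exists("/proc/cmdline"):
        keys = list(EXPECTED_SYSCTLS) + [REVERTED_SYSCTL[0]]
        sysctls = read_live_sysctls(keys)
        with open("/proc/cmdline") as fh:
            boot_params = parse_cmdline(fh.read())
    else:  # fall back to the constructed sample on non-Linux hosts
        sysctls = parse_sysctl_output(SAMPLE_SYSCTL)
        boot_params = parse_cmdline(SAMPLE_CMDLINE)
    for name, want, got, ok in check_hardening(sysctls, boot_params):
        print(f"{'OK ' if ok else 'BAD'} {name}: expected {want}, got {got}")
```

Run it as root (or any user able to read /proc/sys) after rebooting into the new kernel command line; a BAD line for a boot parameter usually means /etc/default/grub was not regenerated, while a BAD line for fs.binfmt_misc.status points at a stale sysctl.d drop-in that still carries the reverted setting.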

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/17.2.0.7-developers-only...17.2.3.7-developers-only
