Download

(What is a point release?)

Upgrade

Alternatively, an in-place release upgrade is possible using the Kicksecure repository.

This release would not have been possible without the numerous supporters of Kicksecure!

Please Donate!

Please Contribute!

Special Notices

• This is probably the last release based on Debian 12 / bookworm.
• We are working towards porting to Debian 13 / trixie.
  • There is no ETA (estimated time of arrival).

Major Changes

• No longer install Firefox by default.
  • Reason: Mozilla terms of service change related to selling user data
• No longer install Thunderbird by default.
  • Reason: Same as above.
• Implemented and installed Browser Choice by default. (Thanks to @ArrayBolt3!)
  • user documentation: Browser Choice - Browser Selection Installer Dialog
  • developer documentation: Browser Choice
• grub-live
  • added live-hardener

    • live-hardener detects writable filesystems and remounts most of them read-only, then adds a live overlay on top. This is similar to what Debian’s dracut’s 90overlay-root does for the root filesystem, but applies to most other writable filesystems on the system, thus reducing persistence even in more complex setups.

    • Therefore, it is now compatible with the btrfs file system.
      • As a result, feature request Use Btrfs as the default journaling file system - #8 by Patrick is now unblocked.
• fix bootloader upgrades (Thanks to @ArrayBolt3!)
  • UEFI bootloader updates seem broken · Issue #297 · grml/grml-debootstrap · GitHub
  • Make bootloader updates on UEFI-based systems work by ArrayBolt3 · Pull Request #299 · grml/grml-debootstrap · GitHub
• new Linux user group privleap:
  • Linux user account members of the group privleap are allowed to use privleap actions by default (Thanks to @ArrayBolt3!)
• improve /etc/profile.d scripts error handling
• created an aggregation of Kicksecure Project Policies, an overview of confirmed, proposed, and rejected policies guiding Kicksecure’s development, philosophy, and legal framework.

Progress Towards

• Unplugging external drive should trigger a shutdown
• Emergency key press shutdown sequence
• Ctrl+Alt+Del (three-finger salute) action

Changelog

• bootclockrandomization:
  • Add hwclock synchronization (Thanks to @ArrayBolt3!)
• desktop-config-dist:
  • Improve zsh configuration usability and security (Change default shell from bash to zsh by default? - #171 by Patrick - Development - Whonix Forum) (Thanks to @ArrayBolt3!)
  • sysmaint session: Show power manager widget and notifications by default (Thanks to @ArrayBolt3!)
  • livecheck improvements (Thanks to @ArrayBolt3!)
    • rewritten in Python
      • therefore should now be compatible with any desktop environment that supports systray
      • deprecated Xfce genmon implementation
    • Add read-only mode detection
      • make sure livecheck-lsblk.service runs early enough
      • add Calamares integration (tone down the message when Calamares mounts a disk as read-write during installation, as this is expected)
    • Add better handling of removable media, NFS, and VM shared folders (Thanks to @ArrayBolt3!)
• dist-base-files:
  • Switch to xz compression for initramfs (Thanks to @ArrayBolt3!)
• genmkfile:
  • Port to approx package caching proxy (Thanks to @ArrayBolt3!)
  • Respect APTGETOPT_SERIALIZED from environment when installing packages (Thanks to @ArrayBolt3!)
• grub-live:
  • Disable systemd-remount-fs and systemd-growfs-root in live mode (Thanks to @ArrayBolt3!)
• helper-scripts:
  • get-password-status-list: Make it more obvious when an account has no password set (Thanks to @ArrayBolt3!)
  • screen locking in sysmaint session: Don’t lock the screen if the user’s password would make this insecure or cause breakage (Thanks to @ArrayBolt3!)
  • Add basic network access checker (taken from updatecheck) (Thanks to @ArrayBolt3!)
  • Add root user to list returned by get-user-list (Thanks to @ArrayBolt3!)
  • Implement sanitize-string (Thanks to @ArrayBolt3!)
  • Port to helper-scripts strip-html (Thanks to @ArrayBolt3!)
  • Add HTML stripping utility (Thanks to @ArrayBolt3!)
  • unicode: avoid warning message:

    • grep: PCRE2 does not support \F, \L, \l, \N{name}, \U, or \u by no longer using --perl-regexp for grep number three

  • Bring back read-only mode detection (Thanks to @ArrayBolt3!)
  • Add unicode-testscript run to run-tests (Thanks to @ArrayBolt3!)
  • Fix stcatn failing to trim whitespace from all but the last line of an input file (Thanks to @ArrayBolt3!)
  • Improve get_writable_fs_lists.sh (Thanks to @ArrayBolt3!)
  • Refactor live_mode.sh to allow reducing logic duplication with livecheck (Thanks to @ArrayBolt3!)
  • Add better handling of removable media, NFS, and VM shared folders (Thanks to @ArrayBolt3!)
  • Rework live-mode.sh to provide more detailed info (Thanks to @ArrayBolt3!)
  • protect against printf, grep --quiet broken pipe
  • /usr/libexec/helper-scripts/root_cmd.sh: fix error message in case no privilege escalation tool can be found
  • test that wc is functional; add /usr/libexec/helper-scripts/wc-test.sh Prevent erroneous "Login blocked after [negative number] attempts" errors by DMHalford · Pull Request #305 · Kicksecure/security-misc · GitHub
  • Add script for finding the device providing a mountpoint, for emergency shutdown feature (Thanks to @ArrayBolt3!)
  • Fix anondate-get so it actually uses anondate’s output (Thanks to @ArrayBolt3!)
  • Fix get-backing-devices-for-mountpoint bug causing it to fail in live mode (Thanks to @ArrayBolt3!)
• kicksecure-base-files:
  • revert to the original DPKG origins file. No longer divert /etc/dpkg/origins/default because it breaks reverse-depends.
• kicksecure-meta-packages:
  • no longer install firmware-b43-installer by default due to upstream bug: firmware-b43-installer: firmware download fails due to a broken upstream URL and checksum mismatch. Debian bug report: firmware-b43-installer: firmware download fails due to broken upstream URL and checksum mismatch
  • Add XScreenSaver to kicksecure-desktop-applications-xfce (Thanks to @ArrayBolt3!)
  • no longer install ZuluCrypt by default (zulucrypt (LUKS container GUI / CLI) - #19 by Patrick - Development - Whonix Forum)
• live-config-dist:
  • Bring back BTRFS support (Thanks to @ArrayBolt3!)
  • Inform livecheck when an install starts and finishes (Thanks to @ArrayBolt3!)
• msgcollector:
  • Port strip-html calls to sanitize-string (Thanks to @ArrayBolt3!)
  • mandatory strip-html
  • Implement chunking for very long messages (Thanks to @ArrayBolt3!)
  • Switch to using helper-scripts strip-html (Thanks to @ArrayBolt3!)
  • improve ARG_MAX check
  • fix: unbreak msgcollector in case the folder /run/user/$(id -u) does not exist (such as in a minimal environment, a chroot, or an SSH session with UsePAM no)
• open-link-confirmation:
  • Improve sysmaint session link rejection message (Thanks to @ArrayBolt3!)
  • Fix browser prioritization, add Brave and Mullvad to the list of candidates in alphabetical order (Thanks to @ArrayBolt3!)
  • Port strip-html calls to sanitize-string (Thanks to @ArrayBolt3!)
• ram-wipe:
  • enable kernel parameters init_on_free and init_on_alloc
• sdwdate:
  • Remove non-working mirrors (Thanks to @Nurmagoz!)
  • fix: TypeError: SdwdateClass.run_sclockadj_and_hwclock() takes 1 positional argument but 2 were given
  • Don’t try to sync hardware clock on Qubes OS (Thanks to @ArrayBolt3!)
  • Add hardware clock syncing (Thanks to @ArrayBolt3!)
  • Port strip_markup calls to sanitize_string (Thanks to @ArrayBolt3!)
  • Switch to using helper-scripts strip_markup (Thanks to @ArrayBolt3!)
  • seccomp fixes
    • Broken sdwdate after latest upgrade - #5 by anonimac - Support - Whonix Forum
    • Thanks to @anonimac for the bug report and solution contribution!
• security-misc:
  • Improve emerg-shutdown usage documentation (Thanks to @ArrayBolt3!)
  • Use Ctrl+Alt+End as the default panic key (Thanks to @ArrayBolt3!)
  • Integrate emerg-shutdown into the initramfs (Thanks to @ArrayBolt3!)
  • Enable indirect_target_selection=force (Thanks to @raja!)
  • remove misleading TemporaryTimeout=0 in Bluetooth config (Thanks to Kevin Agwaze!)
  • Add comment related to approx package caching proxy (Thanks to @ArrayBolt3!)
  • fix(permission-hardener): ssh-agent gets 2755 perms. Change from exactwhitelist to matchwhitelist. Discussion revealed that there’s a good reason to leave setgid in here, which is essentially defense-in-depth (sometimes users may want to revert Kicksecure’s default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and Kicksecure should not be less secure than vanilla Debian in that situation). (Thanks to Ashlen!)
  • protect against grep pipefail
  • further validation of output of faillock
  • test that wc is functional Prevent erroneous "Login blocked after [negative number] attempts" errors by DMHalford · Pull Request #305 · Kicksecure/security-misc · GitHub
  • pam-info: improve error handling Prevent erroneous "Login blocked after [negative number] attempts" errors by DMHalford · Pull Request #305 · Kicksecure/security-misc · GitHub
  • pam-info: fix, consistently write errors and warnings to stderr
  • pam-info: fix: consistently write errors and warnings to stderr
  • perf(permission-hardener): optimize string match. Replace subprocess grep calls with bash substring matching in check_nosuid_whitelist function. This eliminates ~10k unneeded subprocess spawns that were causing significant performance degradation. In testing, it improves overall script execution speed by an order of magnitude. (Thanks to Ashlen!)
  • fix(permission-hardener): add exactwhitelist permissions for ssh-agent. (Thanks to Ashlen!)
  • fix(permission-hardener): ssh-agent gets 755 perms. Replace the commented-out matchwhitelist entry for ssh-agent with an explicit permission entry (755) for /usr/bin/ssh-agent. When ssh-agent’s matchwhitelist entry was commented out in commit 7a5f8b87af, permission-hardener began resetting it to restrictive defaults (744), preventing non-root users from executing ssh-agent. This broke split SSH functionality in Qubes OS for me because I was using Kicksecure in the vault qube, and ssh-agent runs under a non-root user in that configuration (see Split SSH - Community Guides - Qubes OS Forum. As noted in the comment, Debian installs with 2755 permissions as a way to mitigate ptrace attacks, but this rationale doesn’t apply due to kernel.yama.ptrace_scope=2 being set in Kicksecure. (Thanks to Ashlen!)
  • handle case of non-existence of /proc/cmdline
  • Set erst_disable (Thanks to @raja!)
  • Prevent erroneous “Login blocked after [negative number] attempts” errors for root. (Thanks to DMHalford!)
• setup-wizard-dist:
  • Add mention of browser-choice for Kicksecure, fix outdated boot mode string (Thanks to @ArrayBolt3!)
• sysmaint-panel:
  • Add “Install a Browser” button (Thanks to @ArrayBolt3!)
  • Add clean mechanism for UI build artifacts, remove autogenerated code from repo (Thanks to @ArrayBolt3!)
  • Remove obsolete live mode indicator (replaced by livecheck applet from desktop-config-dist) (Thanks to @ArrayBolt3!)
• systemcheck:
  • show disabled as per default/expected su access check result only when using --verbose
  • Warn about absent locked or restricted passwords for the sysmaint account (Thanks to @ArrayBolt3!)
  • Add su permissions check (Thanks to @ArrayBolt3!)
  • Enable check_login_security on Qubes OS, fix autologin check (Thanks to @ArrayBolt3!)
  • Silence spurious warnings, fix AppArmor issues (Thanks to @ArrayBolt3!)
  • Split out network access check code into helper-scripts (Thanks to @ArrayBolt3!)
  • Fix color for root login security warnings (Thanks to @ArrayBolt3!)
  • Fix check_login_security regexes, increase warning severity for root password and autologin issues (Thanks to @ArrayBolt3!)
  • Add ‘Locked (Present)’ and ‘Restricted (Present)’ password statuses (Thanks to @ArrayBolt3!)
  • Add additional checks for locked and disabled (restricted) passwords (Thanks to @ArrayBolt3!)
  • Port sanitize_variable calls to sanitize-string (Thanks to @ArrayBolt3!)
  • Port strip-html calls to sanitize-string, make apparmor config handle both /bin and /usr/bin properly (Thanks to @ArrayBolt3!)
  • Port to helper-scripts strip-html (Thanks to @ArrayBolt3!)
  • non-zero exit code if tirdad kernel module is not loaded (Non-Qubes only)
  • non-zero exit code if Debian is LTS or EOL (show Debian still supported message only in verbose mode) (Thanks to @ArrayBolt3!)
  • improve tirdad kernel module loaded test help output
  • output more information about Secure Boot status when not booted into EFI mode and when using Qubes
  • Don’t block the livecheck-lsblk file in the apparmor policy (Thanks to @ArrayBolt3!)
  • Skip user-sysmaint-split check in Whonix-Gateway if package is not installed, add new checks (Thanks to @ArrayBolt3!)
  • ignore more journal messages when using --verbose
  • add support for ignoring journal messages in systemcheck configuration file using grep --fixed-strings
  • sort into literal and non-literal grep for ignored journal messages
  • fix apparmor issue 'systemcheck --gui' fails with `ERROR: ARG_MAX exceeded!` - Support - Whonix Forum (Thanks to @marmarek for the bug report and fix suggestion!)
  • simplified virtualizer check
  • fix: in --verbose mode, in Qubes: exit non-zero when missing the tirdad kernel module
  • new unwanted package: stardict due to [privacy concerns associated with stardict](Dev/Debian Kicksecure Documentation
• tb-updater:
  • check if network interface exists
  • update to new version file web link
  • sanitize-string
  • Port strip-html calls to sanitize-string (Thanks to @ArrayBolt3!)
  • Port to helper-scripts strip-html (Thanks to @ArrayBolt3!)
• timesanitycheck:
  • updated minimum_unixtime
• tor-control-panel:
  • improve robustness of proxy configuration code
  • fix adding custom bridges
• usability-misc:
  • Make mousepad open files in a new window rather than a new tab (Thanks to @ArrayBolt3!)
  • dist-installer-cli (Linux VirtualBox installer:) detect whether the installer is run in live mode
  • protect against grep broken pipe
  • dist-installer-cli: fix bash -x
  • test that wc is functional Prevent erroneous "Login blocked after [negative number] attempts" errors by DMHalford · Pull Request #305 · Kicksecure/security-misc · GitHub
• user-sysmaint-split:
  • Update ensure-shutdown enablement code (Thanks to @ArrayBolt3!)
  • If ensure-shutdown is enabled, enable it for sysmaint mode also (Thanks to @ArrayBolt3!)
  • Indentation fix, silence stderr from accountctl when necessary (Thanks to @ArrayBolt3!)
  • Fix sysmaint mode compatibility with Qubes StandaloneVMs (Thanks to @ArrayBolt3!)
  • non-Qubes: Add xfce4-power-manager to user service list (Thanks to @ArrayBolt3!)
  • Make compatible with new boot menu scripts (Thanks to @ArrayBolt3!)
  • run livecheck systray in sysmaint session (Thanks to @ArrayBolt3!)
  • Add optional systemd unit mechanism, and add ufw and firewalld by default also in sysmaint session if installed (Thanks to @ArrayBolt3!)
  • fix: show /etc/profile.d sysmaint account notification only if tty has been detected. This is to avoid confusing non-login scripts with terminal output.
• vm-config-dist:
  • Add shared folder README, add shared folder shortcut to Thunar (Thanks to @ArrayBolt3!)
  • Refactor/unbreak automatic shared folder mounting, harden permissions on shared folders (Thanks to @ArrayBolt3!)
  • Add XScreenSaver configuration for VMs (Thanks to @ArrayBolt3!)
  • no longer disable KDE screensaver by default in VMs, reasons:
    • KDE only; Missing implementation with the main supported desktop environment (Xfce at the time of writing); Inconsistent versus systemcheck notifying about autologin check and user account password check.
• derivative-maker:
  • Introduced derivative-update (Thanks to major contributions by @ArrayBolt3 and @tabletseeker!)
    • Kicksecure derivative-updater Documentation
    • Verify digital signatures and key fingerprints of signed git commits when derivative-maker is invoked.
      • Trust on First Use (TOFU). Initial source code digital signature verification - as already previously documented - is still recommended.
  • work towards Docker Container that builds Whonix Images (Thanks to major contributions by @ArrayBolt3 and @tabletseeker!)
    • status at time of writing: Docker Container that builds Whonix Images - #163 by Patrick - Development - Whonix Forum
  • Port from apt-cacher-ng to the approx package as a caching proxy (Thanks to @ArrayBolt3!)
  • Remove obsolete image-to-iso references (Thanks to @ArrayBolt3!)
  • unmount stray loop devices in case kpartx fails to remove them (happens inside Docker) (Thanks to @e-coin for the bug report!)
  • always run sanity tests during official builds
  • fix grep --quiet versus pipefail
  • test that wc does not core dump
  • improve prepare-release relative path support

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/17.3.9.9-developers-only…17.4.4.3-developers-only