Kicksecure-baremetal-server not installed after release-upgrade, should I install it?

alberto-765 · February 8, 2026, 10:07pm

After the release upgrade to kicksecure 18, I noticed several packages weren’t installed. I’m beeing using KDE with kicksecure correctly since the release, no problems after months. But I noticed the following packages aren’t installed, I would like to know the severity to don’t have each of these packages installed and if I should try to install them.

> sudo apt list --installed | grep -i kicksecure

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

apparmor-profiles-kicksecure/unknown,now 3:36.0-1 all [installed]
kicksecure-baremetal-cli/unknown,now 3:36.0-1 all [installed]
kicksecure-base-files/unknown,now 3:10.3-1 all [installed]
kicksecure-cli/now 3:32.3-1 all [installed,local]
kicksecure-default-applications-cli/now 3:32.3-1 all [installed,local]
kicksecure-dependencies-cli/now 3:32.3-1 all [installed,local]
kicksecure-dependencies-system/now 3:32.3-1 all [installed,local]
kicksecure-network-conf/unknown,now 3:6.9-1 all [installed]
kicksecure-packages-dependencies-pre/unknown,now 3:36.0-1 all [installed]
kicksecure-recommended-cli/now 3:32.3-1 all [installed,local]
kicksecure-welcome-page/unknown,now 3:7.7-1 all [installed]



❯ sudo apt install kicksecure-baremetal-server

The following packages were automatically installed and are no longer required:
  dracut-config-generic  exim4-config     libluajit-5.1-common  libnsl2             libunibilium4  lua-lpeg  python3-greenlet
  exim4-base             libluajit-5.1-2  libmsgpack-c2         libtree-sitter0.22  libvterm0      lua-luv   python3-pynvim
Use 'sudo apt autoremove' to remove them.

Installing:
  kicksecure-baremetal-server

Installing dependencies:
  dist-baremetal-cli  dist-general-server  dummy-dependency-mta  kicksecure-general-cli   liblinear4  nmap-common     security-misc-server  vm-config-dist
  dist-general-cli    dist-nonqubes-cli    extrepo-offline-data  kicksecure-nonqubes-cli  nmap        python3-pyudev  tor-ctrl

Suggested packages:
  liblinear-tools  liblinear-dev  ncat  ndiff  zenmap  python3-wxgtk4.0

REMOVING:
  exim4-daemon-light  kicksecure-default-applications-cli  kicksecure-dependencies-system  non-qubes-enhancements-cli
  kicksecure-cli      kicksecure-dependencies-cli          kicksecure-recommended-cli      non-qubes-enhancements-gui

Summary:
  Upgrading: 0, Installing: 16, Removing: 8, Not Upgrading: 0

arraybolt3 · February 8, 2026, 10:47pm

You should install the suggested packages. This is necessary to ensure software updates work as intended going forward. See:

The only danger I can see looking at the upgrade is that exim4-daemon-light will be removed. If this server is a mail server and you’re actually using exim4-daemon-light, that may not be what you want. You can run the upgrade, remove dummy-dependency-mta, and then reinstall the mail server using these instructions:

If the machine is not a mail server however, this is expected and you should allow that package to be removed without reinstalling it.

As always, make sure you have backups, and be prepared for the server to be hard to access after an update. Make sure you can gain access to the server without SSH, just in case something goes awry.

Patrick · February 9, 2026, 9:17am

alberto-765 · February 9, 2026, 9:36am

It is my main PC with KDE, not a server such as. But like I don’t want to use lxqt, the other option is kicksecure-baremetal-server, right?

The mail service I suppose is part of proton mail, is the only mail application I have installed right now.

I will try it in a VM before, I don’t want to broke the main system.

Thanks to both.

Patrick · February 9, 2026, 12:27pm

kicksecure-baremetal-cli

Patrick · February 9, 2026, 3:43pm

Correction: Not ideal.

alberto-765 · February 9, 2026, 6:55pm

The ideal is kicksecure-baremetal-server, right?

arraybolt3 · February 10, 2026, 12:26am

At the moment, yes. We will likely make kicksecure-baremetal-cli (and some of the other -cli metapackages) suitable for direct installation in the near future.

alberto-765 · February 10, 2026, 11:54am

Okey, it will be great.
And would be good too to document a little better the differences between the cli and the server version, but not just say that one is for server and the other is for client, that we are seeing the good one is the kicksecure-baremetal-server in both cases. Explain too which functionalities or packages has one and not the others.

18: kicksecure-baremetal-cli for physical hardware
18: kicksecure-baremetal-server for physical hardware

There is a ISO for server without lxqt available, without interface? I couldn’t find it.

arraybolt3 · February 10, 2026, 3:06pm

There isn’t an ISO, no. We don’t have any CLI-mode installer, so an ISO
would make little sense. We do have CLI VM images for VirtualBox and KVM,
but both of those are using the ‘kicksecure-vm-server’ metapackage I
believe.

alberto-765 · February 10, 2026, 3:59pm

Yea, I’m testing the KDE installation in a machine with the KVM Client version. But I can’t reproduce it in a baremetal because de default ISO come with lxqt. I’m testing purging lxqt and replacing with other environment but it’s more job and time

Patrick · February 10, 2026, 7:01pm

Will be included in 18.1.3.9 and above.

alberto-765 · February 19, 2026, 1:09pm

To those ones that want to use kde with kicksecure, by problem was the dependency of greetd and wlgreet in kicksecure. You need to create a dummy-package for be able to remove it and use sddm correctly.

This worked for my in my baremetal pc, use timeshift for recovery if something fail:

1. Update and full-upgrade
  sudo apt update && sudo apt full-upgrade -y

2. Install kde with or without main applications
  sudo apt install kde-plasma-desktop
# OR
  sudo apt install kde-standard

3. Purge kicksecure display manager
  sudo dummy-dependency --purge --yes greetd 
  sudo dummy-dependency --purge --yes wlgreet
  sudo rm -rf /etc/greetd

4. Enable Simple Desktop Display Manager
  sytemctl status sddm.service
  systemtl enable sddm.service
  systemtl start sddm.service

5. Install wayland dependencies
  sudo apt install qt6-wayland qt5-wayland wayland-utils

6. Purge LXQT and all relationated packages
  sudo apt purge --auto-remove lxqt lxqt-*
  sudo apt purge openbox obconf labwc waybar featherpad kicksecure-general-gui-lxqt kicksecure-nonqubes-gui-lxqt
  sudo apt purge *lxqt*
  sudo apt autoremove --purge


  # Verify removed
  dpkg -l | grep lxqt

7. Install possible important packages of kicksecure that could be removed
  sudo apt install kicksecure-baremetal-server

8. Remove non used packages
  sudo apt autoremove --purge

9. Run systemcheck

alberto-765 · February 20, 2026, 2:05pm

But I have some issues with hardware acceleration, I don’t know which could be the cause but after installing the baremetal-server package something is broken. The problem is that some gui don’t load well, I get message in system monitor like: System Monitor has fallen back to software rendering because hardware acceleration is not available, and visual glitches may appear. Please check your graphics drivers.

Could be something of security-misc?

I have tried installing this packages but nothing changed:

sudo apt install libvdpau-va-gl1 mesa-vdpau-drivers vainfo vulkan-tools mesa-va-drivers libva-drm2 libva2


groups $USER
sudo usermod -aG video,render $USER

I have logs of apt

❯ sudo apt install kicksecure-baremetal-server
[sudo] password for user:
Place your finger on the fingerprint reader
The following packages were automatically installed and are no longer required:
  exim4-base  exim4-config  libnsl2
Use 'sudo apt autoremove' to remove them.

Upgrading:
  kicksecure-baremetal-cli

Installing:
  kicksecure-baremetal-server

Installing dependencies:
  dist-baremetal-cli   dummy-dependency-mta     nmap                  tor-ctrl
  dist-general-cli     kicksecure-general-cli   nmap-common           vm-config-dist
  dist-general-server  kicksecure-nonqubes-cli  python3-pyudev
  dist-nonqubes-cli    liblinear4               security-misc-server

Suggested packages:
  liblinear-tools  liblinear-dev  ncat  ndiff  zenmap  python3-wxgtk4.0

REMOVING:
  exim4-daemon-light                   kicksecure-dependencies-system
  kicksecure-cli                       kicksecure-recommended-cli
  kicksecure-default-applications-cli  non-qubes-enhancements-cli
  kicksecure-dependencies-cli          non-qubes-enhancements-gui

Summary:
  Upgrading: 1, Installing: 15, Removing: 8, Not Upgrading: 1
  Download size: 7.433 kB
  Space needed: 26,7 MB / 233 GB available

Continue? [Y/n] y
Get:1 tor+https://deb.kicksecure.com trixie/main amd64 dummy-dependency-mta all 3:36.2-1 [85,3 kB]
Get:2 tor+https://deb.debian.org/debian trixie/main amd64 nmap-common all 7.95+dfsg-3 [4.392 kB]
Get:3 tor+https://deb.kicksecure.com trixie/main amd64 dist-baremetal-cli all 3:36.2-1 [85,2 kB]
Get:4 tor+https://deb.kicksecure.com trixie/main amd64 vm-config-dist all 3:16.0-1 [62,5 kB]
Get:5 tor+https://deb.kicksecure.com trixie/main amd64 tor-ctrl all 3:6.4-1 [30,3 kB]
Get:6 tor+https://deb.kicksecure.com trixie/main amd64 dist-general-cli all 3:36.2-1 [85,8 kB]
Get:7 tor+https://deb.kicksecure.com trixie/main amd64 security-misc-server all 3:51.4-1 [176 kB]
Get:8 tor+https://deb.kicksecure.com trixie/main amd64 dist-general-server all 3:36.2-1 [85,2 kB]
Get:9 tor+https://deb.kicksecure.com trixie/main amd64 dist-nonqubes-cli all 3:36.2-1 [85,3 kB]
Get:10 tor+https://deb.kicksecure.com trixie/main amd64 kicksecure-nonqubes-cli all 3:36.2-1 [85,2 kB]
Get:11 tor+https://deb.kicksecure.com trixie/main amd64 kicksecure-general-cli all 3:36.2-1 [85,2 kB]
Get:12 tor+https://deb.kicksecure.com trixie/main amd64 kicksecure-baremetal-cli all 3:36.2-1 [85,3 kB]
Get:13 tor+https://deb.kicksecure.com trixie/main amd64 kicksecure-baremetal-server all 3:36.2-1 [85,2 kB]
Get:14 tor+https://deb.debian.org/debian trixie/main amd64 liblinear4 amd64 2.3.0+dfsg-5+b2 [41,7 kB]
Get:15 tor+https://deb.debian.org/debian trixie/main amd64 nmap amd64 7.95+dfsg-3 [1.931 kB]
Get:16 tor+https://deb.debian.org/debian trixie/main amd64 python3-pyudev all 0.24.3-1 [32,6 kB]
Fetched 7.433 kB in 24s (313 kB/s)
dpkg: exim4-daemon-light: dependency problems, but removing anyway as you requested:
 gpg-wks-server depends on default-mta | mail-transport-agent; however:
  Package default-mta is not installed.
  Package exim4-daemon-light which provides default-mta is to be removed.
  Package mail-transport-agent is not installed.
  Package exim4-daemon-light which provides mail-transport-agent is to be removed.
 bsd-mailx depends on default-mta | mail-transport-agent; however:
  Package default-mta is not installed.
  Package exim4-daemon-light which provides default-mta is to be removed.
  Package mail-transport-agent is not installed.
  Package exim4-daemon-light which provides mail-transport-agent is to be removed.
 gpg-wks-server depends on default-mta | mail-transport-agent; however:
  Package default-mta is not installed.
  Package exim4-daemon-light which provides default-mta is to be removed.
  Package mail-transport-agent is not installed.
  Package exim4-daemon-light which provides mail-transport-agent is to be removed.
 bsd-mailx depends on default-mta | mail-transport-agent; however:
  Package default-mta is not installed.
  Package exim4-daemon-light which provides default-mta is to be removed.
  Package mail-transport-agent is not installed.
  Package exim4-daemon-light which provides mail-transport-agent is to be removed.

(Reading database ... 288753 files and directories currently installed.)
Removing exim4-daemon-light (4.98.2-1) ...
Selecting previously unselected package dummy-dependency-mta.
(Reading database ... 288730 files and directories currently installed.)
Preparing to unpack .../dummy-dependency-mta_3%3a36.2-1_all.deb ...
Unpacking dummy-dependency-mta (3:36.2-1) ...
(Reading database ... 288728 files and directories currently installed.)
Removing kicksecure-cli (3:32.3-1) ...
Removing kicksecure-default-applications-cli (3:32.3-1) ...
Removing kicksecure-dependencies-cli (3:32.3-1) ...
Removing kicksecure-dependencies-system (3:32.3-1) ...
Removing kicksecure-recommended-cli (3:32.3-1) ...
Removing non-qubes-enhancements-gui (3:32.3-1) ...
Removing non-qubes-enhancements-cli (3:32.3-1) ...
Selecting previously unselected package dist-baremetal-cli.
(Reading database ... 288706 files and directories currently installed.)
Preparing to unpack .../00-dist-baremetal-cli_3%3a36.2-1_all.deb ...
Unpacking dist-baremetal-cli (3:36.2-1) ...
Selecting previously unselected package nmap-common.
Preparing to unpack .../01-nmap-common_7.95+dfsg-3_all.deb ...
Unpacking nmap-common (7.95+dfsg-3) ...
Selecting previously unselected package liblinear4:amd64.
Preparing to unpack .../02-liblinear4_2.3.0+dfsg-5+b2_amd64.deb ...
Unpacking liblinear4:amd64 (2.3.0+dfsg-5+b2) ...
Selecting previously unselected package nmap.
Preparing to unpack .../03-nmap_7.95+dfsg-3_amd64.deb ...
Unpacking nmap (7.95+dfsg-3) ...
Selecting previously unselected package python3-pyudev.
Preparing to unpack .../04-python3-pyudev_0.24.3-1_all.deb ...
Unpacking python3-pyudev (0.24.3-1) ...
Selecting previously unselected package vm-config-dist.
Preparing to unpack .../05-vm-config-dist_3%3a16.0-1_all.deb ...
Unpacking vm-config-dist (3:16.0-1) ...
Selecting previously unselected package tor-ctrl.
Preparing to unpack .../06-tor-ctrl_3%3a6.4-1_all.deb ...
Unpacking tor-ctrl (3:6.4-1) ...
Selecting previously unselected package dist-general-cli.
Preparing to unpack .../07-dist-general-cli_3%3a36.2-1_all.deb ...
Unpacking dist-general-cli (3:36.2-1) ...
Selecting previously unselected package security-misc-server.
Preparing to unpack .../08-security-misc-server_3%3a51.4-1_all.deb ...
Unpacking security-misc-server (3:51.4-1) ...
Selecting previously unselected package dist-general-server.
Preparing to unpack .../09-dist-general-server_3%3a36.2-1_all.deb ...
Unpacking dist-general-server (3:36.2-1) ...
Selecting previously unselected package dist-nonqubes-cli.
Preparing to unpack .../10-dist-nonqubes-cli_3%3a36.2-1_all.deb ...
Unpacking dist-nonqubes-cli (3:36.2-1) ...
Selecting previously unselected package kicksecure-nonqubes-cli.
Preparing to unpack .../11-kicksecure-nonqubes-cli_3%3a36.2-1_all.deb ...
Unpacking kicksecure-nonqubes-cli (3:36.2-1) ...
Selecting previously unselected package kicksecure-general-cli.
Preparing to unpack .../12-kicksecure-general-cli_3%3a36.2-1_all.deb ...
Unpacking kicksecure-general-cli (3:36.2-1) ...
Preparing to unpack .../13-kicksecure-baremetal-cli_3%3a36.2-1_all.deb ...
Unpacking kicksecure-baremetal-cli (3:36.2-1) over (3:36.0-1) ...
Selecting previously unselected package kicksecure-baremetal-server.
Preparing to unpack .../14-kicksecure-baremetal-server_3%3a36.2-1_all.deb ...
Unpacking kicksecure-baremetal-server (3:36.2-1) ...
Setting up dummy-dependency-mta (3:36.2-1) ...
Setting up dist-baremetal-cli (3:36.2-1) ...
Setting up kicksecure-nonqubes-cli (3:36.2-1) ...
Setting up liblinear4:amd64 (2.3.0+dfsg-5+b2) ...
Setting up kicksecure-general-cli (3:36.2-1) ...
Setting up tor-ctrl (3:6.4-1) ...
Setting up dist-nonqubes-cli (3:36.2-1) ...
Setting up nmap-common (7.95+dfsg-3) ...
Setting up security-misc-server (3:51.4-1) ...
Setting up python3-pyudev (0.24.3-1) ...
Setting up nmap (7.95+dfsg-3) ...
Setting up dist-general-server (3:36.2-1) ...
Setting up vm-config-dist (3:16.0-1) ...
Adding 'diversion of /usr/bin/spice-vdagent to /usr/bin/spice-vdagent.dist-orig by vm-config-dist'
Created symlink '/etc/systemd/system/sysinit.target.wants/mnt-shared-kvm.service' → '/usr/lib/systemd/system/mnt-shared-kvm.service'.
Created symlink '/etc/systemd/system/sysinit.target.wants/mnt-shared-vbox.service' → '/usr/lib/systemd/system/mnt-shared-vbox.service'.
Created symlink '/etc/systemd/system/sysinit.target.wants/suppress-power-management-in-vms.service' → '/usr/lib/systemd/system/suppress-power-management-in-vms.service'.
Setting up dist-general-cli (3:36.2-1) ...
Setting up kicksecure-baremetal-cli (3:36.2-1) ...
Setting up kicksecure-baremetal-server (3:36.2-1) ...
Processing triggers for man-db (2.13.1-1) ...
Processing triggers for security-misc-shared (3:51.4-1) ...
INFO: triggered security-misc-shared: 'security-misc-shared' security-misc-shared DPKG_MAINTSCRIPT_NAME: 'postinst' $\*: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc-shared.postinst: INFO: running: permission-hardener enable
permission-hardener [NOTICE]: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener-v2/existing_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride
/var/lib/dpkg/info/security-misc-shared.postinst: INFO: Permission hardening success.
Processing triggers for dracut (106-6) ...
dracut: Generating /boot/initrd.img-6.12.73+deb13-amd64
Creating group 'tty' with GID 5.
Creating group 'disk' with GID 6.
Creating group 'man' with GID 12.
Creating group 'kmem' with GID 15.
Creating group 'dialout' with GID 20.
Creating group 'fax' with GID 21.
Creating group 'voice' with GID 22.
Creating group 'cdrom' with GID 24.
Creating group 'floppy' with GID 25.
Creating group 'tape' with GID 26.
Creating group 'sudo' with GID 27.
Creating group 'audio' with GID 29.
Creating group 'dip' with GID 30.
Creating group 'operator' with GID 37.
Creating group 'src' with GID 40.
Creating group 'shadow' with GID 42.
Creating group 'video' with GID 44.
Creating group 'sasl' with GID 45.
Creating group 'plugdev' with GID 46.
Creating group 'staff' with GID 50.
Creating group 'games' with GID 60.
Creating group 'users' with GID 100.
Creating group 'nogroup' with GID 65534.
Creating group 'systemd-journal' with GID 999.
Creating user 'root' (n/a) with UID 0 and GID 0.
Creating group 'daemon' with GID 1.
Creating user 'daemon' (n/a) with UID 1 and GID 1.
Creating group 'bin' with GID 2.
Creating user 'bin' (n/a) with UID 2 and GID 2.
Creating group 'sys' with GID 3.
Creating user 'sys' (n/a) with UID 3 and GID 3.
Creating user 'sync' (n/a) with UID 4 and GID 65534.
Creating user 'games' (n/a) with UID 5 and GID 60.
Creating user 'man' (n/a) with UID 6 and GID 12.
Creating group 'lp' with GID 7.
Creating user 'lp' (n/a) with UID 7 and GID 7.
Creating group 'mail' with GID 8.
Creating user 'mail' (n/a) with UID 8 and GID 8.
Creating group 'news' with GID 9.
Creating user 'news' (n/a) with UID 9 and GID 9.
Creating group 'uucp' with GID 10.
Creating user 'uucp' (n/a) with UID 10 and GID 10.
Creating group 'proxy' with GID 13.
Creating user 'proxy' (n/a) with UID 13 and GID 13.
Creating group 'www-data' with GID 33.
Creating user 'www-data' (n/a) with UID 33 and GID 33.
Creating group 'backup' with GID 34.
Creating user 'backup' (n/a) with UID 34 and GID 34.
Creating group 'list' with GID 38.
Creating user 'list' (n/a) with UID 38 and GID 38.
Creating group 'irc' with GID 39.
Creating user 'irc' (n/a) with UID 39 and GID 39.
Creating user '_apt' (n/a) with UID 42 and GID 65534.
Creating user 'nobody' (n/a) with UID 65534 and GID 65534.
Processing triggers for libc-bin (2.41-12+deb13u1) ...

Patrick · February 20, 2026, 5:20pm