Whonix Changelog

What's new in Whonix 15.0.0.3.3

Jul 2, 2019
  • port Whonix from Debian stretch to Debian buster
  • kernel hardening
  • Blacklist uncommon network protocols
  • systemd unit sandboxing
  • improve entropy collection through extensive research and installation by default of jitterentropy-rngd
  • research implications of spectre / meltdown / retpoline / L1 Terminal Fault (L1TF) vs Whonix
  • Non-Qubes-Whonix: kloak - Keystroke Anonymization Tool
  • Non-Qubes-Whonix: Whonix Live / Live Mode Indicator / grub-live / grub-default-live
  • Non-Qubes-Whonix: switch desktop environment from KDE to XFCE (poll) (other desktop environments)
  • Non-Qubes-Whonix: reduced image size using zerofree
  • Whonix VirtualBox: CLI version (Whonix ™ with CLI is a version suited for advanced users – those who want Whonix ™ without a GUI.)
  • Whonix VirtualBox: unified ova downloads
  • Qubes-Whonix: change Qubes-Whonix default applications from KDE-ish to XFCE-ish
  • Qubes-Whonix: simplify installation of VM kernel by installing the same recommended Qubes packages as Qubes Debian packages (source 1, source 2)
  • Whonix KVM: serial console support
  • update sdwdate time sources
  • List of processed Whonix 15 tickets
  • arm64 / RPi port
  • install by default zulucrypt, qtox, onionshare, keepassxc, firejail
  • new usability wrappers: scurlget, curlget, pwchange, upgrade-nonroot, apt-get-noninteractive, apt-get-update-plus
  • remove mixmaster, ricochet since dead upstream
  • support for Bisq - The P2P Exchange Network
  • port build script to cowbuilder; build packages in chroot and use mmdebstrap for better security
  • add UsrMerge compatibility

New in Whonix 14 (Oct 31, 2018)

  • Rebased Whonix on Debian stretch (Debian 9).
  • Whonix 14 is 64-bit (amd64) only - 32-bit (i386) images will no longer be built and made available for download. [5]
  • The new Anon Connection Wizard [6] feature in Whonix simplifies connections to the Tor network via a Tor bridge and/or a proxy.
  • The Tor pluggable transport meek_lite [7] is now supported, making it much easier to connect to the Tor network in heavily censored areas, like China. [8]
  • Onioncircuits are installed by default in Whonix. [9]
  • Tails’ onion-grater program has been implemented to enable OnionShare, Ricochet and Zeronet compatibility with Whonix. [10]
  • Onion sources are now preferred for Whonix updates/upgrades for greater security.
  • Reduced the size of the default, binary Whonix images by approximately 50 per cent using zerofree. [11] [12]
  • Updated Tor to version 3.3.9 (stable) release to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser.
  • Created the grub-live package [13] which can run Whonix as a live system on non-Qubes-Whonix platforms. [14]
  • Corrected and hardened various AppArmor profiles to ensure the correct functioning of Tor Browser, obfsproxy and other applications.

New in Whonix 8.6.2.8 (Aug 30, 2014)

  • Modding Whonix, extending Whonix, such as installing a different desktop environment, is now much simpler, because Whonix has been split into smaller packages (https://github.com/Whonix/Whonix/issues/40). This also makes Whonix internals easier to understand.
  • added experimental libvirt (kvm, qemu) support
  • Breaking change: Changed Whonix-Gateway internal IP address to 10.152.152.10 and netmask to 255.255.192.0 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
  • Breaking change: Changed Whonix-Workstation internal IP address to 10.152.152.11, netmask to 255.255.192.0 and gateway to 10.152.152.10 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
  • use logrotate for bootclockrandomization, sdwdate, control-port-filter, timesanitycheck
  • sdwdate now uses the median instead of average
  • fixed timezone question during upgrade for Whonix build version 9 and above
  • added apt-transport-https to anon-shared-packages-dependencies
  • encrypt swapfile on boot with random password, create swap file on boot using init script instead of postinst script
  • added openvpn to anon-shared-packages-recommended
  • sdwdate implemented options --no-move-forward and --no-move-backwards (disabled by default)
  • sdwdate implemented option to update hardware clock --systohc (disabled by default)
  • Whonix-Gateway firewall: reject invalid outgoing packets
  • added spice-vdagent to anon-shared-packages-recommended for better kvm support
  • providing xz archives with sparse .qcow2 images
  • build script: improved error handling; when an error is detected, wait until the builder presses enter before cleanup and exit, to make error messages easier to read when building in the CLI
  • ram adjusted desktop starter: fixed lightdm (/usr/sbin/…) auto detection
  • Physical Isolation: automated 'Install Basic Packages' ('sudo apt-get install $(grep -vE "^\s*#" grml_packages | tr "\n" " ")') build step
  • verifiable builds: now using fixed disk identifiers to make verification easier
  • build script: added support for --vram, --vmram, --vmsize switches
  • whonixcheck: increased Tor socks port reachability test timeout from 5 to 10 as per https://www.whonix.org/forum/index.php/topic,129.0.html
  • Changed keyserver (suggested by tempest @ https://www.whonix.org/forum/index.php/topic,140.0.html) from hkp://2eghzlv2wwcq7u7y.onion to hkp://qdigse2yzvuglcix.onion as used by torbirdy and https://raw.github.com/ioerror/torbirdy/master/gpg.conf.
  • Whonix-Gateway: Re-enabled AppArmor for System Tor. Removed workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 (USE_AA_EXEC="no") by removing Whonix's displaced (config-package-dev) /etc/default/tor since that bug has been fixed upstream.
  • build script: whonix_build now acts differently for the --clean option depending on --virtualbox, --qcow2 and --bare-metal
  • removed Whonix’s grml-debootstrap fork, because Whonix’s patches were merged upstream
  • bootclockrandomization: randomizing milliseconds
  • update-torbrowser: break when endless data attack is detected (max file size 100 mb for torbrowser, 1 mb for other files)
  • Whonix-Workstation: added password manager fpm2 as per https://www.whonix.org/forum/index.php/topic,187.15.html
  • removed --onion feature from update-torbrowser and its man page because torproject took its .onion domain permanently offline (https://trac.torproject.org/projects/tor/ticket/11567); thanks go to z (https://www.whonix.org/forum/index.php?action=profile;u=94) for the report (https://www.whonix.org/forum/index.php/topic,277.msg1827.html#msg1827)
  • help_check_tor_bootstrap.py:
    – suggestions by Damian Johnson from https://lists.torproject.org/pipermail/tor-dev/2014-May/006799.html and https://lists.torproject.org/pipermail/tor-dev/2014-May/006804.html
    – troubadour advised on implementation https://www.whonix.org/forum/index.php/topic,278.0
    – controller.authenticate("password") isn't required, controller.authenticate() works
    – more robust method to parse Tor bootstrap percent
  • removed obsolete whonix_gateway/usr/bin/armwrapper (user “user” is now member of group “debian-tor”, so no longer required to start arm as user “debian-tor”)
  • removed backgroundd, was replaced by gateway first run notice https://www.whonix.org/forum/index.php?topic=207
  • added machine readable copyright files
  • build script: Renamed "img" to "raw", because "img" was a poor name for raw images.
  • build script: made variables overridable by build config
  • build script: set DEBUILD_LINTIAN_OPTS to "--info --display-info --show-overrides --fail-on-warnings", to show more verbose lintian output and to break the build should lintian find an error such as a syntax error in a bash script
  • build script: Workaround for a bug in kpartx, which fails to delete the loop device when using very long file names as per https://www.redhat.com/archives/dm-devel/2014-July/msg00053.html
  • better output, better formatting, clickable links, thanks to https://github.com/troubadoour for working on msgcollector
  • kde-kgpg-tweaks: added gnupg-agent to dependencies because we're using it in the config and because otherwise kgpg would complain about using use-agent while having no agent installed
  • Refined whonixlock.png. Thanks to nanohard (https://www.whonix.org/forum/index.php?action=profile;u=248) for the edit!
  • added apt-transport-https to anon-shared-packages-dependencies
  • added openvpn to anon-shared-packages-recommended
  • added network-manager-kde to anon-shared-desktop-kde
  • changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May/000018.html
  • control-port-filter: Added "lie feature", i.e. when asked "GETINFO net/listeners/socks", answer '250-net/listeners/socks="127.0.0.1:9150"'; configurable by the CONTROL_PORT_FILTER_LIMIT_GETINFO_NET_LISTENERS_SOCKS variable. Enabled by default.
  • control-port-filter: Limit maximum accepted command string length to 128 (configurable) as done by Tails (https://mailman.boum.org/pipermail/tails-dev/2014-February/005041.html). Thanks to HulaHoop (https://www.whonix.org/forum/index.php?action=profile;u=87) for suggesting this (https://www.whonix.org/forum/index.php/topic,342.0.html).
  • control-port-filter: added GETINFO status/circuit-established to whitelist
  • whonixcheck / timesync / update-torbrowser: correct exit codes on signal sigterm and sigint
  • sdwdate: no more clock jumps. Gradually adjust the clock as NTP does. Sclockadj has been written by Jason Ayala ([email protected]) (@JasonJAyalaP), https://github.com/Whonix/Whonix/issues/169
    – Sclockadj helps sdwdate gradually adjust the clock instead of producing clock jumps, which can confuse Tor, i2p, servers, logs and more.
    – It can add/subtract any amount of nanoseconds.
    – It supports waiting an interval of min/max nanoseconds between iterations, which will be randomized if min/max differ.
    – It supports slewing the time for min/max nanoseconds, which will be randomized if min/max differ.
    – It supports waiting before its first iteration.
    – It can run either verbose or quiet.
    – It supports either really changing the time or running in debug mode.
  • sdwdate: use median instead of average as suggested in https://www.whonix.org/forum/index.php/topic,267.0.html
  • whonixcheck: don't check just whether Tor is fully bootstrapped, also check whether Tor was actually able to create a circuit.
  • added VPN_FIREWALL feature to Whonix-Gateway's firewall (https://www.whonix.org/blog/testers-wanted-vpn-firewall, https://www.whonix.org/wiki/Next#Tunnel_Tor_through_VPN)
  • Whonix-Firewall: make variables overridable via the /etc/whonix_firewall.d config folder
  • Whonix-Firewall: renamed variable NON_TOR_WHONIXG to NON_TOR_GATEWAY
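As an added illustration of the control-port-filter behaviour listed above (the command whitelist, the 128-character length limit, and the GETINFO net/listeners/socks "lie feature"), here is a small Python model. It is not Whonix's own control-port-filter code; the whitelist contents beyond the GETINFO entries named on this page, the reply strings for filtered commands, and the function names are this example's assumptions.

```python
"""Illustrative model of a Tor control-port filter (example code, not
Whonix's control-port-filter). It applies, in order: a maximum accepted
command length, the "lie feature" for GETINFO net/listeners/socks, and a
whitelist of commands that are forwarded to the real control port."""

MAX_COMMAND_LENGTH = 128          # limit named in the changelog
LIMIT_GETINFO_NET_LISTENERS_SOCKS = True   # the "lie feature" switch
# Reply a client gets instead of Tor's real listener list. Note the
# space before 250 OK: Tor ends each multi-line reply with "250 OK".
FAKE_SOCKS_REPLY = b'250-net/listeners/socks="127.0.0.1:9150"\r\n250 OK\r\n'

# Commands allowed through unchanged. The page names the GETINFO
# status/* entries; the rest of this set is an assumption for the demo.
WHITELIST = {
    "GETINFO status/circuit-established",
    "GETINFO status/bootstrap-phase",
    "SIGNAL NEWNYM",
}

def normalize(raw: bytes) -> str:
    """Decode one client line and collapse whitespace so that
    'GETINFO   status/bootstrap-phase' matches the whitelist entry."""
    return " ".join(raw.decode("ascii", errors="replace").split())

def filter_command(raw: bytes, forward) -> bytes:
    """Return the reply for one raw client line.

    `forward` is a callable that sends an allowed command to the real
    control port and returns its reply; injecting it lets the filter
    be exercised without a running Tor daemon."""
    if len(raw) > MAX_COMMAND_LENGTH:
        # Oversized input is dropped before any parsing (Tails-style limit).
        return b"510 Command rejected: too long\r\n"
    cmd = normalize(raw)
    # Lie about the SOCKS listener so the client cannot learn where Tor
    # really listens; the real answer would reveal gateway internals.
    if LIMIT_GETINFO_NET_LISTENERS_SOCKS and cmd.upper() == "GETINFO NET/LISTENERS/SOCKS":
        return FAKE_SOCKS_REPLY
    if cmd in WHITELIST:
        return forward(cmd.encode("ascii") + b"\r\n")
    # Everything not explicitly allowed is refused, not forwarded.
    return b"510 Command rejected: not whitelisted\r\n"

def demo_forward(line: bytes) -> bytes:
    """Stand-in for the real control port: answers every forwarded
    command with a plain 250 OK (constructed for this example)."""
    return b"250 OK\r\n"
```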

New in Whonix 7 (Nov 4, 2013)

  • This version adds several improvements.

New in Whonix 0.5.6 (Apr 8, 2013)

  • This version fixes a timezone bug which prevented Tor from connecting in some cases.