Whonix Changelog

New in version 8.6.2.8

August 30th, 2014
  • Modifying or extending Whonix, such as installing a different desktop environment, is now much simpler because Whonix has been split into smaller packages (https://github.com/Whonix/Whonix/issues/40). This also makes Whonix internals easier to understand.
  • added experimental libvirt (kvm, qemu) support
  • Breaking change: Changed Whonix-Gateway internal IP address to 10.152.152.10 and netmask to 255.255.192.0 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
  • Breaking change: Changed Whonix-Workstation internal IP address to 10.152.152.11, netmask to 255.255.192.0 and gateway to 10.152.152.10 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
  • use logrotate for bootclockrandomization, sdwdate, control-port-filter, timesanitycheck
  • sdwdate now uses the median instead of average
  • fixed timezone question during upgrade for Whonix build version 9 and above
  • added apt-transport-https to anon-shared-packages-dependencies
  • encrypt swapfile on boot with random password, create swap file on boot using init script instead of postinst script
  • added openvpn to anon-shared-packages-recommended
  • sdwdate implemented options --no-move-forward and --no-move-backwards (disabled by default)
  • sdwdate implemented option to update hardware clock --systohc (disabled by default)
  • Whonix-Gateway firewall: reject invalid outgoing packets
  • added spice-vdagent to anon-shared-packages-recommended for better kvm support
  • providing xz archives with sparse .qcow2 images
  • build script: improved error handling; when an error is detected, wait until the builder presses enter before cleanup and exit, so that error messages are easier to read when building in the CLI
  • ram adjusted desktop starter: fixed lightdm (/usr/sbin/…) auto detection
  • Physical Isolation: automated 'Install Basic Packages' ('sudo apt-get install $(grep -vE "^\s*#" grml_packages | tr "\n" " ")') build step
  • verifiable builds: now using fixed disk identifiers to make verification easier
  • build script: added support for --vram, --vmram, --vmsize switches
  • whonixcheck: increased Tor socks port reachability test timeout from 5 to 10 as per https://www.whonix.org/forum/index.php/topic,129.0.html
  • Changed keyserver (suggested by tempest @ https://www.whonix.org/forum/index.php/topic,140.0.html) from hkp://2eghzlv2wwcq7u7y.onion to hkp://qdigse2yzvuglcix.onion as used by torbirdy and https://raw.github.com/ioerror/torbirdy/master/gpg.conf.
  • Whonix-Gateway: Re-enabled AppArmor for System Tor. Removed workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 (USE_AA_EXEC="no") by removing Whonix’s displaced (config-package-dev) /etc/default/tor since that bug has been fixed upstream.
  • build script: whonix_build now acts differently for --clean option depending on --virtualbox, --qcow2 and --bare-metal
  • removed Whonix’s grml-debootstrap fork, because Whonix’s patches were merged upstream
  • bootclockrandomization: randomizing milliseconds
  • update-torbrowser: break when endless data attack is detected (max file size 100 mb for torbrowser, 1 mb for other files)
  • Whonix-Workstation: added password manager fpm2 as per https://www.whonix.org/forum/index.php/topic,187.15.html
  • removed --onion feature from update-torbrowser and its man page because torproject took its .onion domain permanently offline (https://trac.torproject.org/projects/tor/ticket/11567); thanks to z (https://www.whonix.org/forum/index.php?action=profile;u=94) for the report (https://www.whonix.org/forum/index.php/topic,277.msg1827.html#msg1827)
  • help_check_tor_bootstrap.py:
      - suggestions by Damian Johnson from https://lists.torproject.org/pipermail/tor-dev/2014-May/006799.html and https://lists.torproject.org/pipermail/tor-dev/2014-May/006804.html
      - troubadour advised on implementation https://www.whonix.org/forum/index.php/topic,278.0
      - controller.authenticate("password") isn’t required, controller.authenticate() works
      - more robust method to parse Tor bootstrap percent
  • removed obsolete whonix_gateway/usr/bin/armwrapper (user “user” is now member of group “debian-tor”, so no longer required to start arm as user “debian-tor”)
  • removed backgroundd, was replaced by gateway first run notice https://www.whonix.org/forum/index.php?topic=207
  • added machine readable copyright files
  • build script: Renamed “img” to “raw”, because “img” was a poor name for raw images.
  • build script: made variables overridable by build config
  • build script: set DEBUILD_LINTIAN_OPTS to "--info --display-info --show-overrides --fail-on-warnings", to show more verbose lintian output and to break the build should lintian find an error such as a syntax error in a bash script
  • build script: Workaround for a bug in kpartx, which fails to delete the loop device when using very long file names as per https://www.redhat.com/archives/dm-devel/2014-July/msg00053.html
  • better output, better formatting, clickable links, thanks to https://github.com/troubadoour for working on msgcollector
  • kde-kgpg-tweaks: added gnupg-agent to dependencies because we’re using it in the config and because otherwise kgpg would complain about using use-agent while having no agent installed
  • Refined whonixlock.png. Thanks to nanohard (https://www.whonix.org/forum/index.php?action=profile;u=248) for the edit!
  • added network-manager-kde to anon-shared-desktop-kde
  • changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May/000018.html
  • control-port-filter: Added “lie feature”, i.e. when getting asked "GETINFO net/listeners/socks" answer '250-net/listeners/socks="127.0.0.1:9150"'; configurable by CONTROL_PORT_FILTER_LIMIT_GETINFO_NET_LISTENERS_SOCKS variable. Enabled by default.
  • control-port-filter: Limit maximum accepted command string length to 128 (configurable) as done by Tails (https://mailman.boum.org/pipermail/tails-dev/2014-February/005041.html). Thanks to HulaHoop (https://www.whonix.org/forum/index.php?action=profile;u=87) for suggesting this (https://www.whonix.org/forum/index.php/topic,342.0.html).
  • control-port-filter: added GETINFO status/circuit-established to whitelist
  • whonixcheck / timesync / update-torbrowser: correct exit codes on signal sigterm and sigint
  • sdwdate: no more clock jumps. Gradually adjust clock as NTP does. Sclockadj has been written by Jason Ayala (Jason@JasonAyala.com) (@JasonJAyalaP), see https://github.com/Whonix/Whonix/issues/169
      - Sclockadj helps sdwdate gradually adjust the clock instead of producing clock jumps, which can confuse Tor, i2p, servers, logs and more.
      - It can add/subtract any amount of nanoseconds.
      - It supports waiting an interval of min/max nanoseconds between iterations, which will be randomized if min/max differs.
      - It supports slewing the time for min/max nanoseconds, which will be randomized if min/max differs.
      - It supports waiting before its first iteration.
      - It can run either verbose or quiet.
      - It supports either really changing the time or running in debug mode.
  • sdwdate: use median instead of average as suggested in https://www.whonix.org/forum/index.php/topic,267.0.html
  • whonixcheck: don’t check just if Tor is fully bootstrapped, also check if Tor was actually able to create a circuit.
  • added VPN_FIREWALL feature to Whonix-Gateway’s firewall https://www.whonix.org/blog/testers-wanted-vpn-firewall – https://www.whonix.org/wiki/Next#Tunnel_Tor_through_VPN
  • Whonix-Firewall: made variables overridable via the /etc/whonix_firewall.d config folder
  • Whonix-Firewall: renamed variable NON_TOR_WHONIXG to NON_TOR_GATEWAY
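
The three control-port-filter entries above (length limit, whitelist, "lie feature") combine into one decision per incoming command. The sketch below is an added example, not Whonix's own code: the function name decide, the reject reply text and the SIGNAL NEWNYM whitelist entry are assumptions; the 128 limit, the whitelisted GETINFO key and the canned socks reply are taken from the changelog.

```python
# Added illustration of the control-port-filter policy; not Whonix's code.
MAX_COMMAND_LENGTH = 128                  # limit from the changelog (configurable)
LIMIT_GETINFO_NET_LISTENERS_SOCKS = True  # the "lie feature" toggle
LIE_QUERY = "GETINFO net/listeners/socks"
LIE_REPLY = '250-net/listeners/socks="127.0.0.1:9150"'  # line quoted in the changelog
REJECT_REPLY = "510 Command filtered"     # constructed reply text (assumption)

# Only the GETINFO entry is named in the changelog; SIGNAL NEWNYM is an
# assumed second entry for illustration.
WHITELIST = {"GETINFO status/circuit-established", "SIGNAL NEWNYM"}


def decide(raw: bytes):
    """Return (action, text); action is 'reject', 'answer' or 'forward'."""
    # Length is checked on the raw bytes, before any parsing happens.
    if len(raw) > MAX_COMMAND_LENGTH:
        return ("reject", REJECT_REPLY)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("reject", REJECT_REPLY)
    # One command per request: an embedded line break would smuggle a
    # second, unchecked command past the whitelist.
    body = text.rstrip("\r\n")
    if "\r" in body or "\n" in body:
        return ("reject", REJECT_REPLY)
    parts = body.split()
    if not parts:
        return ("reject", REJECT_REPLY)
    # Keyword is matched case-insensitively, arguments exactly.
    command = " ".join([parts[0].upper()] + parts[1:])
    # Answer locally so the client never learns the real listener address.
    if LIMIT_GETINFO_NET_LISTENERS_SOCKS and command == LIE_QUERY:
        return ("answer", LIE_REPLY)
    if command in WHITELIST:
        return ("forward", command)
    return ("reject", REJECT_REPLY)


# Constructed sample requests, not captured traffic.
SAMPLES = [b"GETINFO status/circuit-established\r\n",
           b"getinfo net/listeners/socks\r\n",
           b"GETINFO address\r\n",
           b"SIGNAL NEWNYM\r\nGETINFO address\r\n",
           b"GETINFO " + b"a" * 200 + b"\r\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], "->", decide(sample))
```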

New in version 7 (November 4th, 2013)

  • This version adds several improvements.

New in version 0.5.6 (April 8th, 2013)

  • This version fixes a timezone bug which prevented Tor from connecting in some cases.