{{Header}}
{{title|title=
ToDo for Developers
}}
{{#seo:
|description=TODO
}}
{{devwiki}}
{{intro|
TODO
}}
= TODO DEV =
== investigate Debian Rolling ==
* investigate why Debian Rolling initiative failed
** From initial research:
*** Lots of disagreement about how exactly to implement it, although https://lists.debian.org/debian-devel/2011/05/msg00275.html had a very large amount of positive feedback compared to other proposals
**** See also DEP-10 (https://dep-team.pages.debian.net/deps/dep10/) which is somewhat orthogonal but related
*** Limited manpower, no one appears to have tried to actually do it
*** Need to cope with the activity occurring in Debian's unstable and testing repositories, which have some turbulence and can cause issues if one isn't careful
*** Likely worth trying to resurrect
* contact people involved previously, if that makes sense
* suggest prospective developers
* Started to write tooling for this: https://github.com/ArrayBolt3/drk Very incomplete, nowhere near usable. Will keep developing this.
== ISO - GRUB - silence cosmetic errors in live ISO GRUB ==
* Earlier attempts to fix cosmetic errors in GRUB failed, since they introduced bugs into the live-build-provided boot screen.
* Investigate how to fix this, potentially make an upstream feature request or patch if needed
* Errors include loadfont issues, Secure Boot loading issues
== calamares - make 3.3.12 available in Bookworm ==
* necessary to fix bugs related to the disk encryption user interface
* Sid and Trixie are still at 3.3.9, does maintainer need help packaging 3.3.12?
** Maintainer uploaded 3.3.12 to Sid, should migrate to Testing relatively soon.
** 3.3.11 was hung up on calamares-extensions 3.3.1, and while calamares-extensions 3.3.11 is technically available, a real release of it hasn't been made. Pinged the Calamares devs to see if they could do that, after than I'll ping the Debian Qt/KDE team to get them to package it and that should release calamares into Trixie.
* Backport 3.3.12 after it is available in Trixie
== boot modes wiki page review ==
* [[Dev/boot_modes]] has been updated
* Please review.
* Ideas for chapter [[Dev/boot_modes#Server_Support|Server Support]], and
* chapter [[Dev/boot_modes#Todo|Todo]]?
* Related to upcoming tasks run0, sudoless, doas.
* I do not believe we should be implementing opt-out by having the user uninstall or delete things. Instead, let's provide a "Classic" option that the user can select at the boot menu, and provide guidance on modifying the default boot option.
** Patrick: The "classic" option would be confusing in the boot menu. Better to make user-admin-split package uninstallable: dummy-dependency user-admin-split
*** Aaron: Sounds good.
* Do we really want a recovery mode admin option? We specifically wanted to get rid of easy recovery mode access elsewhere.
** Patrick: Wiki was outdated on that. Recovery mode can stay disabled. Wiki has been updated to remove recovery mode.
* Server support can be handled by changing the default boot entry using grub-set-default most likely.
** Patrick: This would mean to boot the server always into admin mode? In that case, perhaps better to go back to "classic"?
*** Aaron: Yes, and that's included in the dummy-dependency user-admin-split plan, so that's what we can do. Perhaps kicksecure-host-cli should use "classic" mode by default and kicksecure-host-xfce should use "user-admin-split" by default?
* We need to choose what the default, topmost boot entry will become. Should that be "PERSISTENT mode User"?
** Patrick: Yes.
* We may want to prepend "Kicksecure" to all of these boot menu entries for clarity as to which operating system is which. For Whonix, we can prepend "Whonix" to the boot menu entries.
** Patrick: Yes.
== investigate dracut-config-rescue ==
* https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487/8
* https://packages.debian.org/bookworm/dracut-config-rescue
cat /etc/dracut.conf.d/20-rescue.conf
dracut_rescue_image="yes"
* related to https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724?
* TODO: good to keep or should be omitted?
== Qubes umask ticket ==
* /etc/sudoers.d/umask
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
== investigate sudoless ==
* https://github.com/secureblue/secureblue/releases/tag/v4.2.0
* https://www.kicksecure.com/wiki/Dev/secureblue#sudoless
* Could we go sudoless by default?
* sudo no longer readable/executable by user user should be equally good or better as sudoless? sudo SUID issues would not be a problem if user user cannot execute sudo anymore? Only user admin would be allowed to execute sudo.
* In case going "sudoless" (actually similar to sudoless), it would not even be required to port to either run0 or doas?
* This would require finding solutions for existing sudoers.d exceptions. This is can be drafted on the [[Dev/sudo]] wiki page.
* Sudoless desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/sudoless Ready for merge whenever desirable.
** Patrick: Was merged.
* '''WIP''' Persistent admin mode:
** Currently missing separate user account support!
** grub-live: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/sudoless Adds an admin mode boot entry.
*** This may be the wrong package to put this in, do we want a new package for this?
**** Patrick: grub configuration looks good but requires dedicated package.
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sudoless Actually implements the permissions changes for user and admin modes.
*** Patrick: Does not really? Does not belong into security-misc. Dedicated package required.
== investigate porting from sudo to doas ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482
* can our /etc/sudoers.d snippets be ported to doas? is doas powerful enough for our requirements based on our already existing /etc/sudoers.d snippets?
* could we have a system that no longer requires sudo or would we end up with a system that comes with both, sudo and doas? ("double" attack surface)
* use ReplaceText as a wiki search engine to find our current uses of sudo because these would need to be ported to doas
** https://www.kicksecure.com/wiki/Special:ReplaceText
** https://www.whonix.org/wiki/Special:ReplaceText
** search terms:
** sudo
** lxsudo
* Ensure sudoers.d config files used in Kicksecure and Whonix on Qubes OS can be ported to doas
* Did an audit of all uses of sudo in kickseure and whonix codebases, and how difficult they should be to port to doas. Results: https://gist.github.com/ArrayBolt3/6699ec4c631fec28e1f4c0a2e657fcd7
== doas - send pull requests to Qubes ==
* [[Dev/todo#Qubes_doas_ticket|Qubes doas ticket]] might be unlikely to get rejected. But replies could take a while.
* Please send a pull requests. Since it is only 2 packages, 3 files the wasted effort if this gets rejected might be low enough?
qubes-core-agent: /etc/sudoers.d/qt_x11_no_mitshm
qubes-core-agent: /etc/sudoers.d/umask
qubes-input-proxy-sender: /etc/sudoers.d/qubes-input-trigger
== create /usr/local/etc/doas.d /etc/doas.d parser and /etc/doas.conf configuration file creator ==
* parse /usr/local/etc/doas.d
* parse /etc/doas.d
* parse only configuration files ending with .conf
* do not overwrite a file that does not contain our auto generated configuration file (could be user custom file)
** echo a warning in that case
* atomic, create variable then use sponge
* add to security-misc
* add a dpkg trigger
* /etc/doas.conf would require a header pointing out it is auto-generated.
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
## This file was auto generated by '$BASH_SOURCE' at APT package installation time (a dpkg trigger).
== doas - add to security-misc permission hardener whitelist ==
* todo
== doas - create /etc/doas.d configuration snippets ==
* add /etc/doas.d configuration snippets to the various packages needing these
* if possible, pending discussion in https://forums.whonix.org/t/replace-sudo-with-doas/17482/19 for review of sudoers.d snippets by upstream
== audio ==
=== audio generally ===
* https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/40
* please read, comment if something useful to share
=== VirtualBox Intel HD Audio and PipeWire Incompatibility / Audio broken after increasing ram to 5 GB / No sound after latest updates - PipeWire Bug? ===
* https://forums.whonix.org/t/virtualbox-intel-hd-audio-and-pipewire-incompatibility-audio-broken-after-increasing-ram-to-5-gb-no-sound-after-latest-updates-pipewire-bug/18211
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081965
* please investigate if doable with reasonable effort
* Tried switching between Pulseaudio and Pipewire on a booted VM, discovered I could "initialize" the speakers with Pulseaudio and then Pipewire would work thereafter
* Virtually certain this is an upstream bug, was able to reproduce with both Ubuntu 24.04 and Arch Linux.
* Suggest switching to AC97 audio (even Arch Linux defaults to this under Virtualbox).
* Need to investigate upstream code
* Could not get any meaningful hints from pipewire, wireplumber, and pipewire-pulse logs. Pulseaudio shows an "alsa woke us up to write new data to the device but there was actually nothing to write" error in its logs. At this point this is likely to be a bug in VirtualBox or the snd-hda-intel kernel driver.
== live-build - test lb config --dm-verity ==
* Does the ISO still function if build with lb config --dm-verity?
* Does it break apt-get install pkg-name? It might not break it due to overlayfs.
* Lacks live-build support when used with dracut:
** lb config won't even run if you try to enable verity and dracut at the same time, unless you override live-build by commenting that sanity check out
** The ISO won't build initially because the dm-verity building code is trying to find the live filesystem in the wrong location
** dracut isn't configured to include systemd-veritysetup-generator, needed for verifying the root FS in the first place
** No kernel command line options are added to the ISO for verity setup
== user admin split ==
* [[Dev/boot modes]]
== Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server ==
* https://github.com/Kicksecure/security-misc/issues/187
* This is in preparation for the next task.
* Discussion on how best to do this posted at https://forums.kicksecure.com/t/splitting-security-misc-into-shared-desktop-and-server-packages/674
== Kicksecure Firewall ==
https://forums.kicksecure.com/t/kicksecure-firewall/378/10
== Meta Packages, Kicksecure, Whonix - Desktop versus Server ==
https://forums.kicksecure.com/t/meta-packages-kicksecure-desktop-versus-kicksecure-server/415
== Secure Mount Options for better Security Hardening ==
* review discussions, wiki
* comment
* improve the solutions research
* https://www.kicksecure.com/wiki/Dev/remount-secure
* https://www.kicksecure.com/wiki/Noexec
* https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
== wipe video RAM ==
* add wipe video RAM support to [[ram-wipe]]
* maybe based on https://wiki.archlinux.org/title/Swap_on_video_RAM
* maybe also based on https://github.com/divestedcg/Brace/blob/master/brace/etc/profile.d/brace-env-overrides.sh
# zero video RAM to prevent leakage
# see (CC BY-SA 4.0): https://www.adlerweb.info/blog/2012/06/20/nvidia-x-org-video-ram-information-leak
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
* if doable with reasonable effort
== Tor 0.4.8.9 broken in combination with vanguards ==
* https://gitlab.torproject.org/tpo/core/tor/-/issues/40892
* write a script to use git bisect to auto test which commit introduced this issue maybe based on https://forums.whonix.org/t/vanguards-additional-protections-for-tor-onion-services/8064/64
* if not done by upstream yet
* if doable with reasonable effort
== VirtualBox serial console ==
* {{CodeSelect|inline=true|code=
sudo apt install serial-console-enable
}}
* [[Recovery#Serial_Console|Serial Console]]
* causes bug (spam of journal)
* https://forums.whonix.org/t/serial-console-in-virtualbox/8021/13
* fixable? upstream bug report?
== KVM related ==
=== KVM - 3D Graphics Acceleration - SPICE - Testing - drm ===
* please test: https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* please mention your configuration (still using SPICE), quote Patrick and report here: https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display SDL ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test SDL
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
=== KVM - 3D Graphics Acceleration - Performance Test - Display GDK ===
* https://forums.whonix.org/t/how-to-enable-3d-acceleration-in-kvm/16501/22
* test GTK
* test if DRM (direct rendering manager) is enabled as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_drm
* test performance as per https://www.whonix.org/wiki/KVM#3D_Graphics_Acceleration_-_Testing_-_Performance
== machine-id research ==
* in preparation for the next task
* please read prior discussions
* https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
* https://forums.whonix.org/t/revisit-handling-of-var-lib-dbus-machine-id/18827
* https://forums.whonix.org/t/anonymize-etc-machine-id/7721
* https://gitlab.tails.boum.org/tails/tails/-/issues/7100
* nowadays implemented in dist-base-files
** ./packages/kicksecure/dist-base-files/var/lib/dbus/machine-id
** ./packages/kicksecure/dist-base-files/etc/machine-id
* but maybe needs to be moved back to anon-base-files when porting to Debian trixie? (hard to migrate within the same release codename)
* The machine-id files should not be shipped by a package. They are intended to be generated, not hardcoded, thus Debian's code is probably not going to cope well when a package ships these files. Case in point, live-build deleting them to avoid machines with duplicate IDs in the wild, when we want machines with duplicate IDs in the wild.
* Calamares is designed to write the machine-id files at instalation time. It has a dedicated module for this purpose. However, it does not permit specifying a hardcoded machine-id other than a literal "uninitialized" value or an empty file. So we will have to resort to using a shellprocess for Whonix-Host that will detect when Whonix is in use, and overwrite the machine-id files with a static machine-id. Calamares is the proper location to do this at IMO, since it's designed for this, systemd's docs suggest using the installer for this, and I fear we could run into problems trying to do this on first boot with a systemd unit.
** Patrick: Please implement.
** Patrick: Note, Whonix VMs are built using grml-debootstrap. While using a package to handle these files might be the wrong way. Whonix VMs still need these.
== check out bubblejail ==
* https://github.com/igo95862/bubblejail
* in preparation for next task
== sandbox-app-launcher ==
* [[sandbox-app-launcher]]
* review
* promising? worth bringing back to life, polishing?
* at odds with apparmor.d?
* better using bubblejail?
== automated test suite - cli version ==
* todo: discuss
== apparmor.d review ==
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
** review
* https://github.com/roddhjav/apparmor.d/issues?q=is%3Aissue+author%3Aadrelanos
** check ticket status
* lightweight security review
** conceivable or too much effort?
== apt-get - implement --restrict-install-recommends proof of concept ==
* todo
= WAITING ON =
== ISO - memtest86+ ==
error: bad shim signature
* Fixable?
* Apparently requires a security review: https://github.com/rhboot/shim-review/issues/314
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032375
* Asked about what contributions would allow this to move forward on the debian-efi mailing list
== test SysRq keys under LXQt Wayland ==
* ensure SysRq+unraw, SysRq+k behave as expected in context of [[Login spoofing]]
* Has issues, wlroots bug reported at https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3930
== ISO - btrfs versus grub-live bug - real fix ==
* todo
* report bug upstream
* systemd bug report: https://github.com/systemd/systemd/issues/35540
* fix in dracut
** Cannot be fixed in dracut, dracut doesn't handle mounting /home. Instead opting to fix in grub-live.
** Might use kernel parameters using systemd features that may be available in trixie?
== ISO - changed files issues ==
(annoted)
+ debsums --silent
debsums: changed file /usr/sbin/sources-media (from calamares-settings-debian package) - issue for future verified boot
debsums: missing file /var/lib/dbus/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
+ debsums --config --silent
debsums: changed file /etc/calamares/modules/unpackfs.conf (from calamares-settings-debian package) - issue for future verified boot
debsums: changed file /etc/cryptsetup-initramfs/conf-hook (from cryptsetup-initramfs package) - issue for future verified boot
debsums: changed file /etc/machine-id (from dist-base-files package) - issue for Whonix-Host, non-ideal for Kicksecure but not a blocker
* All of these are modified by live-build itself:
** /usr/sbin/sources-media is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO apt repo when dracut is in use (the location is different when initramfs-tools is used). The need for this could potentially be removed by modifying the sources-media script to autodetect the correct location, though this requires upstream to be receptive to the idea.
*** Please discuss upstream. Since there is already some sort of dm-verity support in upstream live-build (scripts/build/binary_dm-verity), upstream might be receiptive.
**** Feature request filed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089618
** /var/lib/dbus/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot, which has a note in it as follows: "This removes dbus machine id that cache that makes each system unique." This seems important and I can't think of an obvious way to avoid needing to do this. My Kicksecure VMs appear to have machine IDs, but it's unclear how they're being generated originally, so it may be worth enabling the machineid module in our Calamares configuration to ensure that the machine ID is properly generated.
*** See also: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Identifiers_Design_Goals
*** TODO: Discuss.
**** Proposal for fixing this made.
** /etc/calamares/modules/unpackfs.conf is modified by live-build/share/hooks/normal/5050-dracut.hook.chroot so that it points to the proper location of the on-ISO squashfs containing the operating system. Again, the location is different when initramfs-tools is used. This is a "hardcoded" configuration file, there isn't a way to add autodetection logic here. It might be possible to make a pull request to Calamares that would allow it to skip squashfses that didn't exist?
*** Yes, please discuss upstream.
**** Feature request filed: https://github.com/calamares/calamares/issues/2409
** /etc/cryptsetup-initramfs/conf-hook is modified by live-build/share/hooks/normal/1010-enable-cryptsetup.hook.chroot, where it is used to enable cryptsetup in initramfs-tools. Assuming this isn't legacy configuration, this seems important and I can't think of an obvious way to avoid needing to do this. Might be worth testing to see if this is still necessary though.
*** Yes, please.
**** Bug report made: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089624
** /etc/machine-id is deleted by live-build/share/hooks/normal/8020-remove-dbus-machine-id.hook.chroot. Has a very similar note to the other machine ID deletion hook. Same concerns apply.
*** Proposal for fixing this made.
== ISO - Finish Module Action Follow-Up ==
* https://github.com/calamares/calamares/issues/2321
* please follow-up
* Followed up on Matrix, will follow up again soon on Github if I don't get a response.
* Was informed by Adriaan de Groot that the code is still unfinished, and also on his radar.
== lightdm ssdm ==
* bug report: https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/11
* cause of bug could be in rads or security-misc
* Unable to reproduce bug, request for more information at https://forums.kicksecure.com/t/kicksecure-inside-lmde-5/46/13
* More information received, need to retry this one more time
* Tested, finally managed to partially reproduce. Issue appears to be in SDDM.
* Debugging complete, bug report with fix filed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089004
== iso - calamares - Argon2id ==
* are we using Argon2id because it is a cryptsetup default?
* please follow-up if useful on these tickets
* https://github.com/calamares/calamares/issues/2127
* https://invent.kde.org/system/kpmcore/-/merge_requests/43
* We are currently using Argon2id, but only because it is the default in Debian's cryptsetup.
* Followed up at https://invent.kde.org/system/kpmcore/-/merge_requests/43#note_1084941. No follow up needed on the Calamares ticket, the choice of which version of LUKS to use is already configurable and there's a good reason for Calamares to not default to LUKS2 yet.
* Waiting on a response from the original MR creator. Will make an MR of my own if allowed or if the original author doesn't respond in a week or so.
== Qubes doas ticket ==
* feature request doas support for Qubes
* ask if Qubes would accept doas configuration snippets
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/22
* Ticket filed as an enhancement request: https://github.com/QubesOS/qubes-issues/issues/9599
== calamares - implement - Allow distros to restrict what filesystems can be used in manual partitioning ==
* https://github.com/calamares/calamares/issues/2397
* PR here: https://github.com/calamares/calamares/pull/2400 Awaiting full review from devs.
== live-build - add mmdebstrap support ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031932
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031929
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/370
== live-build - use APT with error-on-any ==
* use option apt --error-on=any for all invocations of apt-get (update)
* only needed for apt-get update, otherwise superfluous but non-issue
* this is a security feature
* this is to prevent inconsistent images that succeeded connecting to the "normal" repository but failed to connect to the security repository
* can be implemented using already existing live-build option --apt-options OPTION|"OPTIONS"?
* Requires a patch to live-build. Using --apt-options results in a build failure with E: Command line option --error-on=any is not understood in combination with the other options
* Patch written, submitted upstream as https://salsa.debian.org/live-team/live-build/-/merge_requests/371. New configuration option now used in my branch of live-build.
== security-misc - investigate PAM ==
* there is /etc/pam.d/sudo-i for interactive and /etc/pam.d/sudo
* pam has concepts of common-session-noninteractive vs common-session (non-interactive)
* how could we on the PAM level notice if faillock is used interactively or non-interactively?
* if non-interactive, skip faillock
* if interactive, do not skip faillock
* Bug reports:
** https://github.com/linux-pam/linux-pam/issues/842
** https://github.com/sudo-project/sudo/issues/415
== trixie port - meta packages ==
* implement [[Dev/Metapackages]] when porting to trixie
== review and test IPv6 support pull requests ==
* https://forums.whonix.org/t/add-ipv6-support/19893
* https://www.whonix.org/wiki/Dev/ipv6
* please review for Non-Qubes-Whonix, Qubes-Whonix
* goal: merge as much as doable/possible without breaking networking
* enabling IPv6 support in Qubes-Whonix might only be possible during release upgrade to trixie based and orchestration with Qubes
* Waiting for planned fixes to land in PRs.
== live-build - local repository support ==
* add support to build from local repository
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/369
== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as as Debian Live ISO)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
== live-build - lb-binary should not run apt-get update ==
* todo
* Bug filed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087470
* Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.
= REVIEW PLEASE =
== simple integrity check boot option ==
* not hidden under utilities
* simple hash check
* probably an existing dracut feature
* At ISO build time, a utility implantisomd5 (from the package isomd5sum) must be run on the built ISO to embed the md5 sum into it.
* Passing the kernel command line argument rd.live.check will trigger Dracut to run isomd5check to check the ISO's contents against this embedded md5 sum at boot time.
* Could add this to derivative-maker or live-build. Willing to implement wherever is preferred.
= ARCHIVED =
== ISO - GRUB - failing to boot after installation ==
* version 17.2.8.2
* environment VirtualBox, EFI, Secure Boot
* ISO is booting
* after installation, does not boot
* Secure Boot issue: functional after disabling Secure Boot
* Fixed: https://github.com/ArrayBolt3/derivative-maker/tree/master
== ISO - GRUB - cosmetic GRUB error message ==
* environment: VirtualBox + EFI + Secure Boot (might be reproducible elsewhere too)
error: prohibited by secure boot policy
* Turns out you can't load unsigned fonts when Secure Boot is enabled. It's possible that even the default unicode.pf2 font in GRUB is unsigned.
* Can't find an easy way to detect Secure Boot so that we can avoid running commands that will result in errors.
* There probably isn't an easy way to fix this, combining this into the "silence cosmetic errors" task.
== recovery mode disabling ==
* https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
* https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
* Done, but bootloader password still needs implemented. https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/no-recovery-mode
== ISO - GRUB boot menu - add timeout to live boot menu ==
* todo
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
== ISO - GRUB boot menu - utilities option does nothing ==
* tested where: inside Qubes OS VM
* is memtest missing on the ISO?
** Yes, it is. Adding it should fix this issue.
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
* note: increase RAM in Qubes VM to avoid dropping to CLI (no GUI). Full instructions are here: [[Qubes#ISO|Qubes, ISO]]
== ISO - GRUB boot options text - add version number ==
Kicksecure Live ISO 17.2.8.1 GNU/Linux
${dist_build_type_short_pretty} Live ISO ${dist_build_version} GNU/Linux
* remove: built
* remove: linux
* remove: live-build
* remove: live-config
* possible to use live-build-data/grub-config/splash.svg as a template, copy it to temporary folder (as usual? derivative-binary?) and adjust?
* reason: dist_build_version is the most important if user post screenshots with this. everything else adds confusion?
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
== ISO - GRUB boot menu cosmetic efi related error messages ==
* tested where: inside Qubes OS VM
* difficult to see unless recorded on video
error: file `/boot/grub/i386-pc/efi_gop.mod' not found.
error: file `/boot/grub/i386-pc/efi_uga.mod' not found.
* Debian bug for the core image? Got some search results:
site:debian.org error: file `/boot/grub/i386-pc/efi_gop.mod' not found.
* Maybe live-build fails to install a grub package?
* Side effect of no longer installing Debian-Installer?
** This is the result of fixing the missing font bug. If the unicode.pf2 font can be loaded, GRUB sets a static display resolution of 800x600 and attempts to load four different video drivers, two of which are the efi_gop.mod and efi_uga.mod drivers, and the other two of which are video_bochs and video_cirrus. If the font load fails, it allows the resolution to be automatically detected, and loads a driver called all_video. We're now ending up with the codepath involving the efi_gop and efi_uga drivers always hit since the font is now always found.
** Coincidentally, I noticed a bug where VMs with virtio graphics would not get a fancy graphical prompt, presumably because virtio is handled by the all_video driver and not the other four drivers.
** I think it would be best to just unconditionally use the all_video driver and autodetect resolution. The existing logic doesn't make sense to me, and because the font didn't even exist in the expected spot previously, we'd just be going back to the codepath we were hitting previously.
** After experimentation, this didn't work well at all. Went back to old GRUB config code from upstream with a note that it does not work. Fixing this will require more study to see how to get GRUB to not show cosmetic errors like this.
== ISO - btrfs versus grub-live bug - hotfix ==
* bug: btrfs is persistent in grub-live mode, while it should not be
* hotfix: please disable btrfs
* Hotfixed and merged into Kicksecure.
== derivative-maker git tag following ==
* to empower reviewers to follow changes from one tag to another
* as discussed
* TODO: a generic script to reviews any (nested) git submodules going from one tag (or commit) to another
** This turned out to be nearly impossible and definitely impractical.
* TODO: document this on [[Dev/git]]
* Discovered git diff --submodule=diff, which is useful
* Created sample script that provides difftool-like features with meld, and shared it with Patrick.
* Sent feature request / offer to contribute for git difftool --submodule=diff support in Git: https://lore.kernel.org/git/20241208030222.60e7ac70@kf-ir16/T/#u
* Found PatchViewer tool and documented use under [[Dev/git]]
== investigate run0 ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/28
* https://www.freedesktop.org/software/systemd/man/256/run0.html
* as alternative to doas
* does run0 abolish the need for [[Dev/boot modes]]?
** It does not, in fact its presence may make implementing the user/admin split difficult since it means systemd is providing a "backdoor" for running programs as root even without SUID bits being used.
*** Can be disabled using polkit config, change all auth options to no in the org.freedesktop.systemd1.manage-units section of /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
* Posted reasons to avoid use at https://forums.whonix.org/t/replace-sudo-with-doas/17482/29
== grub-live debian control best practices ==
* please review, improve
* https://github.com/Kicksecure/grub-live/blob/master/debian/control
* Should grub-live Depends: grub-live-dracut | grub-live-initramfs-tools?
** The existing setup seems fine to me. It is unfortunate that Debian lacks the ability to specify a group of packages in a dependency declaration, as the existing structure seems like an awful lot of work to depend on either dracut, or live-boot + live-tools. But, it works, and it seems to me like the best way to do this given Debian's limitations and structure.
== ISO - fwupd ==
* Add fwupd
* fwupd-signed
* note: architecture specific? (As it turns out, yes.)
* Done: https://github.com/ArrayBolt3/derivative-maker/tree/master
== ISO - GRUB unicode.pf2 error message ==
error: `/grub2/fonts/unicode.pf2' not found
* Please fix.
* Should be fixed in latest derivative-maker improvements.
== ISO - live-build - misc improvements ==
* Any other misc improvements?
* live-config-dist: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/d-i-disable
* derivative-maker: https://github.com/ArrayBolt3/derivative-maker
== advice on safe_echo vs dist-installer-cli ==
* https://github.com/Kicksecure/usability-misc/blob/master/usr/bin/dist-installer-cli
* https://forums.whonix.org/t/whonix-linux-installer-development-discussion/15917/188
* Comment left, can work on implementing suggested fix if desired
== live-build downloads ==
* investigate
* Handled.
== review source code - str_replace file garbage bug - str_match ==
* already fixed in git master
* please review
** str_replace
** str_match
* Determined root cause - failing to truncate file when rewriting.
* Reviewed code, added minor improvements to reliability and performance: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/str_python_scripts
== swap-file-creator improvements ==
* https://forums.kicksecure.com/t/enhanced-heuristics-for-determining-the-swap-file-size-in-swap-file-creator/749/2
* swap-file-creator changes: https://github.com/ArrayBolt3/swap-file-creator/tree/arraybolt3/heuristics
* helper-scripts changes: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/heuristics
== ISO - consider installing by default on ISO ==
packages_to_be_installed+=" mokutil "
packages_to_be_installed+=" keyutils "
packages_to_be_installed+=" efibootmgr "
* mokutil is already installed.
* How about the others?
* Note: architecture specific. AMD64 vs PPC etc.
* These packages don't really cause any harm if installed on a BIOS machine, and both amd64 and arm64 UEFI machines may benefit from them. I don't see any reason why not to include them by default.
* All of these are being installed by default on both amd64 and arm64 builds, and appear to be pulled in either by Calamares or by GRUB. I think we should leave these up to live-build to choose whether to automatically install them or not, since if we end up supporting platforms that use firmware other than BIOS or UEFI in the future, these might not be relevant.
== multi architecture support ==
* the following code can be removed from build-steps.d/1200_prepare-build-machine?
* required by grml-debootstrap for arm64 builds?
* please add support for other architectures to build-steps.d/2800_create-lb-iso
* just only mostly generic code. theoretical support only. no actual builds test needed for all architectures at this time.
## The following grub packages are (partially) build dependencies by Debian live-build.
## Certainly required for amd64 ISO images booted with shim and grub.
if [ "${host_architecture}" = "amd64" ]; then
## These packages are all available for the amd64 platform.
## "grub-mkrescue will automatically include every platform it finds." [1]
## [1] https://lists.gnu.org/archive/html/grub-devel/2014-03/msg00009.html
## Install them all for best compatibility and reproducible builds.
## Some might be unnecessary and waste a bit space.
## Maybe this can be optimized later.
packages_to_be_installed+=" grub-efi-amd64-bin grub-pc-bin grub-coreboot-bin grub-efi-ia32-bin grub-xen-bin grub-ieee1275-bin "
packages_to_be_installed+=" grub-efi-amd64-signed "
packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
packages_to_be_installed+=" shim-helpers-amd64-signed "
elif [ "${host_architecture}" = "i386" ]; then
packages_to_be_installed+=" grub-efi-amd64-bin grub-pc-bin grub-coreboot-bin grub-efi-ia32-bin grub-xen-bin grub-ieee1275-bin "
packages_to_be_installed+=" grub-efi-ia32-signed "
packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
packages_to_be_installed+=" shim-helpers-i386-signed "
elif [ "${host_architecture}" = "ppc64el" ]; then
packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "ppc64" ]; then
packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "sparc64" ]; then
packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "arm64" ]; then
packages_to_be_installed+=" grub-efi-arm64-bin "
packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
elif [ "${host_architecture}" = "riscv64" ]; then
packages_to_be_installed+=" grub-efi-riscv64-bin "
else
true "${red}${bold}WARNING:${reset} ${under}The ISO to be build might be unbootable!${eunder}
- This is because bootloader support is not implemented when building on this
systems's host_architecture.
- Either the build script does not know how to install the required grub '-bin'
package for this architecture or the package is simply unavailable.
- Therefore ISO cross builds are unsupported. Patches welcome.
Might be possible to implement this by running image-to-iso using qemu.
- There is also a small chance that host_architecture detection failed. (Using multiarch, wine?)"
fi
* Better multi-arch support now at https://github.com/ArrayBolt3/derivative-maker/tree/master
* I tested amd64 and arm64 builds to reduce the risk of breaking things, but I did not test other architectures
== older ==
[[Dev/todo/archived]]
= backlog - one day =
== bootloader password ==
* https://forums.kicksecure.com/t/harden-grub-bootloader-using-bootloader-password/723
== vm-config-dist re-installs same version ==
* Why a freshly built ova image attempts to upgrade vm-config-dist, even though it is already the latest version?
* https://download.kicksecure.com/ova/17.2.7.8/
* please investigate
[user ~]% dpkg -l | grep vm-config
ii vm-config-dist 3:10.5-1 all usability enhancements inside virtual machines
[user ~]% upgrade-nonroot
Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [5296 B]
Get:4 tor+https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [492 B]
Get:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7332 B]
Get:8 tor+https://deb.kicksecure.com bookworm InRelease [62.0 kB]
Get:9 tor+https://deb.debian.org/debian bookworm-backports InRelease [59.0 kB]
Get:10 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [913 B]
Get:11 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [97.3 kB]
Get:12 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6236 B]
Get:13 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:14 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:15 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [33.7 kB]
Get:16 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [509 B]
Get:17 tor+https://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:18 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [2712 B]
Get:19 tor+https://deb.debian.org/debian bookworm-updates/non-free amd64 Packages [12.8 kB]
Get:20 tor+https://deb.debian.org/debian bookworm-updates/contrib amd64 Packages [768 B]
Get:21 tor+https://deb.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:22 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:23 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [206 kB]
Get:24 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [264 kB]
Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [5624 B]
Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free-firmware amd64 Packages [3852 B]
Get:27 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [11.1 kB]
Fetched 9891 kB in 8s (1227 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
vm-config-dist
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 2048 B of additional disk space will be used.
Do you want to continue? [Y/n] ^Czsh: exit 130 upgrade-nonroot
[user ~]% apt-cache show vm-config-dist
Package: vm-config-dist
Version: 3:10.5-1
Architecture: all
Maintainer: Patrick Schleizer
Installed-Size: 135
Depends: sudo, adduser, p7zip-full
Replaces: power-savings-disable-in-vms, shared-folder-help
Homepage: https://github.com/Kicksecure/vm-config-dist
Priority: optional
Section: misc
Filename: pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
Size: 40244
SHA256: 41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a
SHA1: d150305c67a4d3949c714c4b16a6a2c1ebe63353
MD5sum: 471286ecd49b36d287b50f807685036b
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Package: vm-config-dist
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 133
Maintainer: Patrick Schleizer
Architecture: all
Version: 3:10.5-1
Replaces: power-savings-disable-in-vms, shared-folder-help
Depends: sudo, adduser, p7zip-full
Conffiles:
/etc/dracut.conf.d/30-vm-config-dist.conf 4b17a68bed81773993a0c46d79148986
/etc/gdm3/daemon.conf.dist b1f35c9655abcc3171af5c10ce4d8292
/etc/profile.d/20_kde_screen_locker_disable_in_vms.sh e45dd471bc555b906c6c04b208f4066b
/etc/profile.d/20_power_savings_disable_in_vms.sh bfef62e0edc770197204884b9fc3baea
/etc/profile.d/20_software_rendering_in_vms.sh 32d99ab4948878c5c790145bdafa88ea
/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml 573a4880ca28e8e094ea78fa76fb875e
Description: usability enhancements inside virtual machines
Sets environment variable `QMLSCENE_DEVICE=softwarecontext` as workaround for
"Automatic fallback to softwarecontext renderer".
.
It is not useful to open a screensaver or to power down the desktop for
operating systems that are run inside VMs. There is no real display that could
be saved and no real power that could be saved. From usability perspective it
also is counter intuitive when looking at the VM window and only seeing a
black screen. Therefore it makes sense to disable power savings in VMs.
`/etc/X11/Xsession.d/20_kde_screen_locker_disable_in_vms.sh`
`/etc/profile.d/20_power_savings_disable_in_vms.sh`
`/etc/X11/Xsession.d/20_software_rendering_in_vms.sh`
`/usr/share/kde-power-savings-disable-in-vms/kdedrc`
`/usr/share/kde-screen-locker-disable-in-vms/kscreenlockerrc`
.
Disables screen locker when running in VMs because that is not useful either.
.
Makes setting up a shared folder for virtual machines a bit easier.
.
* Creates a folder `/mnt/shared` with `chmod 777`, adds a group
"vboxsf", adds user "user" to group "vboxsf". Facilitates auto-mounting of
shared folders.
.
* Helps using shared folders with VirtualBox and KVM a bit
easier (as in requiring fewer manual steps from the user).
.
* `/lib/systemd/system/mnt-shared-vbox.service`
* `/lib/systemd/system/mnt-shared-kvm.service`
.
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM.
Workaround for low screen resolution 1024x768 at first boot. When using lower
screen resolutions, Xfce will automatically scale down.
`/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml`
.
Installs VirtualBox guest additions if package
`virtualbox-guest-additions-iso` is installed if environment variable
`dist_build_virtualbox=true` or if running inside VirtualBox.
(`systemd-detect-virt` returning `oracle`)
`/usr/bin/vbox-guest-installer`
Description-md5: 09e095e928a4c962e728f72d712b4c34
Homepage: https://github.com/Kicksecure/vm-config-dist
[user ~]%
* SHA256 is OK and matches my locally built package.
myfind . | grep vm-config-dist | grep '.deb$' | xargs sha256sum
+ set -e
+ find . -type f -not -iwholename '*.git*'
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./genmkfile-packages-result/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_local/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
41fc4cd7e2f97bdcf23ff80b91cbbc339aca3c60445ffaa4725147e4e28d048a ./aptrepo_remote/kicksecure/pool/main/v/vm-config-dist/vm-config-dist_10.5-1_all.deb
* The Installed-Size of the package on the VM is listed as one size, but the Packages file in Kicksecure's remote repo lists a different Installed-Size. Thus even though the debs are identical, apt believes the packages are different and wants to update to the remote version of the package as a result. See https://unix.stackexchange.com/questions/581291/why-apt-wants-to-upgrade-already-up-to-date-package. Why this is happening is unclear. Perhaps something is going wrong with using reprepro? See below.
# From https://deb.kicksecure.com/dists/bookworm/main/binary-amd64/Packages:
Package: vm-config-dist
...
Installed-Size: 135
...
# From /var/lib/dpkg/status from the linked OVA file:
Package: vm-config-dist
...
Installed-Size: 133
...
* I did an OVA build in the background to see what Installed-Size it resulted in, but then accidentally deleted it, I can do redo the build and check it if desired.
== str_replace utf-8 bug ==
str_replace %%replace-me-clearnet-replace-me%% kicksecure.com /etc/postfix/header_checks.db
Traceback (most recent call last):
File "/usr/bin/str_replace", line 49, in
main()
File "/usr/bin/str_replace", line 26, in main
file_data = source_fh.read()
^^^^^^^^^^^^^^^^
File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8e in position 54: invalid start byte
* Low-priority, could be difficult to fix.
== Qubes graphical-session.target missing bug ==
* Which source code file does enable systemd graphical-session.target target on Debian?
* https://github.com/QubesOS/qubes-issues/issues/9576
* Patrick: msgcollector now starts the systemd unit from /etc/xdg/autostart, that is good enough.
== add date and time detection to archive.today frontend ==
* This is necessary for the next task.
* If a link has been archived once in the past, but is severely outdated, we should probably request that archive.today rearchive it. This requires that we know when archive.today archived each page.
* (It might be worthwhile to detect when a link was added to the Wiki and use that as a deciding factor as to whether or not we should archive the link again. Might be doable by using the archive.today backups from Github.)
* We decided to not attempt re-archiving already archived content, thus this is no longer needed for now.
== mediawiki bot setup ==
* no wiki mass editing required for now
* will be required for mediawiki mass editing
* https://www.kicksecure.com/wiki/Special:BotPasswords
* https://www.kicksecure.com/wiki/Special:BotPasswords/botname
* https://www.whonix.org/wiki/Special:BotPasswords
* https://www.whonix.org/wiki/Special:BotPasswords/botname
* note: replace botname with actual name of bot
== rootless X11 ==
* only if doable with low effort such as just changing some configs (such as in lightdm config) or changing some installed packages
* Would require switching away from LightDM or enabling rootless X11 support in LightDM, thus moving to backlog.
== power9 RAM encryption research ==
* todo
== auto-detect, prompt for potential root devices in case the root= device is misconfigured or missing ==
* https://github.com/dracutdevs/dracut/issues/2589
* if doable with reasonable effort please send a pull request to dracut-'''ng'''
* Pull request: https://github.com/dracut-ng/dracut-ng/pull/694
* update: as discussed, low priority if effort is too high
== dracut add support for undeclared CDLABEL ==
as discussed
== live-build - Retry button in derivative-maker doesn't work ==
* low priority, move to backlog please
= Footnotes =
{{Footer}}