ben-grande / qusal

Salt Formulas for Qubes OS.

document /etc/hide-hardware-info.d/40_qusal.conf #14

Closed adrelanos closed 8 months ago

adrelanos commented 8 months ago

Because not a Kicksecure upstream default.

https://github.com/ben-grande/qusal/blob/main/salt/kicksecure-minimal/files/template/hide-hardware-info.d/40_qusal.conf

ben-grande commented 8 months ago

It is only placed in the development state: https://github.com/ben-grande/qusal/blob/e35c9fbf4b4ca1044167acee2c431efdcb656012/salt/kicksecure-minimal/install-testing.sls#L29-L44

I understand it deviates from upstream, but it is intended for testing only. I don't plan to document everything that may break when using the testing state because it can become lengthy. If you still think it is a problem, I will set it to Kicksecure's default.

adrelanos commented 8 months ago

It's a problem and already created a mess here. Mess as in time-consuming, difficult-to-debug issues. This happened quickly. It already likely generated this issue (or could have generated it): https://forums.whonix.org/t/update-torbrowser-is-currently-broken/18279

These are non-defaults for good reasons. Because there's known, not easily fixable breakage.

The user needs to be consciously aware of the opt-in features that they enabled so no time is wasted attempting to debug.

ben-grande commented 8 months ago

> It's a problem and already created a mess here. Mess as in time-consuming, difficult-to-debug issues. This happened quickly. It already likely generated this issue (or could have generated it):

The user:

> My problem was caused by hide-hardware-info.service being enabled in sys-whonix, it isn’t enabled by default (but I had it enabled due to a custom saltstack formula).

My formula does not enable anything in sys-whonix, it is another formula, the salt/whonix formula, not the salt/kicksecure-minimal formula.

The salt/sys-cacher formula does not break Whonix because it has a policy that makes it not use the cacher. If the user claimed to use my formula, I would look deeper into the problem, but that is not what he claimed. I just ran update-torbrowser in whonix-workstation-17 and all worked out.

The install-testing SaltFile is also non-default, it would happen only if the user explicitly wanted to test Kicksecure, and not Whonix.

The user enabling hide-hardware-info in sys-whonix is just as unsupported to you as it is unsupported to me.


> The user needs to be consciously aware of the opt-in features that they enabled so no time is wasted attempting to debug.

It is consciously opt-in, as stated in the readme:

> If you want to help improve Kicksecure integration on Qubes, install packages that are known to be broken on Qubes and can break the boot of the Kicksecure Qube, to report bugs upstream (get a terminal with qvm-console-dispvm):
>
> qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers

The user did not report the contents of their salt formula, if they made the salt formula. If you hope the user will share the setting of their salt formula to be debugged faster rather than not sharing anything, I don't think that will happen with non-expert users, ever; it may happen after some back and forth.

But... as I don't want to remove this state, it is beneficial for developers to see what can be hardened but is broken, I will document.