Closed adrelanos closed 8 months ago
It is only placed in the development state: https://github.com/ben-grande/qusal/blob/e35c9fbf4b4ca1044167acee2c431efdcb656012/salt/kicksecure-minimal/install-testing.sls#L29-L44
I understand it deviates from upstream, but it is intended for testing only. I don't plan to document everything that may break when using the testing state because it can become lengthy. If you still think it is a problem, I will set to Kicksecure's default.
It's a problem and already created a mess here. Mess as in a time consuming, difficult to debug issues. This happened quick. It already likely generated this issue (or could have generated it): https://forums.whonix.org/t/update-torbrowser-is-currently-broken/18279
These are non-defaults for good reasons. Because there's known, not easily fixable breakage.
The user needs to be consciously aware of the opt-in features that they enabled so no time is wasted attempting to debug.
It's a problem and already created a mess here. Mess as in a time consuming, difficult to debug issues. This happened quick. It already likely generated this issue (or could have generated it):
The user:
My problem was caused by hide-hardware-info.service being enabled in sys-whonix, it isn’t enabled by default (but I had it enabled due to a custom saltstack formula).
My formula does not enabled anything in sys-whonix
, it is another formula, the salt/whonix
formula, not the salt/kicksecure-minimal
formula.
The salt/sys-cacher
formula does not break Whonix because it has a policy that makes it not use the cacher. If the user claimed to use my formula, I would look deeper in to hte problem, but that is not what he claimed. I just did run update-torbrowser
in whonix-workstation-17
and all worked out.
The install-testing
SaltFile is also non-default, it would happen only if the user explictly wanted to test kicksecure, and not whonix.
The user enabling hide-hardware-info
in sys-whonix
is just as unsupported to you as it is unsupported to me.
The user needs to be consciously aware of the opt-in features that they enabled so no time is wasted attempting to debug.
It is consciously opt-in, as stated in the readme:
If you want to help improve Kicksecure integration on Qubes, install packages that are known to be broken on Qubes and can break the boot of the Kicksecure Qube, to report bugs upstream (get a terminal with qvm-console-dispvm):
qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
The user did not report the contents of their salt formula, if they made the salt formula. If you hope the user will share the setting of their salt formula to be debugged faster rather than not sharing anything, I don't think that will happen with non-expert users, ever, may happen after some back and forths.
But... as I don't want to remove this state, it is beneficial for developers to see what can be hardened but is broken, I will document.
Because not a Kicksecure upstream default.
https://github.com/ben-grande/qusal/blob/main/salt/kicksecure-minimal/files/template/hide-hardware-info.d/40_qusal.conf