Debian Packages
Donate
Which Whonix Debian packages are safe to remove? What is a meta package? What other packages do Whonix meta packages install? Which packages should never be removed? How to safely run autoremove?
Upstream[edit]
This page will focus exclusively on aspects related to Whonix/Anonymity. For security hardening and additional insights, users should refer to the Kicksecure page.
Since Whonix is based on Kicksecure™, the user can follow these instructions 
Debian Packages
(links to the Kicksecure™ website)
Introduction[edit]
It is safe to run sudo apt autoremove so long as the specific Whonix machine meta package is kept for the Non-Qubes-Whonix or Qubes-Whonix platform. In other words, these packages should not be in the list of autoremoved packages.
Non-Qubes-Whonix Xfce:
- Whonix-Gateway™:
non-qubes-whonix-gateway-xfce - Whonix-Workstation™:
non-qubes-whonix-workstation-xfce
- Whonix-Gateway:
qubes-whonix-gateway - Whonix-Workstation:
qubes-whonix-workstation
It is actually a good idea to safely run sudo apt autoremove according to the following instructions on this wiki page to make sure extraneous packages which might no longer be recommended for default installation are removed.
Re-install Meta Packages and Safely Run Autoremove[edit]
1. Update the package lists.
sudo apt update
2. Ensure a proper meta package is installed.
Non-Qubes-Whonix Xfce:
- Whonix-Gateway: sudo apt install non-qubes-whonix-gateway-xfce
- Whonix-Workstation: sudo apt install non-qubes-whonix-workstation-xfce
- Whonix-Gateway: sudo apt install qubes-whonix-gateway
- Whonix-Workstation: sudo apt install qubes-whonix-workstation
3. Auto remove packages.
sudo apt autoremove
4. Reconfirm a proper meta package is still installed.
Repeat step two.
5. Done.
The procedure of safely running sudo apt autoremove is complete.
Related: Whonix Factory Reset
Changed Configuration Files[edit]
Be careful if a message like this appears.
Configuration file '/etc/apparmor.d/usr.bin.sdwdate'
Configuration file '/etc/apparmor.d/whonix-firewall'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** whonix-firewall (Y/I/N/O/D/Z) [default=N] ?
For general advice, see: Changed Configuration Files.
Removal Instructions[edit]
These instructions allow for safe removal of a package (in this example the uwt package). This results in meta package removal without breaking the whole system when next time running sudo apt autoremove.
1. Upgrade.
2. Clean up.
If custom packages were installed and uninstalled or dependencies changed in the meanwhile, remove unneeded dependencies first.
sudo apt autoremove
3. Uninstall.
As an example, consider how the uwt
package could be uninstalled.
sudo apt purge uwt
A message will appear similar to this.
Reading package lists... Done Building dependency tree Reading state information... Done The following packages were automatically installed and are no longer required: faketime libfaketime Use 'sudo apt autoremove' to remove them. The following packages will be REMOVED: qubes-whonix-workstation* uwt* whonix-shared-packages-recommended-cli* whonix-workstation-shared-packages-shared-meta* 0 upgraded, 0 newly installed, 4 to remove and 1 not upgraded. After this operation, 302 kB disk space will be freed. Do you want to continue? [Y/n]
4. Keep packages installed by meta packages.
Now, there is a small issue:
- Next time the sudo apt autoremove command is run, all packages listed under "The following packages were automatically installed and are no longer required:" would also be uninstalled. (Such as rads and others.)
- In order to keep the other packages which were installed such as by the whonix-workstation-packages-recommended-gui and the whonix-shared-packages-recommended-cli meta packages, mark them as manually installed so they do not get removed. This can be conveniently achieved with aptitude. [1] [2]
sudo aptitude keep-all
5. Done.
The procedure is complete. Be sure to understand the disadvantage of this approach.
Alternatively, there might be a very crude workaround which is discussed in the following forum topic:
Issues with removal of specific packages by users / builders.
See Also[edit]
- Configuration Drop-In Folders
- Reset Configuration Files to Vendor Default
- Whonix Factory Reset
- Packages for Debian Hosts
- Whonix APT Repository
- Building and Update Whonix from Source Code
- Installing Whonix from Repository
Footnotes[edit]
- ↑
https://unix.stackexchange.com/questions/166590/what-is-the-apt-get-equvalent-of-aptitude-keep-all
- ↑
It is possible to safely mix apt-get and aptitude. Raphaël Hertzog, dpkg and Debian Developer, stated in 2011 that this is not a problem anymore:
First I want to make it clear that you can use both and mix them without problems. It used to be annoying when APT did not track which packages were automatically installed while aptitude did, but now that both packages share this list, there’s no reason to avoid switching back and forth.
Source: apt-get, aptitude, … pick the right Debian package manager for you
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!